Administration Console

Critical: Securing your administrator accesses

Administrator accounts are the most important accounts because they provide access to the administration console. Access to the administration console should never be lost! To protect against this, TrustBuilder strongly advises the following:

Use Helium backup (applicable to all types of users)
Enroll at least 2 devices (applicable to all types of users)
Create at least a second administrator account
Generate an API certificate and keep it carefully in a secure place

For more information: Securing your Administrator access

Email alerts

In order to preserve their access, administrators will receive alert emails: 30 days, 2 weeks and 1 week prior the expiration of one of their tools.

Accessing the Administration console

Administrator access is activated on the computer, when you are setting up your service (Trial or Enterprise)

The address of your administration console is: https://www.myinwebo.com/console/logon

You must activate a device/web browser to gain access to the administration console, and you

must be an administrator (i.e. have administration access) to access this administration console.

Administration console overview

Select the service you want to manage
Manage and troubleshoot your user accesses in the "Service Users" tab
Manage User groups and security policies in the "User Groups" tab
Configure your secure sites and applications in the "Secure Sites" tab
Configure your security / authentication service in the "Service parameters" tab
Read your reports and analyze your activity in the "Usage Reports" log

Defining Service Parameters

In the service parameters tab (5), you have to provide details for standard "users" (users who are not members of a group).

Authentication mode:

Without PIN: the user's PIN is not required to generate an OTP with Authenticator and Virtual Authenticator.
With PIN: the user's PIN is required to generate an OTP with Authenticator and Virtual Authenticator.

Configuring Authenticator app, default restriction

If a mobile phone is registered on the user profile, set TrustBuilder Authenticator (mobile/desktop) parameters.

TrustBuilder Authenticator (mobile/desktop)
Setting	Description
Activated	Yes → Authenticator app is proposed to the user in the standard activation pages. No → Authenticator is not proposed to the user in the standard activation pages
Activation on mobile allowed	Yes → The activation of Authenticator mobile is allowed. No impact. No → If a user tries to activate Authenticator mobile, the activation will be blocked by the platform and the user will receive an error. This parameter is about blocking the activation. No impact on activation page, no impact on authentications.
Activation on desktop allowed	Yes → The activation of Authenticator desktop is allowed. No impact. No → If a user tries to activate Authenticator desktop, the activation will be blocked by the platform and the user will receive an error. This parameter is about blocking the activation. No impact on activation page, no impact on authentications.
Maximum number of devices	Limits the maximum number of smartphones a user can register. (0 for unlimited) You must define a strict restriction on the number of devices allowed for a standard user for standard users (users who are not members of a group). Note that a group membership with a "security policy" will override this default restriction.
Tools automatically blocked after	Limits the maximum number of days a device may remain inactive before being blocked. (0 for unlimited)
Tools automatically deleted after	Limits the maximum number of days a device may remain inactive before being deleted. (0 for unlimited)
Authentication with biometrics allowed	Yes → the user can authenticate using biometrics. No → the user cannot authenticate using biometrics.
Authentication with biometrics only	This setting cannot be changed. To be compliant with the GDPR (General Data Protection Regulation), the user should have the choice to use biometrics or not.
OTP format	This setting allows you to set the offline OTPs format. The online OTPs format is always 8 characters. You can choose the offline format based on what your authentication interface supports. 8 digits → OTP is a string of 8 numbers. 6 characters alphanum → OTP is a string of 6 alphanumerics characters (letters and numbers) 7 characters alphanum → OTP is a string of 7 alphanumerics characters (letters and numbers) 8 characters alphanum → OTP is a string of 8 alphanumerics characters (letters and numbers) Choose OTP length according to the security level required, meaning the probability of finding the correct OTP by luck or brute force: the longer the OTP, the safer it is.
Allow online OTPs	Yes → Authenticator will first try to generate online OTP. No → Authenticator will not try to generate online OTP. In this setting, if Online OTP cannot be generated, then Offline OTPs are generated as a backup for an occasional use case. For mostly offline use case, you should set the full Offline mode.
Enable OTP in full Offline mode	The "full offline mode" is used when TrustBuilder MFA is needed to open a network connection. Yes → enables Authenticator to generate OTPs for always offline users. Set it when the use case for generating OTP is mostly offline. No → disables Authenticator to generate OTPs for always offline users. Enabling the OTP in full Offline mode does not mean that all users will always be offline. You can enable full offline mode for always offline users while allowing online OTPs for others users. After generating an OTP, users should wait 50 seconds to generate a new OTP. Error cases In order to resynchronize Authenticator and the TrustBuilder MFA service, 2 OTPs are needed in a short time (less than 15 minutes). In the following scenarios (in full offline mode): OTP input error, a generated OTP is not submitted, a generated OTP is submitted late, the next OTP will be rejected. The user will have to generate another OTP: this one will be validated.
Selfcare access	Yes → The user can manage their account by themselves from the Authenticator application (PIN management). No → The user cannot manage their account by themselves from the Authenticator application. The Selfcare function is accessible to users that have a pin. In a service without pin, Selfcare will be accessible to administrators only.
Audit access	Yes → the user can access to their audit. No → the user cannot access to their audit.
Allow QR scan authentication method	Yes → the user can use the QR code scan method to authenticate. The “Scan a QR code” option will appear in the home of TrustBuilder Authenticator app. No → the user cannot use the QR code scan method to authenticate Users may be unable to scan the QR code for any reason, for example when the QR code is displayed on the same device that has the camera. In such cases, we propose alternative authentication methods that appear as links below the QR code: Open Authenticator. This is a deeplink (direct link) to Authenticator app on the same device (mobile or desktop) to approve or reject the authentication request. It requires to have Authenticator installed on the same device. ⚠️ The deeplink alternative is not displayed on mobile in a webview as it is not supported by common commercial applications. Note: to display the deeplink in every case including this case, add `?dlmobile=true` at the end of the authentication URL. Sign in by entering a code (OTP) provided by Authenticator. This alternative method works in all situations. Although not a very common scenario, when the QR code is displayed on a phone it is also possible to use another phone to scan it. More information about the QR code authentication method

Configuring Virtual Authenticator / browser, default restriction

Activated: Yes or No - to enable authentication via the Virtual Authenticator interface
Maximum number of devices: the maximum number of browsers a user can register with Virtual authenticator for this service

Note: A user can activate an unlimited number of browsers with his TrustBuilder identity, but only the specified number of devices can access the service.

Configuring Helium / browser, default restriction

If you are using Helium, you can configure the following settings:

Activated: Yes or No / to enable authentication via the Helium interface
Maximum number of devices: the maximum number of browsers a user can register with Helium for this service
Helium authentication mode: Without password: the user's password is not required to generate an OTP and With password: the user's password is required to generate an OTP

Recommended maximum number of devices for standard users

The values indicated in the "Service Parameter" tab represent default values and the minimum number of devices a standard user can enlist, this should be the strict minimum:

TrustBuilder Authenticator (mobile): 1
Virtual Authenticator (browser): 1
Helium (browser): 1
Maximum number of devices of all types: 2 (At the bottom of the page)

Activating Transaction sealing

If you have requested the transaction sealing option from TrustBuilder.
You'll be able to enable it for your service in the "service parameters" tab

For White label and legacy offer: in the "mAccess" section (if enabled)
For Standard offer: in the "General settings" section

Change the "Transaction sealing" option to >Yes<

Defining groups and security

Creating a security policy for a group

In the User Groups tab, click the "Manage the security Policies", above the Service ID.

You'll reach the "Manage Security Policies" page, in this page you can edit specific policies applied to groups.

Create a new policy with the button or edit an already existing one by clicking on it.

It is up to you to decide whether your policy will be more generous than the default security settings.

Once you set the security you can save it and apply it to a group.

How to manage groups

When you reach the User Groups tab of the administration console, you see the groups which have been created for this service.

You can Create, Edit or Delete groups via this interface.

Creating a group

If you decide to create a Group you will reach a page displaying:

The name of the group you want to create
The security policy you previously created
The secure sites the users of the group can see,

The shaded boxes in front of a "secure site" indicates the sites available for all users in the service.

You may select/check the sites the group will see.

Restricting the Secure site visibility to a specific group.

To restrict the visibility of a Secure site only to a specific group, you have to edit the Secure site / Application in the "Secure Sites" tab of the console,

and check the Give Access / Only to defined groups of users.

Synchronizing with IWDS

If you are using IWDS, you have to create the same number of groups as the number of LDAP groups you want to synchronize with IWDS:

Once you have created these groups in the Administration console you have to associate them to LDAP group/UO in the IWDS console.

*LDAP group mapping tab in IWDS

Viewing a group's list of users

When you edit a group, you'll see the button "View all group users" available.

When clicking on this button, you'll reach the "Service Users" tab with the users filtered by the group you have selected.

This allows you to view only the members of this group and to perform the targeted action.

Managing roles and group administration

Defining Roles

When clicking on the "Service Users" tab, you'll see the "Manage User Roles" button above the Service ID

You can "Add a new role" or Edit existing roles.

Creating a new role

To define a new role, you select (check box) the features and tabs available for this role, at your convenience.

When creating a new role it's recommended to create a new user and to test the access / restrictions with another activated browser to see the result of your restrictions.

When you modify an existing role it is advised to Log out - Log in to ensure the role has been correctly updated.

Group administration

If you want to assign a role to a restricted group:

You should create a "Group Administrator" role, with the following attributes:
You select "User" role as User service role parameter
You select the group you want to manage at the bottom of the profile
You select the newly created "Group Administrator" role for this group

You'll notice that there is no standard Administrator role available for a group, so you should assign the user the Group Administrator role created previously.

Managing users

Adding new users

To add a user to the interface, you can use the button "Add a new user" (1),

An empty user profile will be displayed, only the login is mandatory (2).

If you input an Email address, you can directly send an Activation link in an email to the new user.

(3) and (4). In the "User service role" section (5), you may select the role that will be assigned to the user for the whole service. (User, Administrator,...)

For (6) and (7) you can add the user to a group with a user role or a customized role

Optional - You can specify the user first name and last name. Note that the following special characters ' . - _ ! # ^ ~()[] are authorized.

If the "Send an activation email" is not selected, when saving the user you should retrieve the activation code in the Administration console:

This Activation code has a duration of 30mn.

Unlocking / Password locked

If a user has made 3 attempts to login with a wrong password, he will be locked.

If the user has not deleted all his devices, you can send him the following elements to unlock one of his tools:

An unlock code with immediate use (A code you can use to reset your password) it has a duration of 30mn
An unlock link sent by mail (The user will receive in his mail address a link to create an unlock code)
An unlock link with immediate use (It will display a link to give to the user to create an unlock code)

If the user has deleted all his tools, as there are no locked tools, the user status will not show the locked state, you will have to perform a "User Restore" procedure.

User restore

The user restore procedure will delete and recreate an identical user, this procedure will create an activation code which will also unlock the user, after confirmation of the "restoration" procedure. The user profile will close and a new activation code will be displayed in the interface, at the top of the "Service user" tab

When asked for an unlock code, the user will use this activation code to unlock his account and activate a new device at the same time.

Deletion

You can easily delete an TrustBuilder user with the "trash can" at the end of the line.
You can also select/check multiple users and select "Delete selected users from service" at the bottom of the page if you want to perform a mass delete of users.

How to search and filter your users

In the "User tab" you have access to the "Filter Users" button, it will display a menu to search and filter your user list.

Search by login name
- If the login contains a "\”, you should to enter "\\" in the filter to find it. - Example: to find the login "test\user" you should filter on "test\\user"
- The character "_" is a wildcard character that replaces or represents any character. - Example: you can find the login "test\user" by filtering on "test_user"
Filter by group
Filter by status (Activated, Pending Activation, not activated)
Display users with no activity → since >?< day(s)

You can for instance, Filter all users without activity for 60 days and select them for deletion.

This operation can display Administrator level accounts. Be sure to verify the user's status before a deletion operation

Accessing Reports and Troubleshooting

Accessing Reports

In the "Usage Reports" tab, you have access to the following Reports:

Authentications
User provisioning
User activation
Service Parameter Updates

These reports are available through the combo box at the top of the page

Troubleshooting user provisioning, activation and deletion

The "User provisioning" reports display all operations performed on users such as their creation, activation and update for the service in question along with error messages.

Troubleshooting tool/device and user access

If the users lock a tool or a device, it is important that they don't delete or clean their Web browser,
as they will delete their information and it will be harder to recover their access without an activated device.

The administrator can see in the user profile that the user PIN code is Locked, he can also see the tools which are concerned:

Email templates

Customizing email Templates

Go to Service Users > Customize Email templates to access to all the service email templates which will be sent to your users (in French or English).

Note: Customizing Email Templates usage is not granted by default with Trial accounts. It can be unlocked simply by requesting it to your Partner or Reseller.

You can customize the following email templates: 1st activation email, Confirmation email, Add new device email, Unlock device email.

Under the text block, you will find a list of variables you can use to compose your email and to access user data.

_SERVICE_ displays the name of the service for which the email is sent (can be inserted into the subject and the body)
The following variables can be inserted into the body only:
- _LINK_ displays a link opening a generic activation page allowing the user to choose between a mobile or browser activation
- _LINK:BROWSER_ displays a link opening a browser activation page (Virtual Authenticator or Helium according to your service settings)
- _LINK:MOBILE_ displays a link opening a mobile activation page (TrustBuilder Authenticator or mAccess)
- _CODE_:
  - For “Add new device email” and “1st activation email“ → allows to retrieve the 3-week long code generated. A call to TrustBuilder API (loginGetCodeFromLink) is required to convert it into a final activation code
  - For “Unlock device email” → displays the unlock code
- _FIRSTNAME_ displays the user's first name
- _LASTNAME_ displays the user's last name
- _LOGIN_ displays the user's login name
Link to download page: https://www.myinwebo.com/enroll/?code=_CODE_
link to redirect users to a webpage that displays download links for TrustBuilder Authenticator app. It also displays the activation code (and QR code for mobile activation) to be used after Authenticator installation.

Example:

CODE

Hello _FIRSTNAME_ _LASTNAME_,

An account has been created for you on _SERVICE_ secured by TrustBuilder authentication service.
Your login is _LOGIN_.

Click on the link below to activate a first trusted device:
For browser activation: _LINK:BROWSER_
For TrustBuilder Authenticator application: https://www.myinwebo.com/enroll/?code=_CODE_

TrustBuilder team

Adding deeplinks in email templates

To enhance user experience, you can also insert deeplinks to redirect users straight to the activation screen of TrustBuilder Authenticator app. You may use one of the links below depending on your use case.

Activation (mobile app only): https://near.myinwebo.com/enrole/activate?code=_CODE_
redirects users straight to the activation screen of TrustBuilder Authenticator app, with the activation code already filled-in. This deeplink is only reachable when users click the deeplink from a mobile device where TrustBuilder Authenticator is already installed.
Activation (desktop app): inwebo://enrole/activate?code=_CODE_
redirects users straight to the activation screen of TrustBuilder Authenticator app, with the activation code already filled-in.
⚠️ In some email clients, this deeplink may not be clickable. The solution is to copy/paste it in a browser. We recommend including this information in the email template.

Example:

CODE

Hello _FIRSTNAME_,

To add a trusted device and safely sign in to _SERVICE_ click on the link below.

For mobile application: https://near.myinwebo.com/enrole/activate?code=_CODE_
For desktop application: inwebo://enrole/activate?code=_CODE_ (if not clickable copy and paste the link into your browser)

To install Authenticator on your device go to this page from your device https://www.myinwebo.com/enroll/?code=_CODE_ 

TrustBuilder team