User Account Management
At VGS, we only know that someone with your organization’s credentials has logged into our Dashboard. We do not track what you do on our site. This means that if an attacker is able to gain access to your customer configuration, they could reroute sensitive data to an unauthorized location. Therefore, it is critical that your enterprise create and enforce security policies related to VGS account management.
Strong authentication limits opportunities for unauthorized data disclosure. VGS customers create their organizations. You have access control, and you can configure unique access levels for each account. Every person in your organization should have their own account, and each account should have clearly understood roles, responsibilities, and access.
Remember the principle of least privilege. You should not grant administrative rights to everyone, and you should not give everyone access to everything. Authorized personnel should only have the permissions they need to perform authorized tasks. Some personnel merely require read-only permissions. Immediately deactivate accounts for personnel who leave your company.
Keeping your VGS accounts safe is critical to keeping your information private. Securely store access credentials on your own servers. Never share your personal passwords with anyone. Your VGS passwords should be unique to VGS. If you use your password on another site and that site is compromised, an attacker could reuse those stolen credentials to take over your VGS account.
You should enable VGS’s one-time password (OTP) feature, located in Account Settings, as a part of your multi-factor authentication (MFA) protocol. OTP adds an extra layer of security to your account and is required for our live environment. It requires an additional, unique code from your mobile device to complete the login process; the code is received via text message or generated by an app like Google Authenticator or Authy. If you have OTP enabled, a hacker will not be able to log into your account, even if they steal your username and password.
You should always beware of social engineering and phishing, because machines and people are both vulnerable to compromise. VGS occasionally sends email notifications, as well as our monthly newsletter. We only communicate from the verygoodsecurity.com domain, and any hyperlinks we send you will use HTTPS. If you receive an email from VGS that you did not expect, please hover over any hyperlink to verify that it really points to a page at verygoodsecurity.com.
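The hover check described above can also be run over the HTML body of a message before anyone clicks. This is an added example, not VGS code: the function names and the sample message are constructed for illustration, and it assumes that subdomains of verygoodsecurity.com count as legitimate.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit
TRUSTED_DOMAIN = "verygoodsecurity.com"  # sending domain stated on this page

class LinkCollector(HTMLParser):
    """Collect the href of every <a> element in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def check_link(href):
    """Return the reasons a link fails the rule; an empty list means it passes."""
    try:
        parts = urlsplit(href.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return ["unparseable URL"]
    problems = []
    if parts.scheme != "https":
        problems.append("not HTTPS")
    # Browsers read "\" as "/", so a host with unexpected characters is rejected.
    if not re.fullmatch(r"[a-z0-9.-]+", host):
        problems.append("malformed host")
    # Exact match or true subdomain; a bare suffix test passes notverygoodsecurity.com.
    elif host != TRUSTED_DOMAIN and not host.endswith("." + TRUSTED_DOMAIN):
        problems.append("host is " + host)
    if "@" in parts.netloc:
        problems.append("userinfo before @")
    return problems

def audit_email_html(html):
    """Map every link in the message to its list of problems."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: check_link(href) for href in collector.hrefs}

# Constructed sample message; the non-VGS hosts are reserved example domains.
SAMPLE = """
<a href="https://www.verygoodsecurity.com/docs">Docs</a>
<a href="http://verygoodsecurity.com/reset">Reset</a>
<a href="https://verygoodsecurity.com.example.net/login">verygoodsecurity.com</a>
<a href="https://verygoodsecurity.com@example.org/">Dashboard</a>
"""
```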
If you think your account might be compromised (e.g., your password or OTP may have been stolen), please immediately reset your password by clicking “Don’t remember password” on the login form to reset your OTP, and log out from all active sessions. This feature is available under My Account, which you can find in the top menu.
To access the VGS Dashboard, we offer our customers the ability to configure a custom Single Sign-On (SSO) provider enabled by Security Assertion Markup Language (SAML) 2.0. An identity provider (IdP) such as Okta or Google is a trusted entity for VGS SSO.
SSO advantages:
Use one set of credentials (e.g., email & password) to access multiple applications
Reduce password fatigue so users are not required to remember multiple passwords
Simplify usage across different systems to increase productivity
Remove the administrative need to manage multiple accounts for one user
Simplify security & compliance reviews for onboarding new vendors
Enterprise VGS IdP
To learn more, visit our configuration page.