Account Management
At VGS, we only know that someone with your organization’s credentials has logged into our Dashboard. We do not track what you do on our site. This means that if an attacker is able to gain access to your customer configuration, they could reroute sensitive data to an unauthorized location. Therefore, it is critical that your enterprise create and enforce security policies related to VGS account management.
Strong authentication limits opportunities for unauthorized data disclosure. VGS customers create their organizations. You have access control, and you can configure unique access levels for each account. Every person in your organization should have their own account, and each account should have clearly understood roles, responsibilities, and access.
Remember the principle of least privilege. You should not grant administrative rights to everyone, and you should not give everyone access to everything. Authorized personnel should only have the permissions they need to perform authorized tasks. Some personnel merely require read-only permissions. Immediately deactivate accounts for personnel who leave your company.
Keeping your VGS accounts safe is critical to keeping your information private. Securely store access credentials on your own servers. Never share your personal passwords with anyone. Your VGS passwords should be unique to VGS. If you use your password on another site and that site is compromised, an attacker could reuse those stolen credentials to take over your VGS account.
You should enable VGS’s one-time password (OTP) feature as a part of your multi-factor authentication (MFA) protocol (located in Account Settings). OTP adds an extra layer of security to your account and is required for our live environment. It requires an additional, unique code from your mobile device to complete the login process, which is received via text message or generated from an app like Google Authenticator or Authy. If you have OTP enabled, a hacker will not be able to log into your account, even if they steal your username and password.
You should always beware of social engineering and phishing, because machines and people are both vulnerable to compromise. VGS occasionally sends email notifications, as well as our monthly newsletter. We only communicate from the verygoodsecurity.com domain, and any hyperlinks we send you will use HTTPS. If you receive an email from VGS that you did not expect, please hover over any hyperlink to verify that it really points to a page at verygoodsecurity.com.
If you think your account might be compromised (e.g., your password or OTP may have been stolen), immediately reset your password by clicking “Don’t remember password” on the login form, reset your OTP, and log out from all active sessions. The OTP reset and session logout are available under My Account, which you can find in the top menu.
To access the VGS Dashboard, we offer our customers the ability to configure a custom Single Sign-On (SSO) provider enabled by Security Assertion Markup Language (SAML) 2.0. An identity provider (IdP) such as Okta or Google is a trusted entity for VGS SSO.
SSO advantages:
Use one set of credentials (e.g., email & password) to access multiple applications
Reduce password fatigue so users are not required to remember multiple passwords
Simplify usage across different systems to increase productivity
Remove the administrative need to manage multiple accounts for one user
Simplify security & compliance reviews for onboarding new vendors
Custom VGS IdP
To learn more, visit our configuration page.
Backend Authentication
VGS only knows that a specific alias belongs to a specific customer. VGS does not interact with your authentication mechanism, and VGS does not know anything about your end users.
Therefore, VGS cannot determine when to reveal -- or when not to reveal -- an alias on your inbound proxy. If your backend is unsecured, an unauthorized party might create a free account and reveal your aliases.
This functionality must be managed at the backend, where the customer decides which proxy requests may be revealed. You should scope, generate, validate, and authenticate specific aliases to specific end users; this logic can be implemented directly in your backend code.
A securely implemented backend should only allow the request if:
The authentication is valid and not expired.
AND
The account associated with the authentication mechanism matches the alias being requested.
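To make the two conditions concrete, here is an added example (not VGS code) of such a backend check in Python: a session token signed with HMAC carries the account id and an expiry, and a reveal request is forwarded only when the token verifies, has not expired, and the requested alias is registered to that same account. The signing key, the alias registry, and the token format are constructed for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo values: in production the signing key comes from a secret
# store and the alias registry is your own record of which account each alias
# was issued to (VGS itself only knows the alias belongs to your organization).
SIGNING_KEY = b"constructed-demo-signing-key"
ALIAS_OWNER = {"tok_card_4242": "acct_1", "tok_card_0005": "acct_2"}

def _sign(body: bytes) -> str:
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()

def mint_token(account_id: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Issue a session token bound to one account, with an expiry claim."""
    now = time.time() if now is None else now
    body = json.dumps({"sub": account_id, "exp": int(now) + ttl_seconds}).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body)

def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the account id if the signature checks out and the token is unexpired."""
    now = time.time() if now is None else now
    try:
        body_b64, sig = token.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(_sign(body), sig):  # constant-time compare
        return None
    claims = json.loads(body)  # safe to parse: the body is ours once the MAC verifies
    if claims["exp"] <= now:
        return None
    return claims["sub"]

def authorize_reveal(token: str, alias: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Both conditions from the text must hold before a reveal request is
    forwarded to the inbound proxy: valid, unexpired authentication AND the
    authenticated account is the one the alias was scoped to."""
    account = verify_token(token, now)
    if account is None:
        return False, "authentication invalid or expired"
    if ALIAS_OWNER.get(alias) != account:
        # One generic reason: do not disclose whether the alias exists at all.
        return False, "alias not scoped to this account"
    return True, "forward to proxy"
```

Call `authorize_reveal(session_token, alias)` in the handler that fronts the proxy and forward the request only when the first element is `True`.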
It is extremely important to protect against the potential compromise of an authentication mechanism.
You may find additional authentication guidelines here.
Multi-Factor Authentication (MFA)
Enterprise digital resources should require authentication, where a user supplies their identity and evidence to prove the authenticity of that identity. Single-factor authentication is typically a simple password; however, a password can be stolen, guessed, or brute-forced with many attempts.
Therefore, we recommend MFA, where a user must supply at least two pieces of evidence: something they know (e.g., a password), something they possess (e.g., a smartphone), and/or something they are (e.g., a fingerprint).
A common practice is to install a third-party authenticator application that displays a random and constantly refreshing number or code, which the user enters for authentication. Some password managers also offer this service.
VGS is continuously looking for ways to improve security and minimize risk to our users, including for identity management. Our Identity and Access Management (IAM) system supports WebAuthn so you can easily and securely authenticate your MFA login with a single tap.
You can select which authentication method you prefer for login, including a one-time password (OTP) credential, a WebAuthn credential, or a password-less login (e.g., just WebAuthn). You can have multiple OTP devices and/or multiple WebAuthn devices. You can select which type of device to use during login, and which specific device to use.
OTP is a widely used industry standard for MFA. Its passwords (codes) have an incredibly short lifespan, and they are safer to use than SMS or other IAM solutions.

It is quick and easy to set up OTP. VGS makes sure that transitioning from your existing MFA solution to OTP is painless.
There are two simple steps:
When you log into the VGS Dashboard, enable one-time password (OTP)
Create a new password for your Dashboard
Each of these changes is followed by an email confirmation, a Dashboard notification, and a message in your customer channel.

Once you submit credentials (username/password) that are successfully validated, you are then led to the next factor for validation, which is when you enter your OTP.
Forced MFA Policy
MFA is enabled automatically for all users if the corresponding requirement is set on the organization level.
Good Passwords
A good password should be hard for a user to forget, but difficult for an attacker to guess. Achieving both goals at once can be a challenge. A good level of complexity typically requires a mix of character types, including at least one digit, at least one uppercase letter, and one symbol. Passwords should always be unique and never reused. Randomly generated passwords are more difficult to guess or brute-force than user-chosen passwords.
Minimum length is key, and in general, the longer the better. Short passwords are vulnerable to brute force and dictionary attacks. The minimum length for your enterprise passwords depends on specific threat modeling and the level of your data sensitivity. For storage purposes, however, the length of a hashed long password is the same as the length of a hashed short password.
It is a good idea to maintain a list of unacceptable passwords, which may include dictionary words, company names, employee names, or passwords found in data breaches. One great website to check whether any of your email addresses or phone numbers may have been affected by a breach is https://haveibeenpwned.com/. Remember: it is important not to write passwords down or to store electronic passwords in an unsafe manner.
VGS also recommends the use of a password manager, which is a computer program that allows users to generate, store, and retrieve complex passwords for applications and web services. They typically require a user to generate and remember one master password to access the rest of their passwords. They can even store other types of sensitive information, such as credit card data. Everything is stored in an encrypted database, which can be local or remote.