As an added security measure, AWS Wickr administrators can now enforce a verification email when users add a new device to their account. This feature gives IT, security teams, and users the ability to prevent unauthorized access to their AWS Wickr accounts, commonly referred to as Account Take Over (ATO).
- When a non-SSO user adds a new device, the user is required to enter or scan a Wickr-generated code from their old device, or to complete email verification, to onboard the new device.
- Outside of new devices (using ATO) and desktop 2FA, MFA is not supported.
- For mobile devices, Wickr provides users the option to use biometrics in lieu of their password.
- Available only in AWS Wickr
How it Works:
1. Admin Console
Only AWS Wickr network administrators can control this feature, and it is available only for non-SSO networks.
- The admin can navigate to the Admin Console, select ‘Security Group’ and find the ‘Account Takeover Protection’ option.
- If the admin enables this option, users will have to go through the 2FA flow when adding a new device.
- If there’s malicious activity (someone other than the authorized user tries to add a device), the admin can go to event logging, enter a date and time, and download the log. Once the admin opens the event log, they can view a 'malicious event' on users' devices.
- If the admin disables Account Takeover Protection, users will not have to go through the 2FA flow when adding a new device and will use their existing credentials to sign in.
- This is disabled by default.
2. Client-Side (All Platforms)
- Assumption: Your admin has enabled this feature in the admin console
- New Device - If you are adding a new device to your existing account, sign in with your username and password.
- You will see the ‘Verify Device’ screen.
- If you don’t have your existing device available, you can also verify using your email. If you select ‘Verify using email’, Wickr will send you an email with a verification code for you to enter. You can select ‘resend email’ and we will re-send the email. Once you enter your verification code, you will be able to log in to your account successfully.
- If you enter the wrong verification code you will not be able to log in.
- Existing Device: If you do have your existing device/source available, you will receive a popup informing you that someone is attempting to add a device to your account and asking you to confirm that it's really you.
- On the popup, "Did you just sign-in?", you will see two buttons: 'Get Code' and 'Deny'.
- Selecting "Get Code" will provide a verification code.
- Enter the code on your new device to sign in to your existing account.
- If you don’t receive the code, you can click ‘resend’ to get the popup again.
- You must enter the correct code; otherwise, your account may get suspended based on your attempts.
- In the event of unauthorized access, an email will be sent to your admin to notify them that there’s an unexpected Wickr sign-in to a user’s account, and your admin can take the appropriate action.
- You will also receive an email if you or someone else enters the wrong verification code.
- If "Deny" is selected, you should be able to reject the new device, and it will not be added to your account.
- If the device is denied, the user has the option to change their password.
- Rejecting a device will send an email to the admin of the network notifying them that there was suspicious activity on their user's account, and the admin will be able to download the malicious event logs within the Admin Console.
We hope you enjoy this feature! As always, continue to send in feedback! If you have any questions, please email firstname.lastname@example.org