Authentication Settings (New UI)
The Authentication Settings page provides configuration options for the authentication methods used by VPAM users.
From this page, administrators can define authentication requirements and manage supported authentication methods.
To open the Authentication Settings:
- Open System Administration.
- Click Authentication Settings.
Authentication Requirements
Authentication Requirements allows a VPAM administrator to configure the multi-factor authentication (MFA) methods that users must use to access VPAM.
These settings apply to internal users and Vendor Reps. You can also configure authentication requirements for individual vendors on the vendor details page.
To open the Authentication Requirements page, go to System Administration > Authentication Settings > Authentication Requirements.
Select the network access requirement for users:
- Allow access from any network
- Only allow access from inside Authorized Trusted Networks
Specify whether users must verify their email address during authentication.
- Yes
- No
- Only users outside Authorized Trusted Networks
Specify whether users must authenticate using a mobile device as a Second Factor.
- Yes. When set to Yes, users must enroll in Mobile Authentication. On their next login, the system prompts them to complete enrollment; users cannot access VPAM until enrollment is complete.
- No
- Only users outside Authorized Trusted Networks
Face Authentication is part of the Identity Assurance and Threat Detection package. This package includes facial biometric authentication and Identity Threat Detection and Response (ITDR). Contact your Imprivata Support representative for more information.
Specify whether users must authenticate using facial recognition as a Second Factor.
- Yes. When set to Yes, users must enroll in Face Authentication. On their next login, the system prompts them to complete enrollment; users cannot access VPAM until enrollment is complete.
- No
For more information about Vendor enrollment, see Face Authentication.
Authorized Networks
Authorized Networks define approved IP addresses or ranges from which Internal User authentication is permitted to access the
When you configure Authorized Networks, your server does the following when a login attempt occurs:
- If the source IP address matches a defined network, authentication proceeds.
- If the source IP address does not match, the system blocks the login or enforces additional policy controls, depending on your configuration.
This control applies at the server authentication layer and governs access to the
You can use the feature to add single IP addresses or a range of IP addresses.
Use a slash (/) to enter a range without typing every IP address, as in the example XX.XX.XXX.12/24.
This example automatically inputs 13 IP addresses, from XX.XX.XXX.12 to XX.XX.XXX.24.
Authorized Networks add a network-level security boundary in addition to standard authentication methods, such as passwords, directory services, SAML, and multi-factor authentication (MFA). Organizations commonly use this feature to:
- Restrict Administrative Access: Limit administrator access to trusted networks, such as:
  - Corporate LAN ranges
  - Approved VPN address pools
  - Bastion or jump host networks
- Enforce Corporate Network Access: Require users to authenticate only from:
  - On-network devices
  - Approved VPN connections
  - Managed infrastructure
- Harden API Access: Restrict API key usage to approved systems, such as:
  - Designated application servers
  - CI/CD pipelines
  - Orchestration hosts
Imprivata recommends the following:
- Confirm that your current IP address is included to prevent lockout.
- Include all current and planned VPN IP ranges before enabling restrictions.
- Maintain alternate administrative access, especially when using SAML.
- Document corporate, disaster recovery, and cloud egress IP ranges.
- Combine Authorized Networks with MFA for layered protection.
- Review high availability (HA) and disaster recovery (DR) architectures to ensure all required systems are included.
- Avoid overly restrictive configurations if:
  - External vendors require broad or dynamic access.
  - Users frequently authenticate from changing networks.
  - Public IP addresses are dynamic and unpredictable.
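The range syntax and the lockout recommendations above can be checked before restrictions are enabled. The following is an added example, not Imprivata's code: it assumes the number after the slash is the last value of the final octet, as this page's example describes (which differs from CIDR prefix notation), and all addresses and role names are constructed.

```python
import ipaddress

# Constructed sample data (documentation address ranges, hypothetical roles).
ENTRIES = ["203.0.113.12/24", "198.51.100.7"]
REQUIRED = {"admin workstation": "203.0.113.20",
            "VPN egress": "198.51.100.7",
            "DR site egress": "203.0.113.200"}

def expand_entry(entry):
    """Return (first, last) address for one entry.

    Assumption: 'a.b.c.S/E' covers last octet S through E inclusive, as the
    page's example describes. This is not CIDR prefix notation.
    """
    start_text, slash, end_text = entry.strip().partition("/")
    first = ipaddress.IPv4Address(start_text)
    if not slash:
        return first, first
    start_octet, end_octet = int(first) & 0xFF, int(end_text)
    if not start_octet <= end_octet <= 255:
        raise ValueError(f"{entry}: range end must be {start_octet}..255")
    return first, ipaddress.IPv4Address((int(first) & ~0xFF) | end_octet)

def is_authorized(source_ip, entries):
    """True if source_ip falls inside any entry (login would proceed)."""
    ip = ipaddress.IPv4Address(source_ip)
    return any(lo <= ip <= hi for lo, hi in map(expand_entry, entries))

def preflight(entries, required):
    """Names of required sources that would NOT match (lockout risk)."""
    return [name for name, ip in required.items()
            if not is_authorized(ip, entries)]

def address_counts(entry):
    """(count as the page describes, count if misread as CIDR or None)."""
    lo, hi = expand_entry(entry)
    prefix = entry.partition("/")[2]
    cidr = (ipaddress.ip_network(entry, strict=False).num_addresses
            if prefix.isdigit() and int(prefix) <= 32 else None)
    return int(hi) - int(lo) + 1, cidr

if __name__ == "__main__":
    for e in ENTRIES:
        print(e, expand_entry(e), address_counts(e))
    print("Not covered, fix before enabling:", preflight(ENTRIES, REQUIRED))
```

With this sample data the DR site address 203.0.113.200 is reported as not covered, although someone reading /24 as a CIDR prefix would expect it to match.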
Risk-Based Authentication
This feature requires the Identity Assurance and Threat Detection package. This package includes facial biometric authentication and Identity Threat Detection and Response (ITDR). Contact your Imprivata Support representative for more information: support@imprivata.com
When enabled, Risk-Based Authentication (RBA) automatically detects and takes action against unusual login behavior. This additional layer of protection improves security without adding friction for trusted users.
For more information, see Configure Risk-Based Authentication.