InVision guide to security

This guide is intended to provide customers with InVision best practices for securing your account, your services, and your data.

Security fundamentals

Using best security practices are as much the responsibility of our customers as it is ours. When your data is transmitted to, processed in or stored within InVision’s environment we employ the best controls in the industry to protect the confidentiality, integrity, and availability of your data. Prior to that, the customer should use extreme caution to ensure complete end to end protection of their InVisionapp service and personal data.

Protection of service data

The customer should ensure they are using a device with whole disk encryption enabled. iOS and Android devices encrypt data by default. All windows and mac laptops now provide the ability to disk encrypt data as well. It is recommended this is turned on to secure your InVisionapp service data on your device.

Mobile devices should also be protected with a reputable antivirus that updates frequently and scans in real time or on access all customer data uploaded, downloaded or cached locally from InVision’s service.

Account protection

This is the most important component of keeping your InVision account and data safe. One of the most common support tickets we receive is issues related to the security of an individual’s account. Accounts and their passwords should never be shared. Please keep in mind that sharing of accounts is strictly prohibited by InVision’s Terms of Service but you should be concerned on a deeper level due to the security risks that arise from sharing your credentials. InVision is not responsible for changed account passwords or account data deleted due to shared accounts.

User access reviews

As a best practice, it is recommended that customers review user accounts and their roles on at least a quarterly basis. This will ensure that only authorized and active user accounts continue to access your service.

Strong password authentication

InVision’s default password policy is simple. It is highly recommended that you use a strong password of at least 8 characters with complexity (upper case, lower case, alphanumeric, special character or symbol) or use a passphrase over 12 characters long. As a best practice use a password manager such as LastPass or 1Password which will auto generate a random and unique password for you and store within the password manager than can be installed across multiple devices.

If you have been notified or suspect that any account which shares the same password you use for InVision has been compromised, change your password immediately. HaveIBeenPwned is an excellent resource for identifying if any of your accounts credentials may have been compromised.

Two-Factor authentication is also supported for Enterprise customers and should be used (discussed more below).

Connect to secure WiFi or use an encrypted VPN agent

Never connect to and transmit authentication credentials over non-secure wifi. Secure wifi is an SSID with a lock that requires authentication and is encrypting your traffic from your device to the wireless access point (WAP). Even if you are connecting to InVision over https (SSL) your account can be compromised between your device and the WAP.

If non-secure wifi is your only option you should use an encrypted VPN agent that creates an encrypted tunnel around your data as it leaves your mobile device. Examples are encrypt.me and PIA but there are several dozen.

Security software and updates

Enable or perform updates on your device as they become available. These updates typically include security patches required to keep your device, applications, and data safe and secure.

Popups, phishing emails, and unknown links

As a reminder, you should never click on popups, internet advertisements or unknown links in emails you are expecting or from an unknown sender. Modern malware and viruses are installed and execute silently—meaning you are not aware of it happening or the damage it is causing until it is too late.

Education and training

It never hurts to stay on top of the latest security news especially those regarding internet, application, and endpoint vulnerabilities. The purpose of this guide is to help you keep your InVision account and data safe, but these tips will also help you keep your non-InVision account credentials and data safe and secure.

InVision provided security

The following security protections are provided as part of your service: Web application firewall, DDoS (Enterprise and Private Cloud only), encryption in transit, encryption at rest (Enterprise and Private Cloud only) 

Web application firewall

The web application firewall (WAF) is a security tool that protects your service from over 400 types of application layer attacks including OWASP top 10. This is one of the most important components SaaS can employ to protect customer data from attack, compromise, and leakage. All of our customers are protected by the WAF, and no action is required on your part.

Distributed denial of service (Enterprise and Private Cloud only)

DDoS is an added protection that identifies and prevents brute force attacks of leaked or unknown authentication credentials. This further assists in keeping your account credentials safe and secure.

Encryption in transit

Transmission of all data across the internet is protected with transport layer security (TLS) encryption. It is important you use a browser that supports the necessary protocols for best protection (more information on this below).

Encryption at rest (Enterprise only)

All personal data, authentication data and session tokens are encrypted at rest protecting account names, email addresses, passwords, IP addresses, and session states (tokens).

Encryption at rest (Private Cloud only)

Private Cloud customers also receive encryption at rest for all asset data such as uploaded and created design files and project data. This is an added component to protecting your sensitive and confidential intellectual property.

Accessing your service

The following may affect access to your service: Browser protocol support, web certificate validation, two-factor authentication or SSO, and IP whitelisting

Browser protocol support

Ensure your browser supports and connects over TLS 1.2 only. The latest releases of all modern (mainstream: Chrome, Edge, IE, Firefox, Safari) browsers support this natively. Further, most browsers will disable support for TLS 1.1 and below in 2020.

Validate web certificate

Verify that you are not logging into a spoofed link. Best practice is to always type out the known URL in your browser, however if clicking on a given link is more convenient ensure you validate the certificate.

InVision’s current sha256 certificate is issued by Cloudflare and looks like this:

(actual image may vary slightly by browser)

Use 2 factor authentication or SSO (Enterprise and Private Cloud only)

InVision supports SAML (including Okta, OneLogin, and ADFS) for Enterprise customers.

Visit this article for more information on how to configure SSO for your service.

Enterprise customers may choose to use local authentication using an InVision-specific password. In that case you should turn on two-factor authentication to prevent compromise from leaked credentials or brute force attacks.

Visit this article to configure two-factor authentication.

IP whitelisting (Enterprise and Private Cloud only)

It is strongly encouraged our customers use IP whitelisting to further protect their service against compromise. IP whitelisting will only allow your environment to be accessed from predefined IP’s.
Visit this article to find out more about IP whitelisting.

Service security

Enterprise and Private Cloud customers can configure the following service security settings: Password policies, session timeout, share link protection, password protection 

Password policies (Enterprise and Private Cloud only)

InVision provides our Enterprise customers the ability to meet any organizational or compliance password requirements. You can configure length, complexity, duration, and history.

Visit this article to configure a password policy.

Session timeout (Enterprise and Private Cloud only)

Session timeouts protect users whose device may be accessed by another individual, compromised, lost or stolen by terminating the active session in a predefined amount of time.

Visit this article to configure session timeout.

Share links (Enterprise and Private Cloud only)

There are two options for protecting share links depending on the organization’s intended use.

Require authentication

If share links will not be shared outside of your organization, requiring authentication will only allow access to the share link from a member of your organization (email domain) that has authenticated to your account. This prevents, even a publicly leaked URL, from being accessed by anyone outside of your company.

Visit this article to configure authentication.

Password protect

If share links will be sent outside of the organization, then it is highly recommended you password protect the share link.

Visit this article to learn how to password protect share links.

Mobile security

InVision mobile apps use the same authentication protections as the web app service. Whatever settings an organization has set will also apply to mobile such as SSO or 2FA.

Self preservation

As a general best practice, it is encouraged to use some form of lock on your phone such as pin/passcode, fingerprint, facial recognition, etc. Many phones are different and provide different ways to accomplish this. See your specific phone provider for assistance.

Native encryption

InVision’s iOS app uses native device encryption for iPhones that are 3GS or later.

Using WiFi

If connecting to WiFi with your mobile device, it is encouraged to follow the recommendation provided in the "Connect to secure WiFi or use an encrypted VPN agent" subsection (within the “Security Fundamentals” section above.