12.5.6. Site Keys

XACCESS Site Key: Secure Your Locations with IP-Restricted Access

What is the XACCESS Site Key?

  • The XACCESS Site Key designates a network as an Approved Location (a “Safe Zone”) within the XACCESS ecosystem, enabling precise, IP-based control over where logins are permitted.
  • A Site Key can be a small hardware device (Ethernet, plug-and-play) or a managed XNET router operating in Site Key mode (no extra hardware required).
  • Important: A Site Key does not automatically bypass XACCESS for everyone. Whether the XACCESS challenge is required depends on the account type and policy (see “Key Rules at a Glance”).
  • Site Keys can both enable convenience at approved locations and enforce geo-lock so that certain users can only log in from specific, Site-Key-approved locations.

XACCESS hardware token illustration

Key Rules at a Glance

  • Personal Accounts (one person, their own XACCESS token):
    • Challenge required everywhere (including at Site Key locations) — user enters their 6-digit token.
    • After success, XACCESS auto-expires the account after the configured window (e.g., 8 hours).
    • Geo-lock option: If you assign one or more Site Key locations to the person, they are restricted to those locations. Even with a valid token, logins from anywhere else are denied.
  • Shared / “Challenge-Skipped” Accounts (two or more people use the same login):
    • Inside any Approved Location, login becomes password-only (no XACCESS token challenge).
    • XACCESS does not manage AD expiry for these accounts (it cannot predict who needs access next).
    • No per-site restriction: Shared Accounts cannot be limited to a subset of Site Keys; they can be used from any location that has an active Site Key for your environment.
    • Perimeter remains strong: From unapproved networks (no Site Key), access is blocked.

Use Cases for the XACCESS Site Key

  • Foreign BPO (Business Process Outsourcing) Centers
    Restrict access to company systems so staff can log in only from designated offices. Site Keys enforce location while Personal Accounts still require a token challenge; Shared/Challenge-Skipped accounts (if used) are password-only inside those offices.
  • Retail Point-of-Sale (POS) Security
    Approve store networks for POS terminals. Staff on-site can operate with minimal friction. Remote access from outside is blocked by XACCESS.
  • Enterprise Offices with Location-Based Access Controls
    Enforce that work occurs only from corporate offices. Use Personal Accounts (token + auto-expiry) with optional geo-lock for maximum control. Keep any Shared/Challenge-Skipped accounts to tightly controlled scenarios.

How It Works

  • Install a Site Key (hardware or XNET router mode) on the office network; the location becomes an Approved Location.
  • Account behavior at Approved Locations:
    • Personal Accounts: XACCESS challenge required; account auto-expires after the configured window. If the person is site-restricted, only these locations are allowed.
    • Shared / Challenge-Skipped Accounts: Password-only inside Approved Locations; XACCESS does not expire these accounts.
  • Outside Approved Locations:
    • Personal Accounts: Challenge is required on safe networks; if geo-locked to Site Keys, logins from elsewhere are denied.
    • Shared / Challenge-Skipped Accounts: Access is blocked (no Site Key present).

Why Choose XACCESS Site Key?

  • Enhanced External Security — XACCESS blocks access from unapproved networks, reducing remote attack surface.
  • Precise Location Control — Site Keys authorize where logins can occur; Personal Accounts can be geo-locked to specific sites.
  • Seamless On-Site Experience — Optional challenge-skip for specific accounts in controlled scenarios (e.g., kiosks) to reduce friction.
  • Flexible Deployment — Hardware Site Key or XNET router mode; fast rollout with minimal configuration.

Guidance & Best Practice

  • Prefer Personal Accounts + Tokens for individual staff to preserve challenge + auto-expiry (even at Site Key locations).
  • Use Site Keys sparingly for convenience; primarily use them to enforce location and geo-lock where needed.
  • Avoid Shared Accounts where possible. If unavoidable, keep permissions minimal, enable strong passwords, activity logging, session locking, and frequent rotation.

Get Started with XACCESS Site Key

Ensure only authorized locations have access to your critical systems while maintaining strong authentication policies. Contact us to plan a deployment that balances convenience and security for your environment.

SUMMARY

Site Keys & Account Behaviour. A Site Key designates a location as approved but does not, by itself, bypass XACCESS. For Personal Accounts (one person with an XACCESS token), the user must complete the XACCESS challenge and the account will automatically expire after the configured window; if the person is assigned to specific Site Key locations, their account is restricted to those sites and cannot be used elsewhere. For Shared Accounts, XACCESS does not manage AD expiry and challenge is typically skipped on approved networks; Shared Accounts cannot be restricted to a subset of Site Keys and may be used from any location with an active Site Key for the environment. In all cases, XACCESS maintains strong external protection by blocking access from unapproved networks.

Need more help with this?
© 2021–2025 XSTRA Group Pty Ltd (Australia). All rights reserved.

Thanks for your feedback.