Device fingerprint attributes

Device fingerprint attributes validate a machine authentication when Device Fingerprint Required is selected in the machine authenticator settings.

Note: Changes made to the device fingerprint attributes are saved automatically.

The following device fingerprint attributes cannot be changed:

Attribute name: Attribute names are typically related to properties (in a device library or Web browser) that have values that can be obtained through a query.

Type—Defines how attributes can change over time. Type includes:

Constant: Attributes that do not change, or change very rarely. Examples include screen dimensions or an operating system name.

List: Attributes with values that are lists of items and can change over time. Examples include a list of fonts installed on a device or a list of languages supported.

Variable: Attributes that are likely to change over time. Examples include lists of applications or enabled options on mobile devices, or the time zone setting on a laptop computer used for business travel.

Version: Attributes that are subject to change, some frequently, like browser versions, some less often, like operating system versions.

Set device fingerprint attributes

Click > Policies > Device Fingerprinting. The Device Fingerprint Attributes page appears.

Select the type of device fingerprint from the drop-down list. The options include:

Web Browsers (the default)

iOS Apps

Android Apps

Click for the Attribute you want to modify. The Device Fingerprint Attribute dialog box appears.

Modify the attributes, as required.

Select Enabled to include the attribute in the device fingerprint. If Enabled, your application must collect this attribute from the Web browser or device to use it in the device fingerprint calculation.

Edit the Change Threshold as required. The Change Threshold is a number that represents how much the attribute can change from one user authentication attempt to the next without incurring risk. Not all attributes have a change threshold. For more guidance, see "How the threshold is calculated for each attribute type."

Example: A Web browser might change from version 1 to version 3. If the change threshold is 2 or more in this example, the browser is not flagged as different.

How the change threshold is calculated for each attribute type

For an attribute of Constant type, the change threshold should be very low. Change to this type of attribute is rare, and often would indicate that a user is trying to authenticate from a different Web browser (for example, a computer with a new operating system is essentially a different computer).

For an attribute of List type, the change threshold value represents the number of changes to the list through addition or deletion of items since the last time a user authenticated. A change to the name of a list item would count as two changes (deletion of the item with its old name and addition of an item with its new name).

For an attribute of Variable type, the change threshold value is the number of characters that have changed. To construct the previous value of an attribute from the current value, each addition, subtraction, or movement of a character counts as one change. If the number of required changes exceeds the change threshold, then risk is incurred.

For an attribute of Version type, the change threshold is a dotted numeric string like the attribute value itself. For example, if the change threshold is 1.2, it means that if the major version of the software associated with the attribute (for example, the operating system) increases by more than one and the minor version increases by more than 2, it incurs risk. With the 1.2 change threshold setting, the other numbers in the operating system version (that might represent a build number, for example) would be ignored. Those numbers could change by any amount without incurring risk.

Select Must Match to require that the attribute value obtained during a new authentication attempt must match the value obtained for the last successful authentication attempt.

If the attribute does not match, the attribute incurs the number of risk points shown in Non-Matching Risk Points for that attribute. The Non-Matching Risk Points values of every non-matching attribute are added together, resulting in a total risk score, which applies to the resource rule for machine authentication.

This score is normalized to be out of 100 as follows:

Total Risk Score = (Total Risk Points of Failing Attributes / Maximum Risk Points of All Enabled Attributes) * 100

Assign a Non Matching Risk Points value to each attribute, as required. The default is 10. You can change the values if you believe that some attributes represent greater risk than others.

Example: A browser version might be updated frequently, so a change in that attribute might represent very little risk. A change in an operating system, however, is rare and may mean that the authentication attempt is coming from a different computer. For this attribute, you might increase the Non Matching Risk Points value.

Click Save.
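
The List and Version threshold rules, Must Match, and the score normalization described above, worked through on one comparison. This is an added example, not the product's own code: the attribute names, policy layout and sample fingerprints are constructed, the Version check follows the page's wording literally, and Variable-type character counting is not modelled.

```python
# Added example: models the page's rules; not the product's own code.

def list_changes(old, new):
    # Additions plus deletions; a renamed item counts twice (old out, new in).
    return len(set(old) ^ set(new))

def version_exceeds(old, new, threshold):
    # Only the components the threshold names are compared ("1.2" -> major, minor);
    # later components such as build numbers are ignored. Following the page's
    # wording, risk is incurred when every named component rises by more than allowed.
    limits = [int(p) for p in threshold.split(".")]
    o = [int(p) for p in old.split(".")][:len(limits)]
    n = [int(p) for p in new.split(".")][:len(limits)]
    return all(b - a > lim for a, b, lim in zip(o, n, limits))

def attribute_fails(policy, old, new):
    if policy.get("must_match"):
        return old != new
    if policy["type"] == "List":
        return list_changes(old, new) > policy["threshold"]
    if policy["type"] == "Version":
        return version_exceeds(old, new, policy["threshold"])
    # Assumption: any other type is treated as an exact-match comparison here.
    return old != new

def total_risk_score(policies, last, current):
    # (risk points of failing attributes / max points of enabled attributes) * 100
    enabled = {k: p for k, p in policies.items() if p["enabled"]}
    max_points = sum(p["points"] for p in enabled.values())
    failing = sum(p["points"] for k, p in enabled.items()
                  if attribute_fails(p, last[k], current[k]))
    return 100 * failing / max_points if max_points else 0.0

# Constructed sample policy and fingerprints (attribute names are hypothetical).
POLICIES = {
    "os_name": {"type": "Constant", "enabled": True, "must_match": True, "points": 30},
    "browser_version": {"type": "Version", "enabled": True, "threshold": "2", "points": 10},
    "fonts": {"type": "List", "enabled": True, "threshold": 2, "points": 10},
    "screen_size": {"type": "Constant", "enabled": False, "must_match": True, "points": 10},
}
LAST = {
    "os_name": "Windows", "browser_version": "1.0",
    "fonts": ["Arial", "Calibri", "Verdana"], "screen_size": "1920x1080",
}
NOW = {
    "os_name": "Windows", "browser_version": "3.4",
    "fonts": ["Arial", "Calibri Light", "Tahoma"], "screen_size": "1366x768",
}
```

Only the font list fails here (four changes against a threshold of 2), so 10 of the 50 enabled points are incurred; the disabled screen-size attribute contributes to neither total.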