Device fingerprint attributes validate a machine authentication when Device Fingerprint Required is selected in the machine authenticator settings.
Note: Changes made to the device fingerprint attributes are saved automatically.
The following device fingerprint attributes cannot be changed:
● Attribute name—Attribute names are typically related to properties (in a device library or Web browser) that have values that can be obtained through a query.
● Type—Defines how attributes can change over time. Type includes:
– Constant
– List
– Variable
– Version
Set device fingerprint attributes
1. Click > Policies > Device Fingerprinting. The Device Fingerprint Attributes page appears.
2. Select the type of device fingerprint from the drop-down list. The options include:
● Web Browsers (the default)
● iOS Apps
● Android Apps
3. Click for the Attribute you want to modify. The Device Fingerprint Attribute dialog box appears.
4. Modify the attributes, as required.
5. Select Enabled to include the attribute in the device fingerprint. If Enabled, your application must collect this attribute from the Web browser or device to use it in the device fingerprint calculation.
6. Edit the Change Threshold as required. The Change Threshold is a number that represents how much the attribute can change from one user authentication attempt to the next without incurring risk. Not all attributes have a change threshold. For more guidance, see "How the threshold is calculated for each attribute type."
Example: A Web browser might change from version 1 to version 3. If the change threshold is 2 or more in this example, the browser is not flagged as different.
How the change threshold is calculated for each attribute type.
7. Select Must Match to require that the attribute value obtained during a new authentication attempt must match the value obtained for the last successful authentication attempt.
If the attribute does not match, the attribute incurs the number of risk points shown in Non-Matching Risk Points for that attribute. The Non-Matching Risk Points values of every non-matching attribute are added together, resulting in a total risk score, which applies to the resource rule for machine authentication.
This score is normalized to be out of 100 as follows:
Total Risk Score = (Total Risk Points of Failing Attributes / Maximum Risk Points of All Enabled Attributes) * 100
8. Assign a Non Matching Risk Points value to each attribute, as required. The default is 10. You can change the values if you believe that some attributes represent greater risk than others.
Example: A browser version might be updated frequently, so a change in that attribute might represent very little risk. A change in an operating system, however, is rare and may mean that the authentication attempt is coming from a different computer. For this attribute, you might increase the Non Matching Risk Points value.
9. Click Save.
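The following added example (not product code) works through the Total Risk Score formula from step 7 for a constructed policy, so you can see how raising the Non Matching Risk Points of one attribute shifts the normalized score. The attribute names and sample values are hypothetical. It assumes every enabled attribute is set to Must Match, that the maximum is the sum of the risk points of all enabled attributes, and that a numeric attribute passes when it changes by no more than its Change Threshold, as in the browser version example in step 6.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Attribute:
    name: str                                # hypothetical attribute names
    enabled: bool = True
    risk_points: int = 10                    # Non Matching Risk Points (default 10)
    change_threshold: Optional[int] = None   # None: attribute has no change threshold


def attribute_fails(attr, previous, current):
    """Return True when the attribute counts as non-matching."""
    if previous == current:
        return False
    if previous is None or current is None:
        return True  # value missing on one side: treated as a mismatch (assumption)
    if attr.change_threshold is not None:
        # Assumption drawn from the page's browser example: a move from
        # version 1 to 3 is tolerated when the threshold is 2 or more.
        return abs(current - previous) > attr.change_threshold
    return True


def total_risk_score(policy, previous, current):
    """(risk points of failing attributes / maximum of enabled attributes) * 100."""
    enabled = [a for a in policy if a.enabled]
    maximum = sum(a.risk_points for a in enabled)
    if maximum == 0:
        return 0.0  # nothing enabled, so nothing to score
    failing = sum(a.risk_points for a in enabled
                  if attribute_fails(a, previous.get(a.name), current.get(a.name)))
    return failing / maximum * 100


# Constructed sample policy and fingerprints.
POLICY = [
    Attribute("browser_version", change_threshold=2),
    Attribute("operating_system", risk_points=40),  # raised: OS changes are rare
    Attribute("screen_resolution"),
    Attribute("time_zone", enabled=False),          # not part of the calculation
]
LAST_GOOD = {"browser_version": 1, "operating_system": "Windows",
             "screen_resolution": "1920x1080", "time_zone": "UTC"}
UPDATED_BROWSER = dict(LAST_GOOD, browser_version=3, time_zone="CET")
DIFFERENT_MACHINE = dict(LAST_GOOD, browser_version=5, operating_system="Linux")

if __name__ == "__main__":
    print(total_risk_score(POLICY, LAST_GOOD, UPDATED_BROWSER))
    print(round(total_risk_score(POLICY, LAST_GOOD, DIFFERENT_MACHINE), 1))
```

With the operating system weighted at 40, an attempt that differs in operating system and browser version scores 50 of a possible 60 points, while a browser update within the threshold and a change to a disabled attribute score nothing.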