Machine Authentication provides identification information on the Web browser being used to access an application. The resource rules that protect your applications can then be configured to check for registered machine authentication when assessing a user's risk. When configured, the resource rule compares the attributes of a Web browser's Machine Authentication with the copy of the machine authentication information recorded in the Identity as a Service account.
A risk point score is assigned to the user for every difference found between an attribute value recorded in the machine authentication on the Web browser and the corresponding value on the Identity as a Service account. The total value generated from this test is combined with the values from the other risk-based authentication tests to generate a total risk score. The score defines the level of authentication required to access the application according to the Authentication Decision settings for each resource rule.
Identity as a Service validates the Web browser using a machine secret generated by the user when creating a Machine Authentication from that browser. Identity as a Service copies the machine secret from each Machine Authentication into its repository.
Modify machine authenticator settings
1. Click > Policies > Authenticators.
2. Select Machine Authenticator. The Machine Authenticator settings appear.
3. To allow users to use Machine Authentication, select the option that allows users to use Machine Authentication. Enabling this feature allows users to register a Machine Authenticator. If selected, when a user logs in using the minimum authentication level or higher, a Remember Me option appears on the login screen for the user to assign machine authentication.
4. If you allow users to use Machine Authentication, modify the following settings as required:
a. From the Authenticator Required for Machine Registration drop-down list, select the authenticator that is the minimum level used to register a Machine authenticator to a Web browser when logging in.
Note: Password + OTP, Password + Token, Password + Token Push, and Password + Mobile Smart Credential Push authentications can only be performed when logging in to specific applications. If any of these options are selected, a Machine authenticator cannot be registered when logging in to an Identity as a Service account.
b. Set Maximum Number of Machine Secrets to the number of computers a user can have registered. Setting the value to 1 disables machine secret storage and machine authentication. The maximum value is 20.
c. Under Machine Authenticator Security Level, select one of the following:
– Machine Nonce Required to require that a machine nonce be part of the machine secret used for authentication. This is the default setting.
Including a machine nonce as part of the machine authentication allows those willing to have cookies stored on their Web browser to leverage machine authentication. The machine nonce (and/or sequence nonce) is stored in the local storage folder of the Web browser. Identity as a Service references that number during machine authentication to validate that the number included matches the number recorded by Identity as a Service. Machine authentication is successful when both numbers match. The unique number sent to the Web browser used when creating each machine authentication also allows Identity as a Service to differentiate between Web Browsers with highly similar attributes.
– Sequence Nonce Required to require a sequence nonce for authentication. This increases security by reducing the validity period for the machine information and making it more difficult for an attacker to steal a machine secret without being detected.
Including a sequence nonce makes it very difficult for an unwanted party to copy a machine authenticator from one Web browser to another. A sequence nonce is created after each successful authentication and stored on your Web browser for the next one. Copying over a machine secret from one Web browser to another is insufficient to log in successfully if the latest sequence nonce is not included.
– Device Fingerprint Required to require a device fingerprint for authentication. See Manage device fingerprint attributes.
Note: Entrust recommends including a machine nonce as it provides the highest level of security. Only disable this setting if machine secrets cannot be stored on your users' computers. Machine secrets cannot be stored on the client computer if cookies or Flash are disabled. If this setting is disabled, you must enable Device Fingerprinting Required for Machine Authentication to be available.
d. Set Machine Risk Limit to the maximum total number of non-matching risk points allowed before a machine authentication attempt fails.
The authentication level set must be less than this value. A value of 0 means no risk is allowed and a device fingerprint must exactly match the one used for the last successful authentication. The maximum value is 50.
e. Set Machine Secret Lifetime in Hours to set the lifetime, in hours, of a machine secret. A value of 0 gives the machine secret an infinite lifetime. The maximum value is 876,000 hours, or 100 years.
f. Select Count Failed Machine Authentication to count every failed machine authentication as a failed login attempt, which counts toward the number of failed attempts required to lock a user out of their account.
5. Click Save.
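To make the rules configured above concrete, here is an added, constructed model of the server-side checks the settings describe (Machine Risk Limit, Machine Secret Lifetime, and sequence nonce rotation after each successful authentication). It is not Entrust's implementation or API: the attribute names and risk point weights are hypothetical, and the machine secret lookup stands in for the machine nonce check.

```python
import secrets

# Constructed risk weights per browser attribute (hypothetical; the page does not
# publish Identity as a Service's real attribute list or point values).
RISK_POINTS = {"user_agent": 10, "language": 5, "timezone": 5, "screen": 5}


class MachineAuthStore:
    """Toy server-side model of the machine authenticator checks described above."""

    def __init__(self, risk_limit, lifetime_hours, require_sequence_nonce=True):
        self.risk_limit = risk_limit                 # Machine Risk Limit (0..50)
        self.lifetime = lifetime_hours * 3600        # Machine Secret Lifetime; 0 = infinite
        self.require_sequence_nonce = require_sequence_nonce
        self.records = {}                            # machine secret -> recorded copy

    def register(self, user, attributes, now):
        """Create a machine secret and first sequence nonce; the browser stores both."""
        secret, seq = secrets.token_hex(16), secrets.token_hex(8)
        self.records[secret] = {"user": user, "attrs": dict(attributes),
                                "seq": seq, "created": now}
        return secret, seq

    def authenticate(self, secret, seq_nonce, attributes, now):
        """Return (ok, detail, next_seq): detail is the risk score on success,
        otherwise the reason the machine authentication failed."""
        rec = self.records.get(secret)
        if rec is None:
            return False, "unknown machine secret", None
        if self.lifetime and now - rec["created"] > self.lifetime:
            return False, "machine secret expired", None
        # A copied secret presented with an old nonce fails here: the nonce was
        # rotated when the legitimate browser last authenticated successfully.
        if self.require_sequence_nonce and seq_nonce != rec["seq"]:
            return False, "stale sequence nonce", None
        # One risk point score per attribute that differs from the recorded copy
        # taken at the last successful authentication.
        risk = sum(pts for k, pts in RISK_POINTS.items()
                   if attributes.get(k) != rec["attrs"].get(k))
        if risk > self.risk_limit:
            return False, f"risk {risk} exceeds limit {self.risk_limit}", None
        rec["attrs"] = dict(attributes)              # baseline for the next comparison
        rec["seq"] = secrets.token_hex(8)            # rotate only after success
        return True, risk, rec["seq"]
```

With risk_limit=0 the model reproduces the documented behaviour that the fingerprint must match the last successful authentication exactly, and with lifetime_hours=0 the secret never expires.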