
Manage Device fingerprint attributes

Device fingerprint attributes validate a machine authentication when Device Fingerprint Required is selected in the machine authenticator settings.

Note: Changes made to the device fingerprint attributes are saved automatically.

The following device fingerprint attributes cannot be changed:

  • Attribute name. Attribute names are typically related to properties (in a device library or Web browser) that have values that can be obtained through a query.
  • Type. Defines how attributes can change over time. Type includes:
    • Constant. Attributes do not change, or change very rarely. Examples include screen dimensions or an operating system name.
    • List. Attributes are lists of items and can change over time. Examples include a list of fonts installed on a device or a list of languages supported.
    • Variable. Attributes are likely to change over time. Examples include lists of applications or enabled options on mobile devices, or the time zone setting on a laptop computer used for business travel.
    • Version. Attributes are subject to change, some frequently, like browser versions, some less often, like operating system versions.

Set device fingerprint attributes

  1. Click > Policies > Device Fingerprinting. The Device Fingerprint Attributes page appears.

  2. Select the type of device fingerprint from the drop-down list. The options include:

    • Web Browsers (the default)
    • iOS Apps
    • Android Apps
  3. Click for the attribute you want to modify. The Device Fingerprint Attribute dialog box appears.

  4. Modify the attributes as required.

  5. Select Enabled to include the attribute in the device fingerprint. If Enabled, your application must collect this attribute from the Web browser or device to use it in the device fingerprint calculation.

  6. Edit the Change Threshold as required. The Change Threshold is a number that represents how much the attribute can change from one user authentication attempt to the next without incurring risk. Not all attributes have a change threshold.

    Example: A Web browser might change from version 1 to version 3. If the change threshold is 2 or more in this example, the browser is not flagged as different.

    How the change threshold is calculated for each attribute type

    • Constant. The change threshold should be very low.

      Change to this type of attribute is rare, and often would indicate that a user is trying to authenticate from a different Web browser (for example, a computer with a new operating system is essentially a different computer).

    • List. The change threshold value represents the number of changes to the list through addition or deletion of items since the last time a user authenticated.

      A change to the name of a list item would count as two changes (deletion of the item with its old name and addition of an item with its new name).

    • Variable. The change threshold value is the number of characters that have changed.

      To construct the previous value of an attribute from the current value, each addition, subtraction, or movement of a character counts as one change. If the number of required changes exceeds the change threshold, then risk is incurred.

    • Version. The change threshold is a dotted numeric string like the attribute value itself.

      For example, a change threshold of 1.2 means that risk is incurred if the major version of the software associated with the attribute (for example, the operating system) increases by more than one and the minor version increases by more than 2. With the 1.2 change threshold setting, the other numbers in the operating system version (that might represent a build number, for example) are ignored. Those numbers can change by any amount without incurring risk.

  7. Select Must Match to require that the attribute value from a new authentication attempt matches the value from the last successful authentication attempt.

    When an attribute does not match, it incurs the risk points defined in its Non-Matching Risk Points setting. The risk points from all non-matching attributes are added together to produce a total risk score, which is applied to the resource rule for machine authentication.

    The total risk score is scaled to a value between 0 and 100 using the following formula:

    Total Risk Score = (Total Risk Points of Failing Attributes / Maximum Risk Points of All Enabled Attributes) * 100

  8. Assign a Non-Matching Risk Points value to each attribute. The default is 10. Increase the value for attributes you consider higher risk.

    Example: Browser versions update frequently, so a change to that attribute carries little risk and can have a low Non-Matching Risk Points value. Operating system changes are rare and often indicate authentication from a different device, so that attribute should have a higher Non-Matching Risk Points value.

  9. Click Save.
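
The following added example (not the product's own code) models the List change count and the Total Risk Score formula described above, so you can see how threshold and Non-Matching Risk Points choices affect the score. It assumes that the maximum is the sum of risk points over enabled attributes and that Constant attributes are compared exactly, as if Must Match were selected. Variable and Version comparisons are left out, and all attribute names and values are constructed.

```python
from dataclasses import dataclass

@dataclass
class AttributePolicy:
    kind: str                # "constant" or "list" (assumed labels for this sketch)
    enabled: bool = True
    threshold: int = 0       # Change Threshold
    risk_points: int = 10    # Non-Matching Risk Points (documented default is 10)

def list_changes(old, new):
    """Additions plus deletions; a renamed item therefore counts as two changes."""
    return len(set(old or []) ^ set(new or []))

def attribute_fails(policy, old, new):
    if policy.kind == "list":
        return list_changes(old, new) > policy.threshold
    return old != new        # assumption: constant attributes must match exactly

def total_risk_score(policies, previous, current):
    """(risk points of failing attributes / maximum of enabled attributes) * 100"""
    enabled = {n: p for n, p in policies.items() if p.enabled}
    maximum = sum(p.risk_points for p in enabled.values())
    if maximum == 0:
        return 0.0           # nothing enabled, so nothing can fail
    failing = sum(p.risk_points for n, p in enabled.items()
                  if attribute_fails(p, previous.get(n), current.get(n)))
    return failing / maximum * 100

# Constructed sample policy and fingerprints (hypothetical attribute names).
POLICIES = {
    "os_name": AttributePolicy("constant", risk_points=40),
    "fonts": AttributePolicy("list", threshold=2, risk_points=10),
    "languages": AttributePolicy("list", threshold=0, risk_points=10),
    "plugins": AttributePolicy("list", enabled=False, risk_points=30),
}
LAST_GOOD = {"os_name": "Windows", "fonts": ["Arial", "Calibri", "Verdana"],
             "languages": ["en-US"], "plugins": ["pdf"]}
# One font renamed: two list changes, which stays within the threshold of 2.
SAME_DEVICE = {**LAST_GOOD, "fonts": ["Arial", "Calibri Light", "Verdana"]}
# Operating system and language list both differ: 50 of 60 enabled points fail.
OTHER_DEVICE = {**LAST_GOOD, "os_name": "Linux", "languages": ["de-DE"]}

if __name__ == "__main__":
    print(total_risk_score(POLICIES, LAST_GOOD, SAME_DEVICE))
    print(total_risk_score(POLICIES, LAST_GOOD, OTHER_DEVICE))
```

Disabled attributes are excluded from both the numerator and the denominator, so enabling or disabling an attribute changes how much every other attribute contributes to the scaled score.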