SecureAuth IdP Device Fingerprinting

Transcription

1 Technical Brief SecureAuth IdP Device Fingerprinting Low-Friction BYOD Authentication March 2015

2 Executive Overview The explosion of devices desktops, laptops, and now the plethora of mobile devices has left enterprises scrambling to properly control access to their resources. Simple username and password combinations are too easily compromised or forgotten, creating points of vulnerability. Though users may be comfortable with shielding their Facebook profiles behind single-factor authentication, enterprise information must be more strongly secured. But adding layers of authentication without compromising ease of use has proven to be an elusive goal. SecureAuth IdP s device fingerprinting delivers the flexibility, security, and convenience required to increase layers of authentication without creating high friction for users. In fact, device fingerprinting often actually improves the user experience. This paper explains what device fingerprinting is, how it works, and the many benefits it delivers for mobile and BYOD work environments. Assert Your Identity 2

3 Table of Contents What is Device Fingerprinting?... 4 How Does it Work?... 4 Registering a device to a user Validation during subsequent authentication attempts Key Benefits... 6 Enabling Devices to Evolve... 7 A heuristics-based solution you control Setting the weight for each device characteristic Evaluating whether it is the same device Example Secure Mobile Apps for Android and ios Integrated into SecureAuth IdP for All Resources Conclusion Assert Your Identity 3

4 What is Device Fingerprinting? SecureAuth IdP device fingerprinting is a revolutionary system designed to strengthen mobile security while simplifying the login and access process for users. Device fingerprinting enables secure and convenient access to all resources from any desktop or mobile device by capturing and storing a device s unique characteristics and saving them in the directory for future reference. How Does It Work? Each mobile device laptop, tablet, or smartphone has unique characteristics, including variations of HTTP headers, IP addresses, browser fonts, browser plug-ins, user data storage, and time zone. Using a heuristics-based approach, SecureAuth IdP device fingerprinting exploits this information for device registration and subsequent device validation. When a user first attempts to access enterprise resources from a particular device and is successfully authenticated, SecureAuth IdP pulls specific characteristics from that device and stores them in the directory, registering the device (Figure 1) Internet 1 2 Desktop and Mobile Based Users Enterprise 5 6 One or More Directories Figure 1: Registering a device to a user upon first access attempt Registering a device to a user + + A user attempts to access an application from a desktop or mobile device and is redirected to SecureAuth IdP for authentication A. + + SecureAuth IdP conducts a configurable authentication (single-factor, twofactor, three-factor, and so on) S. + + Upon successful authentication, SecureAuth IdP sends server-based commands to the client D to pull the unique characteristics (header, fonts, plug-ins, screen size, HTML5 storage facilities, IP address, cookie storage, etc.) from the device F. + + SecureAuth IdP creates a numeric representation of the values and stores it G to a local directory H that can be accessed by administrators and referenced by the authenticated user ID. + + The user is redirected with appropriate single sign-on (SSO) from SecureAuth IdP to the original target resource. Assert Your Identity 4

5 When the user makes subsequent access requests from the device, the registered characteristics are used to validate the user and device (Figure 2), delivering a low-friction user experience without sacrificing security Internet 2 Desktop and Mobile Based Users Enterprise 2 One or More Directories Figure 2: Once the device is registered to the user, subsequent authentications are low friction. Validation during subsequent authentication attempts + + A user attempts to access an application from a desktop or mobile device and is redirected to SecureAuth IdP for authentication A. + + The user supplies enterprise credentials, and SecureAuth IdP compares the fingerprint of the user s device against the directory S. + + If a match is found, SecureAuth IdP counts it as a successful second factor and returns an SSO token to the user for access to the VPN, cloud, web, or mobile resource D, with no SMS, telephony, or OOB authentication required. Assert Your Identity 5

6 Key Benefits By enabling companies to keep a record of the devices employed by each user, IdP device fingerprinting eliminates the need to impose high-friction authentication on subsequent access attempts. Users can work on multiple devices and multiple users can work on a single device all without high-impact authentication processes. In fact, device fingerprinting delivers all of the following benefits: + + Low-friction authentication Once a device has been registered to a user with device fingerprinting, that user is not burdened with multiple authentications for each subsequent session from that device. This dramatically simplifies the login and access process for users who frequently employ the same resources, especially portals. + + One user, multiple devices If a user who has a registered device attempts access from a different device, SecureAuth can be configured either to deny access or to usher the user through another enrollment so that the user can register the new device for subsequent access requests. In fact, a user s profile can house multiple device fingerprints to speed future validations. + + One device, multiple users When a shared device is first registered, it is linked to one particular user s profile, and that user is then able to work on the device without re-authenticating. If another user attempts to access enterprise resources from the same device, SecureAuth IdP will pull identifiers from the device and attempt to match them to any devices registered for that user. When that attempt fails, the system will recognize that the device has not been registered to this new user, and will redirect the user to the IdP for authentication before access is granted. Device fingerprinting will then store the device under the new user s profile, without altering or deleting any previous device registrations. + + Time-limited registration Users can be issued a time-limited registration, which forces them to re-register after a specified period. + + Easy device revocation SecureAuth IdP limits the risks associated with BYOD by offering one-touch revocation, which maintains security even if a device is compromised or a user leaves the company. An easy-to-use interface shows all the devices registered to a given user, and the administrator can revoke any device simply by unchecking it in the list. + + User self-management Users can register themselves, modify their profiles, reset their passwords, and revoke access on their own devices at any time without assistance from IT. + + No thick clients This is all accomplished without the need for any thick clients on the device. Assert Your Identity 6

7 Enabling Devices to Evolve A heuristics-based solution you control As we have seen, SecureAuth IdP device fingerprinting works by comparing a user s current device to the device s fingerprint stored in the directory. But of course, devices are constantly changing the operating system is updated, plug-ins are added or deleted, users change the screen resolution, and so on. In fact, more often than not, a device s specifications on subsequent authorization attempts will not be an exact match to the fingerprint on record. You don t want to cause high friction for the user by requiring two-factor authentication for minor changes, but you don t want to allow new devices to slip through unchallenged either. And you don t want to clutter up your directory by registering a new fingerprint whenever a device changes. Accordingly, whenever a user authenticates, the goal is to determine which of the following applies: 1) The device is mostly similar to a stored fingerprint and therefore should be accepted as is. 2) The device has undergone some minor updates and therefore the existing device fingerprint should be updated. 3) The device is new altogether and therefore a new registration is required. To accomplish this goal, SecureAuth IdP device fingerprinting uses a heuristicbased approach that you can customize to meet your unique needs and priorities. Setting the weight for each device characteristic Each device characteristic used in the device fingerprint is assigned a weight, which you can adjust to suit your environment as illustrated in Figure 3. Supported characteristics include: + + HTTP header information: User-Agent Accept Accept CharSet Accept Encoding Accept Language + + Browser plug-in list + + Browser flash fonts + + Device host address/ip + + Screen resolution + + HTML5 local storage + + HTML5 session storage + + IE user data support + + Browser cookie enable/disable setting + + Time zone Assert Your Identity 7

8 Because SecureAuth IdP is a multi-tenant solution, you can adjust these settings for each protected resource. Figure 3: You can specify how much weight to assign to each device characteristic. Evaluating whether it is the same device SecureAuth IdP device fingerprinting uses these weights to help determine whether a device matches a device already registered to that user. Specifically, upon the device registration, SecureAuth IdP generates a numeric fingerprint for the device and stores it in the directory, associating it with the user. For subsequent authentications, SecureAuth IdP re-examines the device with the same algorithm, creates a new numeric fingerprint, and calculates how closely the new fingerprint matches the stored one. The matching percentage the Device Certainty Score (DCS) is a number between 0 and 100. A DCS of 100 means the device seeking authentication is identical to the fingerprint on record; a DCS of zero means it is completely different. Recall that the goal is to determine whether the device should be accepted as is, the existing device footprint should be updated, or the device should be registered as new. Breaking the DCS into these three groups requires you to set two values, as shown in Figure 4: + + Match score The lowest DCS value that can be accepted before a new fingerprint is computed + + Update score The lowest DCS value that can be accepted before the user is required to re-register Assert Your Identity 8

9 Using these two values and the DCS, SecureAuth IdP can determine how to proceed with an access attempt: Device Certainty Score (DCS) 100 DCS >= match score If the DCS is greater than or equal to the match score, the device is considered pre-registered and no additional authentication is required. Match Score Match score > DCS > update score If the DCS falls between the match score and the update score, then the device is considered likely to be pre-registered but with a few characteristics changed. SecureAuth IdP will conduct a second factor and then update the fingerprint for the user in the directory. Update Score 0 Update score > DCS If the DCS is below the update score, SecureAuth IdP considers the device to be new. After conducting a secure second factor, it will register the device for the user by creating a device fingerprint for the new device and storing it in the directory for the user. Figure 4: By specifying match and update scores you can customize the rigidity of the validation process, enabling devices to evolve without users having to re-register. By setting the match and update scores wisely, you can ensure that users enjoy a low-friction authentication experience most of the time, that device fingerprints are updated when appropriate, and that new fingerprints are added only when necessary. Example For example, suppose a user registers his Windows 7 desktop, but before he returns, the system goes through a major upgrade, including browser plug-ins and system modifications. Upon his next usage, SecureAuth IdP would recognize that the device is the same, but the fingerprinting would reflect the variation. To be secure, the user would be required to re-authenticate, but rather than registering a new device, SecureAuth IdP would update the existing device fingerprint. Just as administrators can set preferences for all individual users with SecureAuth IdP, adjustments can also be made per authentication workflow to establish distinct heuristic requirements for individual applications. Assert Your Identity 9

10 Secure Mobile Apps for Android and ios For enterprises that require higher than normal security for mobile device access, SecureAuth offers device-specific mobile applications for Android and ios devices that augment browser-based fingerprinting. These applications execute native commands on ios or Android clients in order to extract device-specific information. The Android app is able to extract the serial number from the mobile unit; the ios app pulls the UDID for versions 5.0 and earlier, and the Advertiser ID for later models. Both platforms also extract the friendly name, such as Android Nexus Integrated into SecureAuth IdP for All Resources SecureAuth IdP device fingerprinting can be used for all enterprise resources, including: + + Enterprise web applications (SharePoint,.NET, J2EE, WebLogic) + + Network resources (Juniper, F5, Citrix) + + Cloud resources (Google, Microsoft, Salesforce, Taleo) + + Mobile applications (Android, ios, Windows) Conclusion With SecureAuth IdP s innovative device fingerprinting, your enterprise can now embrace BYOD and mobile business without sacrificing either security or ease of use. In fact, you can tailor the solution to meet your organization s requirements, determining when devices match a stored footprint closely enough to bypass further authentication and when they do not, so you can deliver a low-friction user experience while maintaining the security your organization requires. To learn more visit Assert Your Identity 10

11 8965 Research Drive Irvine, CA p: f: secureauth.com