SecureAuth IdP Device Fingerprinting
Technical Brief
SecureAuth IdP Device Fingerprinting: Low-Friction BYOD Authentication
March 2015

Executive Overview

The explosion of devices (desktops, laptops, and now the plethora of mobile devices) has left enterprises scrambling to properly control access to their resources. Simple username and password combinations are too easily compromised or forgotten, creating points of vulnerability. Though users may be comfortable with shielding their Facebook profiles behind single-factor authentication, enterprise information must be more strongly secured. But adding layers of authentication without compromising ease of use has proven to be an elusive goal. SecureAuth IdP's device fingerprinting delivers the flexibility, security, and convenience required to add layers of authentication without creating high friction for users. In fact, device fingerprinting often improves the user experience. This paper explains what device fingerprinting is, how it works, and the many benefits it delivers for mobile and BYOD work environments.

Assert Your Identity 2

Table of Contents

What is Device Fingerprinting? ... 4
How Does It Work? ... 4
    Registering a device to a user
    Validation during subsequent authentication attempts
Key Benefits ... 6
Enabling Devices to Evolve ... 7
    A heuristics-based solution you control
    Setting the weight for each device characteristic
    Evaluating whether it is the same device
    Example
Secure Mobile Apps for Android and iOS ... 11
Integrated into SecureAuth IdP for All Resources ... 11
Conclusion ... 11

What is Device Fingerprinting?

SecureAuth IdP device fingerprinting is a revolutionary system designed to strengthen mobile security while simplifying the login and access process for users. Device fingerprinting enables secure and convenient access to all resources from any desktop or mobile device by capturing a device's unique characteristics and saving them in the directory for future reference.

How Does It Work?

Each mobile device (laptop, tablet, or smartphone) has unique characteristics, including variations of HTTP headers, IP addresses, browser fonts, browser plug-ins, user data storage, and time zone. Using a heuristics-based approach, SecureAuth IdP device fingerprinting exploits this information for device registration and subsequent device validation. When a user first attempts to access enterprise resources from a particular device and is successfully authenticated, SecureAuth IdP pulls specific characteristics from that device and stores them in the directory, registering the device (Figure 1).

[Figure 1: Registering a device to a user upon first access attempt. Desktop and mobile based users reach SecureAuth IdP over the Internet; on the enterprise side the fingerprint is written to one or more directories.]

Registering a device to a user

1. A user attempts to access an application from a desktop or mobile device and is redirected to SecureAuth IdP for authentication.
2. SecureAuth IdP conducts a configurable authentication (single-factor, two-factor, three-factor, and so on).
3. Upon successful authentication, SecureAuth IdP sends server-based commands to the client to pull the unique characteristics (header, fonts, plug-ins, screen size, HTML5 storage facilities, IP address, cookie storage, etc.) from the device.
4. SecureAuth IdP creates a numeric representation of the values and stores it in a local directory that can be accessed by administrators and referenced by the authenticated user ID.
5. The user is redirected with appropriate single sign-on (SSO) from SecureAuth IdP to the original target resource.

When the user makes subsequent access requests from the device, the registered characteristics are used to validate the user and device (Figure 2), delivering a low-friction user experience without sacrificing security.

[Figure 2: Once the device is registered to the user, subsequent authentications are low friction. Desktop and mobile based users reach SecureAuth IdP over the Internet; the stored fingerprint is looked up in one or more enterprise directories.]

Validation during subsequent authentication attempts

1. A user attempts to access an application from a desktop or mobile device and is redirected to SecureAuth IdP for authentication.
2. The user supplies enterprise credentials, and SecureAuth IdP compares the fingerprint of the user's device against the directory.
3. If a match is found, SecureAuth IdP counts it as a successful second factor and returns an SSO token to the user for access to the VPN, cloud, web, or mobile resource, with no SMS, telephony, or OOB authentication required.

Key Benefits

By enabling companies to keep a record of the devices employed by each user, IdP device fingerprinting eliminates the need to impose high-friction authentication on subsequent access attempts. Users can work on multiple devices, and multiple users can work on a single device, all without high-impact authentication processes. In fact, device fingerprinting delivers all of the following benefits:

+ Low-friction authentication: Once a device has been registered to a user with device fingerprinting, that user is not burdened with multiple authentications for each subsequent session from that device. This dramatically simplifies the login and access process for users who frequently employ the same resources, especially portals.
+ One user, multiple devices: If a user who has a registered device attempts access from a different device, SecureAuth can be configured either to deny access or to usher the user through another enrollment so that the user can register the new device for subsequent access requests. In fact, a user's profile can house multiple device fingerprints to speed future validations.
+ One device, multiple users: When a shared device is first registered, it is linked to one particular user's profile, and that user is then able to work on the device without re-authenticating. If another user attempts to access enterprise resources from the same device, SecureAuth IdP will pull identifiers from the device and attempt to match them to any devices registered for that user. When that attempt fails, the system will recognize that the device has not been registered to this new user, and will redirect the user to the IdP for authentication before access is granted. Device fingerprinting will then store the device under the new user's profile, without altering or deleting any previous device registrations.
+ Time-limited registration: Users can be issued a time-limited registration, which forces them to re-register after a specified period.
+ Easy device revocation: SecureAuth IdP limits the risks associated with BYOD by offering one-touch revocation, which maintains security even if a device is compromised or a user leaves the company. An easy-to-use interface shows all the devices registered to a given user, and the administrator can revoke any device simply by unchecking it in the list.
+ User self-management: Users can register themselves, modify their profiles, reset their passwords, and revoke access on their own devices at any time without assistance from IT.
+ No thick clients: This is all accomplished without the need for any thick clients on the device.

Enabling Devices to Evolve

A heuristics-based solution you control

As we have seen, SecureAuth IdP device fingerprinting works by comparing a user's current device to the device's fingerprint stored in the directory. But of course, devices are constantly changing: the operating system is updated, plug-ins are added or deleted, users change the screen resolution, and so on. In fact, more often than not, a device's specifications on subsequent authorization attempts will not be an exact match to the fingerprint on record. You don't want to cause high friction for the user by requiring two-factor authentication for minor changes, but you don't want to allow new devices to slip through unchallenged either. And you don't want to clutter up your directory by registering a new fingerprint whenever a device changes. Accordingly, whenever a user authenticates, the goal is to determine which of the following applies:

1) The device is mostly similar to a stored fingerprint and therefore should be accepted as is.
2) The device has undergone some minor updates and therefore the existing device fingerprint should be updated.
3) The device is new altogether and therefore a new registration is required.

To accomplish this goal, SecureAuth IdP device fingerprinting uses a heuristics-based approach that you can customize to meet your unique needs and priorities.

Setting the weight for each device characteristic

Each device characteristic used in the device fingerprint is assigned a weight, which you can adjust to suit your environment, as illustrated in Figure 3. Supported characteristics include:

+ HTTP header information: User-Agent, Accept, Accept-Charset, Accept-Encoding, Accept-Language
+ Browser plug-in list
+ Browser Flash fonts
+ Device host address/IP
+ Screen resolution
+ HTML5 local storage
+ HTML5 session storage
+ IE user data support
+ Browser cookie enable/disable setting
+ Time zone

Because SecureAuth IdP is a multi-tenant solution, you can adjust these settings for each protected resource.

[Figure 3: You can specify how much weight to assign to each device characteristic.]

Evaluating whether it is the same device

SecureAuth IdP device fingerprinting uses these weights to help determine whether a device matches a device already registered to that user. Specifically, upon device registration, SecureAuth IdP generates a numeric fingerprint for the device and stores it in the directory, associating it with the user. For subsequent authentications, SecureAuth IdP re-examines the device with the same algorithm, creates a new numeric fingerprint, and calculates how closely the new fingerprint matches the stored one. The matching percentage, the Device Certainty Score (DCS), is a number between 0 and 100. A DCS of 100 means the device seeking authentication is identical to the fingerprint on record; a DCS of zero means it is completely different.

Recall that the goal is to determine whether the device should be accepted as is, the existing device fingerprint should be updated, or the device should be registered as new. Breaking the DCS into these three groups requires you to set two values, as shown in Figure 4:

+ Match score: The lowest DCS value that can be accepted before a new fingerprint is computed
+ Update score: The lowest DCS value that can be accepted before the user is required to re-register

Using these two values and the DCS, SecureAuth IdP can determine how to proceed with an access attempt:

+ DCS >= match score: If the DCS is greater than or equal to the match score, the device is considered pre-registered and no additional authentication is required.
+ Match score > DCS > update score: If the DCS falls between the match score and the update score, then the device is considered likely to be pre-registered but with a few characteristics changed. SecureAuth IdP will conduct a second factor and then update the fingerprint for the user in the directory.
+ Update score > DCS: If the DCS is below the update score, SecureAuth IdP considers the device to be new. After conducting a secure second factor, it will register the device for the user by creating a device fingerprint for the new device and storing it in the directory for the user.

[Figure 4: By specifying match and update scores you can customize the rigidity of the validation process, enabling devices to evolve without users having to re-register. The figure shows the DCS scale from 100 down to 0, with the match score and the update score marking the boundaries between the three bands above.]

By setting the match and update scores wisely, you can ensure that users enjoy a low-friction authentication experience most of the time, that device fingerprints are updated when appropriate, and that new fingerprints are added only when necessary.

Example

For example, suppose a user registers his Windows 7 desktop, but before he returns, the system goes through a major upgrade, including browser plug-ins and system modifications. Upon his next usage, SecureAuth IdP would recognize that the device is the same, but the fingerprinting would reflect the variation. To be secure, the user would be required to re-authenticate, but rather than registering a new device, SecureAuth IdP would update the existing device fingerprint.

Just as administrators can set preferences for all individual users with SecureAuth IdP, adjustments can also be made per authentication workflow to establish distinct heuristic requirements for individual applications.
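The following Python model is an added illustration of the match/update decision described above; it is not SecureAuth's code, and the paper does not publish how IdP computes the numeric fingerprint or the DCS. The characteristic weights, the 90/60 match and update scores, the sample fingerprints and the treatment of a DCS exactly equal to the update score are all assumptions.

```python
from typing import Dict, List, Tuple

Fingerprint = Dict[str, str]

# Assumed weights for the characteristics the paper lists (constructed; they sum to 100).
WEIGHTS: Dict[str, int] = {
    "user_agent": 20, "accept": 5, "accept_charset": 5, "accept_encoding": 5,
    "accept_language": 10, "plugins": 15, "fonts": 10, "ip": 5, "screen": 10,
    "local_storage": 3, "session_storage": 3, "ie_user_data": 2, "cookies": 2,
    "time_zone": 5,
}


def device_certainty_score(stored: Fingerprint, current: Fingerprint,
                           weights: Dict[str, int] = WEIGHTS) -> float:
    """DCS modelled as the weighted percentage of characteristics identical to the record (0..100)."""
    total = sum(weights.values())
    matched = sum(w for name, w in weights.items() if stored.get(name) == current.get(name))
    return round(100.0 * matched / total, 2)


def classify(dcs: float, match_score: float, update_score: float) -> str:
    """Map a DCS onto the three bands of Figure 4. A DCS exactly equal to the update
    score is not covered by the paper; treating it as 'update' is an assumption."""
    if dcs >= match_score:
        return "match"
    if dcs >= update_score:
        return "update"
    return "new"


def validate_device(profiles: Dict[str, List[Fingerprint]], user: str, current: Fingerprint,
                    match_score: float = 90.0, update_score: float = 60.0) -> Tuple[str, float]:
    """Compare `current` with every fingerprint registered to `user` (a profile may hold several)
    and act on the best score. `profiles` stands in for the directory and is updated in place.
    The second factor that precedes an update or a new registration is assumed to succeed."""
    registered = profiles.setdefault(user, [])
    best_idx, best_dcs = -1, 0.0
    for i, fp in enumerate(registered):
        dcs = device_certainty_score(fp, current)
        if dcs > best_dcs:
            best_idx, best_dcs = i, dcs
    band = classify(best_dcs, match_score, update_score) if registered else "new"
    if band == "match":
        return "accept", best_dcs                 # the fingerprint counts as the second factor
    if band == "update":
        registered[best_idx] = dict(current)      # same device, minor changes: refresh the record
        return "second_factor_then_update", best_dcs
    registered.append(dict(current))              # unknown device: add a registration, keep the old ones
    return "second_factor_then_register", best_dcs


# Constructed sample fingerprints: the registered Windows 7 desktop from the paper's example,
# the same desktop after an upgrade that changed plug-ins and resolution, and a different device.
STORED: Fingerprint = {
    "user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) Firefox/36.0", "accept": "text/html",
    "accept_charset": "utf-8", "accept_encoding": "gzip, deflate", "accept_language": "en-US",
    "plugins": "flash,java", "fonts": "Arial,Verdana", "ip": "203.0.113.10", "screen": "1920x1080",
    "local_storage": "yes", "session_storage": "yes", "ie_user_data": "no", "cookies": "yes",
    "time_zone": "-480",
}
UPGRADED: Fingerprint = {**STORED, "plugins": "java,pdf", "screen": "2560x1440"}
NEW_DEVICE: Fingerprint = {**STORED, "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X)",
                           "plugins": "", "fonts": "Helvetica", "ip": "198.51.100.7", "screen": "750x1334"}
```

With these weights the upgraded desktop scores 75 (plug-ins and screen lost), which lands in the update band, while the different device scores 40 and triggers a new registration; a second user on the already registered device starts at 0 and gets a registration of their own.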

Secure Mobile Apps for Android and iOS

For enterprises that require higher than normal security for mobile device access, SecureAuth offers device-specific mobile applications for Android and iOS devices that augment browser-based fingerprinting. These applications execute native commands on iOS or Android clients in order to extract device-specific information. The Android app is able to extract the serial number from the mobile unit; the iOS app pulls the UDID for versions 5.0 and earlier, and the Advertiser ID for later models. Both platforms also extract the friendly name, such as Android Nexus 7.4.2.

Integrated into SecureAuth IdP for All Resources

SecureAuth IdP device fingerprinting can be used for all enterprise resources, including:

+ Enterprise web applications (SharePoint, .NET, J2EE, WebLogic)
+ Network resources (Juniper, F5, Citrix)
+ Cloud resources (Google, Microsoft, Salesforce, Taleo)
+ Mobile applications (Android, iOS, Windows)

Conclusion

With SecureAuth IdP's innovative device fingerprinting, your enterprise can now embrace BYOD and mobile business without sacrificing either security or ease of use. In fact, you can tailor the solution to meet your organization's requirements, determining when devices match a stored fingerprint closely enough to bypass further authentication and when they do not, so you can deliver a low-friction user experience while maintaining the security your organization requires. To learn more visit www.secureauth.com/idp.

8965 Research Drive Irvine, CA 92618 p: 1-949-777-6959 f: 1-949-743-5833 secureauth.com