5.2 Understanding Device Fingerprint Parameters

A device fingerprint consists of a number of parameters. The following table lists supported parameters:

| Parameter | Description |
|---|---|
| Request Header Set | Fetches Accept, Accept-Charset, Accept-Encoding, and Accept-Language from the request headers of the incoming request. |
| User DN | Fetches the distinguished name of a user in the user store. This parameter is not applicable for pre-authentication risk analysis. |
| Hardware Parameters | Fetches the following details about the user’s device: touch support; maximum number of supported touch points; CPU architecture (32- or 64-bit processor); color depth; type (mobile, desktop, or iPad). |
| Language Set | Fetches language preferences of the user's device. |
| Operating System | Fetches name and version of the operating system on the user’s device. |
| Screen Resolution | Fetches width and height of the user's browser and screen. |
| Time Zone Offset | Fetches time zone of the user's device. |
| User Agent | Fetches the following details about the browser on the user’s device: version; name; platform of the browser; number of logical processor cores available to the browser. |

Selecting the following parameters might impact performance:

| Parameter | Description |
|---|---|
| HTML5 Capabilities | Fetches the information about HTML 5 capabilities that are supported by the browser. |
| System Fonts | Fetches the information about fonts supported and unsupported by the user's browser. |
| WebGL Metadata | Fetches information about the Graphics Processing Unit (GPU), the identity of the browser, Web Graphics Library (WebGL) properties, and characteristics supported by the browser. WebGL is a JavaScript API for rendering interactive 3D computer graphics and 2D graphics within any compatible web browser without using plug-ins. |

You can configure the match criteria either for an individual parameter or for a group of parameters. An individual parameter must exactly match the stored value. Configure a parameter for individual validation if it must be part of the login request and its value does not change frequently.

Consider configuring a parameter to be evaluated as part of a group if it is less important and its value may change frequently, for example, the version of a browser. For a group of parameters, you can specify a match value as a percentage. To meet the rule condition, the specified percentage of the parameters in the group must match the stored values.

Selecting parameters for group evaluation and setting the match criteria to 100% gives a result similar to individual parameter evaluation. However, this configuration is not recommended because it results in additional back-end percentage calculations. Instead, add the parameters to the individual list based on your requirements.

If the parameters do not match as specified, you can configure Access Manager Appliance to prompt for additional authentication.

For example, you have selected the Screen Resolution, User DN, User Agent, Language Set, TimeZone Offset, and Operating System parameters in the rule, and you have configured the following match conditions:

  • Screen Resolution: Evaluate Individually

  • Language Set, User DN, User Agent, TimeZone Offset, and Operating System Parameters: Evaluate as a Group

  • Parameter Set Match: 80%

When the user logs in for the first time, Access Manager Appliance prompts for additional authentication. After the first successful authentication, Access Manager Appliance calculates the fingerprint for that user and saves it for later use. The next time the user logs in, Access Manager Appliance calculates the fingerprint of the device used in that login attempt and compares it with the stored fingerprint. To meet the rule condition, Screen Resolution and at least four of the Language Set, User DN, User Agent, TimeZone Offset, and Operating System parameters must match.
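The following added example (not Access Manager Appliance code) models the rule above so you can see which changes on a device keep the rule satisfied and which trigger additional authentication. The function name, the sample values, and the inclusive integer threshold comparison are assumptions made for illustration.

```python
# Added illustration; not Access Manager Appliance code. Parameter names come
# from the example rule above; every value below is constructed sample data.
INDIVIDUAL = ["Screen Resolution"]
GROUP = ["Language Set", "User DN", "User Agent", "TimeZone Offset", "Operating System"]
GROUP_MATCH_PERCENT = 80

STORED = {  # fingerprint saved after the first successful authentication
    "Screen Resolution": "1920x1080",
    "Language Set": "en-US,en",
    "User DN": "cn=alice,o=example",
    "User Agent": "Firefox 126 / Win32",
    "TimeZone Offset": "-300",
    "Operating System": "Windows 10",
}


def evaluate(stored, current, individual=INDIVIDUAL, group=GROUP,
             percent=GROUP_MATCH_PERCENT):
    """Return (rule_met, reason); rule_met False means prompt for additional authentication."""
    if stored is None:
        return False, "no stored fingerprint (first login)"
    # Individually evaluated parameters must be present and match exactly.
    for name in individual:
        if name not in current or current[name] != stored.get(name):
            return False, f"individual parameter mismatch: {name}"
    # Group parameters: count exact matches, then compare with the threshold.
    matched = [n for n in group if n in current and current[n] == stored.get(n)]
    # Assumption: the threshold is inclusive; integer math avoids float rounding.
    if group and len(matched) * 100 < percent * len(group):
        return False, f"group match {len(matched)}/{len(group)} below {percent}%"
    return True, f"group match {len(matched)}/{len(group)}"


if __name__ == "__main__":
    upgraded = {**STORED, "User Agent": "Firefox 127 / Win32"}   # browser update
    travelling = {**upgraded, "TimeZone Offset": "60"}           # update + new time zone
    new_screen = {**STORED, "Screen Resolution": "1366x768"}     # only the screen differs
    for label, fp in [("upgraded", upgraded), ("travelling", travelling),
                      ("new_screen", new_screen)]:
        print(label, evaluate(STORED, fp))
    print("first login", evaluate(None, STORED))
```

A single changed group parameter (4 of 5, exactly 80%) still meets the rule, whereas a changed Screen Resolution fails it even when every group parameter matches.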