Users Always Getting Prompted for 2 Factor with Device Fingerprinting

Affected SecureAuth IdP Versions: All

Description: 
Users who have valid fingerprints consistently get prompted for 2 factor.

Cause:

Device fingerprinting settings are not set properly.

Resolution: 

1. Go to the SecureAuth Admin Panel.

2. Go to the Workflow tab.

3. Scroll down to the bottom to find the Browser/Mobile Device Digital Fingerprinting section.

 

 

Common Fixes:

1. Host Address/IP is set too high. Drop from the default of 15% to 5% or 2.5%.

- This is the most common issue. With the default of 15%, an IP change will always drop the score below the default Authentication Threshold (95%) and prompt for the 2nd factor.

2. Increase the User Agent weight from 15% to 20%.

3. Increase the weights of language, flash font, and time zone. These values don't usually change, so they are good weights to increase.

-Language = 5% -> 7.5%

-Flash Font = 15% -> 17.5%

-Time Zone = 0% -> 2.5% or 5%


4. Enable Cookies.

5. Change Authentication Threshold (95%) and Update Threshold (85%) default values. I usually recommend 90% as a good balance.

If you lower these settings, you are lowering your security as it will be more lenient for the 2nd factor bypass. Make sure you find the right balance between security and convenience!

 

The following table shows the effect of each element on the score. Note that if your authentication threshold is too high, some of these changes will cause 2 factor to trigger every time. This is especially true for Host Address/IP, which tends to be over 10% of the weight.

 

| Element | Example Change | Default score | Effect on score |
|---|---|---|---|
| User-Agent: The user agent string (identification) of the user agent | New agent | 15 | The score will be prorated: OS name match: 30% (otherwise 0 overall); OS version match: 10%; Browser name match: 30% (otherwise 0 overall); Browser version match: 20%; Other values match: 10% |
| Accept: The Content-Types that are acceptable for the response | One content type added | 3 | The score will be prorated. For example, if adding one more on top of 3 existing ones, it will be 3 / 4 = 0.75, so the final score will be 3 * 0.75 = 2.25 |
| Accept CharSet: The character sets that are acceptable | One charset added | 2 | The score will be prorated. For example, if adding one more on top of 3 existing ones, it will be 3 / 4 = 0.75, so the final score will be 3 * 0.75 = 2.25 |
| Accept Encoding: The list of acceptable encodings | One encoding added | 5 | The score will be prorated. For example, if adding one more on top of 3 existing ones, it will be 3 / 4 = 0.75, so the final score will be 3 * 0.75 = 2.25 |
| Accept Language: The list of acceptable human languages for response | One language added | 5 | The score will be prorated. For example, if adding one more on top of 3 existing ones, it will be 3 / 4 = 0.75, so the final score will be 3 * 0.75 = 2.25 |
| Weight for plugin list: The list of plugins on the user's browser | One plugin added | 20 | The score will be prorated. For example, if adding one more on top of 3 existing ones, it will be 3 / 4 = 0.75, so the final score will be 3 * 0.75 = 2.25 |
| Weight for flash font: The fonts inside of a flash application | Add one more font | 15 | The score will be prorated. For example, if adding one more on top of 3 existing ones, it will be 3 / 4 = 0.75, so the final score will be 3 * 0.75 = 2.25 |
| Hostaddress/IP: The Host address or IP address | | 15 | Note: "Exact match". It can be set to require an exact match or not. If require exact match is set and the IP is different, IdP will still prompt for 2FA even if all other components are the same |
| Timezone: The time zone of the user's browser | Change zone | 0 | |
| Screen Resolution: The screen resolution of the device / browser | | 5 | Exact match: 5 if match, 0 if does not match |
| HTML5 localstorage: The HTML5 local storage | Supports Lstorage | 5 | Exact match: 5 if match, 0 if does not match |
| HTML5 sessionstorage: The HTML5 session storage | Supports Sstorage | 5 | Exact match: 5 if match, 0 if does not match |
| IE userdata support: The Internet Explorer (IE) user data support | Supports userdata | 2.5 | Exact match: 2.5 if match, 0 if does not match |
| Cookie enabled/disabled: Based on the user's settings, whether cookies are enabled or disabled | Cookies enabled | 2.5 | Exact match: 2.5 if match, 0 if does not match |
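
To see how a weight change moves a returning device above or below the Authentication Threshold, the following added example models the table in Python. It is not SecureAuth IdP code: the function and key names are hypothetical, the score is assumed to be a plain sum of weight times match fraction, and a prompt is assumed whenever the score falls below the threshold.

```python
# Added illustration: a simplified model of the scoring table on this page,
# not SecureAuth IdP's own code. Weights are percentages that sum to 100.
DEFAULT = {
    "user_agent": 15, "accept": 3, "accept_charset": 2, "accept_encoding": 5,
    "accept_language": 5, "plugins": 20, "flash_font": 15, "host_ip": 15,
    "timezone": 0, "screen_resolution": 5, "local_storage": 5,
    "session_storage": 5, "ie_userdata": 2.5, "cookies": 2.5,
}
# Weights after the "Common Fixes" (host/IP 2.5, user agent 20, language 7.5,
# flash font 17.5, time zone 2.5); these also sum to 100.
TUNED = {**DEFAULT, "host_ip": 2.5, "user_agent": 20, "accept_language": 7.5,
         "flash_font": 17.5, "timezone": 2.5}

def prorate_list(stored, current):
    """Match fraction for list elements: 3 stored items plus 1 new one -> 3/4.
    Assumption: shared items / all items seen (the page shows only that case)."""
    stored, current = set(stored), set(current)
    union = stored | current
    return len(stored & current) / len(union) if union else 1.0

def user_agent_fraction(os_name, os_ver, browser, browser_ver, other):
    """Each argument is True when that part still matches the stored value."""
    if not (os_name and browser):          # "otherwise 0 overall"
        return 0.0
    return (30 + 30 + 10 * os_ver + 20 * browser_ver + 10 * other) / 100

def score(weights, fractions):
    """Sum of weight * match fraction; unlisted elements count as a full match."""
    return sum(w * fractions.get(name, 1.0) for name, w in weights.items())

def prompts_2fa(weights, fractions, auth_threshold=95):
    """Assumption: the 2nd factor is requested when the score is below the threshold."""
    return score(weights, fractions) < auth_threshold

if __name__ == "__main__":
    # Constructed scenarios: a known device returning with changed attributes.
    new_ip = {"host_ip": 0.0}
    new_ip_and_plugin = {"host_ip": 0.0,
                         "plugins": prorate_list("abc", "abcd")}
    for label, weights in (("default", DEFAULT), ("tuned", TUNED)):
        for name, change in (("new IP", new_ip),
                             ("new IP + plugin", new_ip_and_plugin)):
            for threshold in (95, 90):
                print(label, name, threshold, score(weights, change),
                      "prompt" if prompts_2fa(weights, change, threshold) else "pass")
```

With the tuned weights, a new IP combined with one added plugin still prompts at 95 but passes at 90, which is the leniency the warning about lowering thresholds refers to.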
