Affected SecureAuth IdP Versions: 9.0.2 and below
Description:
Users who have valid fingerprints consistently get prompted for 2 factor.
IdP versions 9.1 and above have a dramatically improved device recognition logic that more accurately detects browser fingerprints. You can always submit a ticket to support to get the upgrade process started.
Cause:
Device fingerprinting settings are not set properly.
Resolution:
1. Go to the SecureAuth Admin Panel.
2. Go to the Workflow tab.
3. Scroll down to the bottom to find the Browser/Mobile Device Digital Fingerprinting section.
Common Fixes:
1. Host Address/IP weight is set too high. Drop it from the default of 15% to 5% or 2.5%.
   - This is the most common issue. At the default 15%, a changed IP address alone caps the score at 85%, which is always below the default Authentication Threshold (95%), so the 2nd factor is prompted every time.
2. Increase the User Agent weight from 15% to 20%.
3. Increase the weight of language, flash font, and time zone. These rarely change, so they are good weights to increase.
   - Language: 5% -> 7.5%
   - Flash Font: 15% -> 17.5%
   - Time Zone: 0% -> 2.5% or 5%
4. Enable Cookies.
5. Change the Authentication Threshold (95%) and Update Threshold (85%) default values. I usually recommend 90% as a good balance.
If you lower these settings, you are lowering your security, since the 2nd factor will be bypassed more leniently. Make sure you find the right balance between security and convenience!
The following table shows the effect of each element on the score. Note that if your authentication threshold is too high, some of these changes will cause 2 factor to trigger every time. This is especially true of Host Address/IP, which tends to carry over 10% of the weight.
| Element | Example Change | Default score | Effect on score |
|---|---|---|---|
| User-Agent: the user agent string (identification) of the browser | New agent | 15 | Pro-rated by sub-weight: OS name match 30% (otherwise 0 overall); OS version match 10%; browser name match 30% (otherwise 0 overall); browser version match 20%; other values match 10% |
| Accept: the Content-Types that are acceptable for the response | One content type added | 3 | Pro-rated. For example, adding one more on top of 3 existing ones gives 3 / 4 = 0.75, so the final score is 3 * 0.75 = 2.25 |
| Accept CharSet: the character sets that are acceptable | One charset added | 2 | Pro-rated in the same way (3 of 4 items matching gives 0.75 of the weight) |
| Accept Encoding: the list of acceptable encodings | One encoding added | 5 | Pro-rated in the same way (3 of 4 items matching gives 0.75 of the weight) |
| Accept Language: the list of acceptable human languages for the response | One language added | 5 | Pro-rated in the same way (3 of 4 items matching gives 0.75 of the weight) |
| Weight for plugin list: the list of plugins in the user's browser | One plugin added | 20 | Pro-rated in the same way (3 of 4 items matching gives 0.75 of the weight) |
| Weight for flash font: the fonts inside a flash application | Add one more font | 15 | Pro-rated in the same way (3 of 4 items matching gives 0.75 of the weight) |
| Hostaddress/IP: the host address or IP address | | 15 | Note: "Exact match". Can be set to require an exact match or not. If exact match is required and the IP differs, IdP prompts for 2FA even when every other component matches |
| Timezone: the time zone of the user's browser / Screen Resolution: the screen resolution of the device or browser | Change zone | 0 | Exact match: 5 if match, 0 if no match |
| HTML5 localstorage: HTML5 local storage | Supports Lstorage | 5 | Exact match: 5 if match, 0 if no match |
| HTML5 sessionstorage: HTML5 session storage | Supports Sstorage | 5 | Exact match: 5 if match, 0 if no match |
| IE userdata support: Internet Explorer (IE) user data support | Supports userdata | 2.5 | Exact match: 2.5 if match, 0 if no match |
| Cookie enabled/disabled: whether cookies are enabled or disabled in the user's settings | Cookies enabled | 2.5 | Exact match: 2.5 if match, 0 if no match |
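To make the arithmetic behind the Common Fixes and the table concrete, here is an added Python model of the scoring rules; it is an illustration written for this article, not SecureAuth code. It assumes that the score is normalised to the configured total weight, that pro-rated list components use a shared-items / all-items ratio (which reproduces the table's 3 of 4 = 0.75 example), and a Screen Resolution weight of 5, since the table merges that row with Timezone. The sample fingerprints, weight names, the `require_exact_ip` flag and all function names are this example's own.

```python
"""Model of SecureAuth IdP 9.0.x device-fingerprint scoring.

Added illustration, not SecureAuth code. It models the rules from the KB
table (exact-match components, pro-rated list components, the User-Agent
sub-weights) so that the effect of the "Common Fixes" can be computed.
Everything marked ASSUMED is this example's own choice, not documented.
"""

# Default weights (percent) from the table. screen_resolution = 5 is ASSUMED:
# the table merges the Timezone and Screen Resolution rows.
DEFAULT_WEIGHTS = {
    "user_agent": 15, "accept": 3, "accept_charset": 2, "accept_encoding": 5,
    "accept_language": 5, "plugins": 20, "flash_fonts": 15, "host_ip": 15,
    "timezone": 0, "screen_resolution": 5, "local_storage": 5,
    "session_storage": 5, "ie_userdata": 2.5, "cookies": 2.5,
}

# The article's "Common Fixes" 1-3 applied to the defaults.
TUNED_WEIGHTS = dict(DEFAULT_WEIGHTS, host_ip=5, user_agent=20,
                     accept_language=7.5, flash_fonts=17.5, timezone=2.5)

# Components the table scores pro-rata rather than exact-match.
LIST_COMPONENTS = {"accept", "accept_charset", "accept_encoding",
                   "accept_language", "plugins", "flash_fonts"}

# User-Agent sub-weights, in percent of the component weight (from the table).
UA_SUBWEIGHTS = {"os": 30, "os_version": 10, "browser": 30,
                 "browser_version": 20, "other": 10}


def prorated_score(weight, stored, observed):
    """Score a list component. ASSUMED formula: shared items / all items seen,
    which reproduces the table's example (3 of 4 -> 0.75 * weight)."""
    stored, observed = set(stored), set(observed)
    union = stored | observed
    if not union:
        return float(weight)
    return weight * len(stored & observed) / len(union)


def user_agent_score(weight, stored, observed):
    """Score the User-Agent by sub-weight. A mismatched OS name or browser
    name scores 0 overall, exactly as the table states."""
    if stored["os"] != observed["os"] or stored["browser"] != observed["browser"]:
        return 0.0
    points = sum(pts for field, pts in UA_SUBWEIGHTS.items()
                 if stored[field] == observed[field])
    return weight * points / 100


def fingerprint_score(weights, stored, observed):
    """Return the match score as a percentage of the configured total weight.
    ASSUMED: the score is normalised, so weights need not sum to exactly 100."""
    awarded = 0.0
    for name, weight in weights.items():
        if name == "user_agent":
            awarded += user_agent_score(weight, stored[name], observed[name])
        elif name in LIST_COMPONENTS:
            awarded += prorated_score(weight, stored[name], observed[name])
        else:  # exact-match components: full weight or nothing
            awarded += weight if stored[name] == observed[name] else 0.0
    return 100.0 * awarded / sum(weights.values())


def second_factor_required(weights, stored, observed, auth_threshold,
                           require_exact_ip=False):
    """True when the IdP would prompt for a 2nd factor. require_exact_ip models
    the Host Address/IP 'Exact match' option: an IP change always prompts."""
    if require_exact_ip and stored["host_ip"] != observed["host_ip"]:
        return True
    return fingerprint_score(weights, stored, observed) < auth_threshold


# Constructed sample fingerprints: same device, only the IP has changed.
UA = {"os": "Windows", "os_version": "10", "browser": "Chrome",
      "browser_version": "55", "other": "x64"}
STORED = {
    "user_agent": UA,
    "accept": ["text/html", "application/xhtml+xml", "*/*"],
    "accept_charset": ["utf-8", "iso-8859-1"],
    "accept_encoding": ["gzip", "deflate", "br"],
    "accept_language": ["en-US", "en"],
    "plugins": ["pdf-viewer", "flash", "java"],
    "flash_fonts": ["Arial", "Verdana", "Tahoma"],
    "host_ip": "203.0.113.10",           # constructed (documentation range)
    "timezone": "UTC-05:00", "screen_resolution": "1920x1080",
    "local_storage": True, "session_storage": True,
    "ie_userdata": False, "cookies": True,
}
OBSERVED = dict(STORED, host_ip="203.0.113.42")


if __name__ == "__main__":
    for label, weights, threshold in [("defaults", DEFAULT_WEIGHTS, 95),
                                      ("defaults, threshold 90", DEFAULT_WEIGHTS, 90),
                                      ("tuned, threshold 90", TUNED_WEIGHTS, 90)]:
        score = fingerprint_score(weights, STORED, OBSERVED)
        prompt = second_factor_required(weights, STORED, OBSERVED, threshold)
        print(f"{label:24s} score={score:6.2f}%  2nd factor={'yes' if prompt else 'no'}")
```

Running it shows the point of fix 1: with the defaults an IP change scores 85%, and lowering the Authentication Threshold to 90% alone (fix 5) still prompts; only after the IP weight is reduced (fix 1) does the same device clear the threshold. The `require_exact_ip` path is the stricter option from the Hostaddress/IP row, where no amount of re-weighting lets a changed IP through.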