Users Always Getting Prompted for 2 Factor with Device Fingerprinting

    Applies to:
  • Legacy SecureAuth IdP
    Deployment model:
  • On Premises
    Affected SecureAuth IdP versions:
  • 9.0.2 and below

    Description:
    Users whose stored device fingerprints are valid are still prompted for the 2nd factor on every login instead of being recognized.

    IdP versions 9.1 and above have substantially improved device recognition logic that detects browser fingerprints more accurately. If you are on 9.0.2 or below, you can submit a ticket to Support to start the upgrade process; the settings below address the legacy scoring in the meantime.

    Cause:

    The Browser/Mobile Device Digital Fingerprinting weights and thresholds are not set properly, so a routine change (most often a new IP address) drops the match score below the Authentication Threshold.

    Resolution: 

    1. Go to the SecureAuth Admin Panel.

    2. Go to the Workflow tab.

    3. Scroll down to the bottom to find the Browser/Mobile Device Digital Fingerprinting section.

    Common Fixes:

    1. The Host Address/IP weight is set too high. Drop it from the default of 15% to 5% or 2.5%.

    -This is the most common issue. The default weights add up to 100, so a user coming from a new IP address with an otherwise identical browser scores 85, which is below the default Authentication Threshold (95%) and prompts for the 2nd factor every time the address changes.

    2. Increase the User Agent weight from 15% to 20%.

    3. Increase the weights of Language, Flash Font and Time Zone. These values rarely change on a given device, so they are safe weights to increase.

    -Language = 5% -> 7.5%

    -Flash Font = 15% -> 17.5%

    -Time Zone = 0% -> 2.5% or 5%

    With Host Address/IP at 2.5% and Time Zone at 2.5%, fixes 1 to 3 together move 12.5 points off the IP address onto components that rarely change and keep the total weight at 100%.

    4. Make sure cookies are enabled in users' browsers. Whether cookies are enabled is itself a scored component (2.5% by default).

    5. Adjust the Authentication Threshold (default 95%) and the Update Threshold (default 85%); an Authentication Threshold of 90% is usually a good balance.

    If you lower these settings, you are lowering your security: the device check becomes more lenient about skipping the 2nd factor, so a device that only partially resembles the user's registered one may be accepted without it. Make sure you find the right balance between security and convenience!

     

    The following table shows how a change to each element affects the score. If your Authentication Threshold is too high relative to the weights, a single change to some of these elements is enough to trigger the 2nd factor every time. This is especially true of Host Address/IP, which tends to carry more than 10% of the weight and changes whenever the user moves networks.

     

    User-Agent: the user agent string (identification) of the browser
      Example change: new agent
      Default weight: 15
      Effect on score: pro-rated across the parsed sub-fields. OS name match: 30% (if the OS name differs, the whole component scores 0). OS version match: 10%. Browser name match: 30% (if the browser name differs, the whole component scores 0). Browser version match: 20%. Other values match: 10%.

    Accept: the Content-Types that are acceptable for the response
      Example change: one content type added
      Default weight: 3
      Effect on score: pro-rated by the share of values that still match. Adding one value on top of 3 existing ones gives 3 / 4 = 0.75, so the component scores 3 * 0.75 = 2.25.

    Accept-Charset: the character sets that are acceptable
      Example change: one charset added
      Default weight: 2
      Effect on score: pro-rated in the same way. With one value added to 3 existing ones, 2 * 0.75 = 1.5.

    Accept-Encoding: the list of acceptable encodings
      Example change: one encoding added
      Default weight: 5
      Effect on score: pro-rated. With one value added to 3 existing ones, 5 * 0.75 = 3.75.

    Accept-Language: the list of acceptable human languages for the response
      Example change: one language added
      Default weight: 5
      Effect on score: pro-rated. With one value added to 3 existing ones, 5 * 0.75 = 3.75.

    Plugin list: the list of plugins in the user's browser
      Example change: one plugin added
      Default weight: 20
      Effect on score: pro-rated. With one plugin added to 3 existing ones, 20 * 0.75 = 15, a loss of 5 points.

    Flash fonts: the fonts visible inside a Flash application
      Example change: one more font
      Default weight: 15
      Effect on score: pro-rated. With one font added to 3 existing ones, 15 * 0.75 = 11.25, a loss of 3.75 points.

    Host Address/IP: the host address or IP address
      Default weight: 15
      Effect on score: a changed address loses this component's weight, which at the default 15 is by itself enough to fall below a 95% Authentication Threshold. The component also has an "Exact match" option: if "require exact match" is set and the IP differs, the IdP prompts for 2FA even when every other component matches.

    Timezone: the time zone of the user's browser
      Example change: change zone
      Default weight: 0
      Effect on score: exact match: the full weight if it matches, 0 if it does not. At the default weight of 0 it contributes nothing until you raise it.

    Screen resolution: the screen resolution of the device / browser
      Default weight: 5
      Effect on score: exact match: 5 if match, 0 if it does not match.

    HTML5 localStorage: HTML5 local storage support
      Example change: supports localStorage
      Default weight: 5
      Effect on score: exact match: 5 if match, 0 if it does not match.

    HTML5 sessionStorage: HTML5 session storage support
      Example change: supports sessionStorage
      Default weight: 5
      Effect on score: exact match: 5 if match, 0 if it does not match.

    IE userData support: Internet Explorer (IE) userData support
      Example change: supports userData
      Default weight: 2.5
      Effect on score: exact match: 2.5 if match, 0 if it does not match.

    Cookies enabled/disabled: whether cookies are enabled or disabled in the user's browser settings
      Example change: cookies enabled
      Default weight: 2.5
      Effect on score: exact match: 2.5 if match, 0 if it does not match.
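    To see how the weights and thresholds interact before changing them in the Admin Panel, here is an added worked model of the scoring described in the Common Fixes and in the table above. It is example code written for this article, not SecureAuth's implementation: the default weights, the User-Agent sub-field shares and the 3 / 4 proration figure come from the page, while the sample fingerprints, the common-over-union rule used to pro-rate list changes other than the 3-to-4 case, the "score below threshold prompts" comparison, and the treatment of "require exact match" as a hard gate on the IP are assumptions.

```python
"""Worked model of the legacy SecureAuth IdP fingerprint score.

Added example for this article, not SecureAuth code. Weights, User-Agent
shares and the 3/4 proration figure come from the table; the sample
fingerprints, the common/union proration rule, the strict "< threshold"
comparison and the hard "require exact match" IP gate are assumptions.
"""

# Default weights from the table; they add up to 100.
DEFAULT_WEIGHTS = {
    "user_agent": 15.0, "accept": 3.0, "accept_charset": 2.0,
    "accept_encoding": 5.0, "accept_language": 5.0, "plugins": 20.0,
    "flash_fonts": 15.0, "host_ip": 15.0, "timezone": 0.0,
    "screen_resolution": 5.0, "local_storage": 5.0, "session_storage": 5.0,
    "ie_userdata": 2.5, "cookies": 2.5,
}
# Common fixes 1-3 applied together; the total stays at 100.
TUNED_WEIGHTS = dict(DEFAULT_WEIGHTS, host_ip=2.5, user_agent=20.0,
                     accept_language=7.5, flash_fonts=17.5, timezone=2.5)
# Components scored by how many list entries still match.
LIST_FIELDS = {"accept", "accept_charset", "accept_encoding",
               "accept_language", "plugins", "flash_fonts"}
# User-Agent sub-fields and their share of the component, in percent.
UA_SHARES = {"os_name": 30, "os_version": 10, "browser_name": 30,
             "browser_version": 20, "other": 10}

# Constructed sample of a stored (registered) fingerprint.
STORED = {
    "user_agent": {"os_name": "Windows", "os_version": "10",
                   "browser_name": "Chrome", "browser_version": "58",
                   "other": "WOW64"},
    "accept": ["text/html", "application/xhtml+xml", "image/webp"],
    "accept_charset": ["utf-8", "iso-8859-1"],
    "accept_encoding": ["gzip", "deflate", "br"],
    "accept_language": ["en-US", "en"],
    "plugins": ["Chrome PDF Viewer", "Widevine CDM", "Native Client"],
    "flash_fonts": ["Arial", "Calibri", "Tahoma"],
    "host_ip": "203.0.113.10", "timezone": "UTC-05:00",
    "screen_resolution": "1920x1080", "local_storage": True,
    "session_storage": True, "ie_userdata": False, "cookies": True,
}


def user_agent_fraction(stored, current):
    """Pro-rate the User-Agent component. A different OS name or browser
    name zeroes the whole component; otherwise matching sub-fields add up."""
    if (stored["os_name"] != current["os_name"]
            or stored["browser_name"] != current["browser_name"]):
        return 0.0
    matched = sum(share for key, share in UA_SHARES.items()
                  if stored[key] == current[key])
    return matched / 100


def list_fraction(stored, current):
    """Assumption: matching entries over the union of both lists. One entry
    added to three existing ones gives 3 / 4 = 0.75, as in the table."""
    stored, current = set(stored), set(current)
    if not stored | current:
        return 1.0
    return len(stored & current) / len(stored | current)


def score(stored, current, weights):
    """Weighted match score (0-100) of a current fingerprint vs. the stored one."""
    total = 0.0
    for field, weight in weights.items():
        if field == "user_agent":
            fraction = user_agent_fraction(stored[field], current[field])
        elif field in LIST_FIELDS:
            fraction = list_fraction(stored[field], current[field])
        else:  # exact-match components
            fraction = 1.0 if stored[field] == current[field] else 0.0
        total += weight * fraction
    return round(total, 4)


def needs_second_factor(stored, current, weights, auth_threshold=95.0,
                        require_ip_exact=False):
    """True when the IdP would prompt: the IP exact-match gate fires, or the
    score falls below the Authentication Threshold (assumed strict '<')."""
    if require_ip_exact and stored["host_ip"] != current["host_ip"]:
        return True
    return score(stored, current, weights) < auth_threshold


def compare_scenarios():
    """Score three everyday changes under the default and the tuned weights."""
    cases = {
        "new_ip": dict(STORED, host_ip="198.51.100.7"),
        "browser_update": dict(STORED, user_agent=dict(
            STORED["user_agent"], browser_version="59")),
        "new_plugin": dict(STORED, plugins=STORED["plugins"] + ["Java"]),
    }
    return {name: {"default": score(STORED, fp, DEFAULT_WEIGHTS),
                   "tuned": score(STORED, fp, TUNED_WEIGHTS)}
            for name, fp in cases.items()}


if __name__ == "__main__":
    for name, result in compare_scenarios().items():
        print(f"{name:15} default={result['default']:6.2f} "
              f"tuned={result['tuned']:6.2f}")
```

    Under the default weights a new IP address alone scores 85, so the 95% threshold prompts every time, and lowering the threshold to 90% still does not help that user; the tuned weights score the same change at 97.5. A browser version bump costs 3 points at the default User-Agent weight and 4 at the tuned one, and one added plugin costs 5 points either way, which is why a 95% threshold leaves almost no room for ordinary drift. Setting "require exact match" on the IP forces the prompt regardless of how the weights are tuned.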
