Secure Access Control and a Good User Experience? Inconceivable!

Tim Arvanites
August 29, 2016

Achieve Low-Friction BYOD Authentication with Device Fingerprinting

The explosion of devices — laptops, desktops and now the plethora of mobile devices — has left enterprises scrambling to control access to their resources. They know that simple username and password combinations are too easily compromised to sufficiently protect enterprise information, but they are concerned about the inconvenience that additional factors of authentication can introduce.

Device fingerprinting delivers the flexibility, security, and convenience you need, enabling you to increase layers of authentication without creating high friction for users. In fact, in many instances, device fingerprinting actually improves the user experience.

Device fingerprinting enables secure and convenient access to all resources, from any device, mobile or desktop, using heuristics. To accomplish this, it registers the unique characteristics of a user’s mobile device (variations of HTTP headers, IP addresses, browser fonts, browser plug-ins, user data storage, and time zone), and uses that fingerprint to streamline subsequent authentication requests.

Enabling Access

Typically, device fingerprinting conducts a one-time registration process for each user/device combination, pulling the unique characteristics from the device and storing them in the enterprise directory. That data is then used to streamline subsequent access requests, offering an ongoing additional factor of authentication that is essentially transparent to the user. The result is stronger access control without the hit to productivity and user experience.

With device fingerprinting, users can work on multiple devices and multiple users can work on a single device — all without high-impact authentication processes:

  • One user, multiple devices — You can configure your profiles to allow users to register multiple devices, ensuring they enjoy a dramatically simplified login and access process no matter which registered device they use.
  • One device, multiple users — Device fingerprinting can typically also handle shared machines. When the device authentication is registered with the enterprise, it is linked to one specific user’s profile, and that user is able to work on the device without re-authenticating. When a new user attempts access from the same device, the solution recognizes that the device has not been registered to this new user and will require authentication before granting access. Then it will store the device under the new user’s profile, without eliminating or altering the previous user’s registration.

You can also issue users a time-limited registration, forcing them to re-register after a pre-defined time period that aligns to your security posture.

Revoking Access

Device fingerprinting also enables easy, granular revocation of access. You can revoke a specific device for a specific user simply by searching the directory for the device and removing it from the list. This quick and easy revocation makes it simple to maintain security if a device is compromised or a user leaves the company.

Device fingerprinting solutions can also enable user self-management, including password reset and profile registration and modification. Users can revoke their access on their own devices at any time, without IT assistance and without requiring any thick clients on the device.

Updating the Device Fingerprint

Of course, devices change over time — operating systems are upgraded, new browser plug-ins are added, users change to a different screen resolution. If your solution leverages a heuristic-based approach for identifying devices, it can ensure that a device’s fingerprint can be updated without requiring the user to re-authenticate.

You choose how closely a device must match its registered fingerprint:

  • If the device looks mostly similar to the stored fingerprint, accept the device fingerprint as is.
  • If the device has undergone some minor updates or upgrades, rather than considering it to be a new device, challenge the user with a second authentication factor and then update the device fingerprint.
  • If the device is sufficiently different from any device registered to the user, require a new registration.

And your solution should be flexible enough to enable you to make adjustments per authentication workflow realm to establish distinct heuristic requirements for individual applications.
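
The three-way decision and per-realm tuning described above can be sketched as a weighted similarity score compared against two thresholds. This is an added example, not SecureAuth's code: the attribute weights, the realm names and thresholds, the function names and the sample fingerprints are all assumptions made for illustration.

```python
# Assumed weights per attribute (sum to 100); the article names the attributes, not their weights.
WEIGHTS = {"user_agent": 20, "accept_headers": 10, "ip_network": 10,
           "fonts": 25, "plugins": 20, "storage": 5, "timezone": 10}

# Assumed per-realm thresholds: (accept as is, step up then update), scores out of 100.
REALM_THRESHOLDS = {"intranet": (90, 70), "vpn": (95, 80)}

def jaccard(a, b):
    """Overlap of two collections, so one added plug-in or font only lowers the score slightly."""
    a, b = set(a), set(b)
    return 1.0 if not a and not b else len(a & b) / len(a | b)

def similarity(stored, presented):
    """Weighted similarity (0-100) between a registered and a presented fingerprint."""
    score = 0.0
    for attr, weight in WEIGHTS.items():
        s, p = stored.get(attr), presented.get(attr)
        if isinstance(s, (list, set, tuple)) and isinstance(p, (list, set, tuple)):
            score += weight * jaccard(s, p)
        elif s is not None and s == p:
            score += weight
    return score

def decide(registered, presented, realm):
    """Compare against every device registered to this user and apply the realm's thresholds."""
    accept_at, update_at = REALM_THRESHOLDS[realm]
    best_id, best = None, -1.0
    for device_id, stored in registered.items():
        current = similarity(stored, presented)
        if current > best:
            best_id, best = device_id, current
    if best >= accept_at:
        return ("accept", best_id)
    if best >= update_at:
        return ("step_up_then_update", best_id)  # challenge with a second factor, then re-store
    return ("register_new", None)                # also the result when nothing is registered

# Constructed sample data: one registered laptop, then the same laptop after a
# browser upgrade and one newly installed plug-in.
STORED = {"user_agent": "ExampleBrowser/50.0", "accept_headers": "en-US,en;q=0.8",
          "ip_network": "198.51.100.0/24", "fonts": ["Arial", "Courier", "Times", "Verdana"],
          "plugins": ["pdf", "flash"], "storage": True, "timezone": "-300"}
UPGRADED = dict(STORED, user_agent="ExampleBrowser/51.0", plugins=["pdf", "flash", "video"])
REGISTERED = {"laptop-1": STORED}

if __name__ == "__main__":
    for realm in REALM_THRESHOLDS:
        print(realm, round(similarity(STORED, UPGRADED), 1), decide(REGISTERED, UPGRADED, realm))
```

With these assumed numbers the upgraded laptop scores about 73: the `intranet` realm challenges with a second factor and updates the stored fingerprint, while the stricter `vpn` realm requires a new registration.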

Protection for All Enterprise Resources

Device fingerprinting can be used for all enterprise resources, including:

•   Enterprise web applications (SharePoint, .NET, J2EE, WebLogic)
•   Network resources including VPNs (Juniper, F5, Citrix)
•   Cloud resources (Google, Microsoft, Salesforce, Taleo)
•   Mobile applications (Android, iOS, Windows)

Try Device Fingerprinting Today 

Want to see it in action?  SecureAuth IdP offers device fingerprinting that enables your organization to adopt the BYOD policies your business requires without sacrificing security or complicating the authentication process.  Request a demo to find out more.
