2.2.7. Hints For the Device Print Authentication Module

The Device Print module is a device fingerprinter. It collects information about client device locations, fonts, plugins, and more through their browsers. This module does not stand on its own, as it uses authentication information from a service to validate a username. The Device Print module then validates other characteristics of the user's system.

If no device print profile is stored for a user, then the user is prompted to fill in an HMAC One-Time Password (HOTP), sent by email or text. The user can then save that device print profile. On subsequent requests the user's device profile is recalled. Each device print attribute from the client is compared against the corresponding stored attribute. If the differences exceed a configured number of penalty points, the user is asked for another HOTP.

If you know the HOTP module, some of the attributes in this section may seem familiar. That is intentional, as the Device Print module includes all HOTP attributes, though not in the same order.

Note

The following example assumes that the Device Print module comes after LDAP authentication. Alternatively, you could set it up after another directory service module such as Active Directory, Data Store, RADIUS, or Windows NT.

Including the Device Print module in an authentication chain

A device fingerprint is based on the unique characteristics of a user and of the device the user connects from. You can configure which characteristics are part of the fingerprint. These characteristics can include:

  • User agents, associated with the configuration of a web browser.

  • Installed fonts.

  • The plugins installed for the web browser.

  • The resolution and color depth associated with a display.

  • The timezone or even the geolocation of a device.

You can specify penalty points to add when characteristics of the fingerprint have changed. If the total penalty points exceed the configured maximum, the user may be asked to verify their identity using HOTP.

The default value for each *-penalty-points attribute is 35, with a *-max-tolerated-penalty-points of 50. In other words, if more than one characteristic of the device fingerprint has changed, the module assumes that the user is trying to connect from a different system.

ssoadm service name: iPlanetAMAuthDevicePrintModuleService

Authentication Level

Sets the authentication level used to indicate the level of security associated with the module. The value can range from 0 to any positive integer.

ssoadm attribute: openam-auth-adaptive-auth-level

Profile expiration days

The list of device attributes is collected in a profile, which automatically expires in a given number of days. Default: 30.

ssoadm attribute: iplanet-am-auth-adaptive-device-print-profile-expiration-days

Maximum stored profile quantity

The number of device profiles stored per user can be limited. Default: 5.

ssoadm attribute: iplanet-am-auth-adaptive-device-print-maximum-profiles-stored-quantity

Automatically store new profiles

When enabled, new device profiles are automatically stored, once the HOTP is verified. Otherwise, the user is prompted for confirmation.

ssoadm attribute: iplanet-am-auth-adaptive-device-print-store-profiles-without-confirmation

Default user profile name

Every device requires a default profile name that represents the user.

ssoadm attribute: iplanet-am-auth-adaptive-device-print-default-profile-name

User agent penalty points

Specifies the number of penalty points added when there is a difference between the current and stored user agent. The module adds a fixed number of points if the web browser or related fields are changed. Version differences are ignored if the User-Agent version ignore attribute is active. Default: 35.

ssoadm attribute: iplanet-am-auth-adaptive-device-print-user-agent-penalty-points

Installed fonts penalty points

Frequently, when a user installs a new software component, additional fonts are installed. The Device Print module adds a fixed number of penalty points if there is a change in the installed fonts since the last login beyond some maximum tolerated level, and the Installed fonts required attribute is enabled. Default: 35.

ssoadm attribute: iplanet-am-auth-adaptive-device-print-installed-fonts-penalty-points

Installed plugins penalty points

Most devices have a number of plugins installed on their browsers, such as Java, Flash, and document readers. If the plugins feature is enabled, and there is a change beyond a maximum tolerated level, a fixed number of penalty points is added. Default: 35.

ssoadm attribute: iplanet-am-auth-adaptive-device-print-installed-plugins-penalty-points

Screen color depth penalty points

Most client devices are connected to a color monitor, or at least have settings related to such a device. If the Screen parameters feature is enabled, and a change in color depth is detected, a fixed number of penalty points is added. Default: 35.

ssoadm attribute: iplanet-am-auth-adaptive-device-print-screen-color-depth-penalty-points

Screen resolution penalty points

Differences in screen resolution sometimes indicate that the user has changed monitors, or perhaps is adjusting to changing eyesight. Whenever a different screen resolution is detected, a fixed number of penalty points is added. Default: 35.

ssoadm attribute: iplanet-am-auth-adaptive-device-print-screen-resolution-penalty-points

Timezone penalty points

Whenever a connection is made from a different timezone, the Device Print module normally adds a fixed number of penalty points. Organizations where most users travel may want to set this attribute to a lower value. Default: 35.

ssoadm attribute: iplanet-am-auth-adaptive-device-print-timezone-penalty-points

Allowed location range

If geolocation is enabled, each profile should include a geographic location. The allowed location range specifies a maximum distance, in miles. If a user has travelled beyond that distance, the Location penalty points are added to the total. Default: 100.

ssoadm attribute: iplanet-am-auth-adaptive-device-print-location-allowed-range

User-Agent version ignore

Upgrades change the version associated with a user agent. Unless this option is enabled, every change in the version of a browser or related fields is detected as a difference with the stored profile.

ssoadm attribute: iplanet-am-auth-adaptive-device-print-ignore-version-in-user-agent

Max number of tolerated different installed fonts

If the Installed fonts required attribute is enabled, a comparison is made in installed fonts between the existing and stored profiles.

ssoadm attribute: iplanet-am-auth-adaptive-device-print-max-tolerated-diffs-in-installed-fonts

Max tolerated percentage difference between installed fonts

If the Installed fonts required attribute is enabled, a comparison is made in installed fonts between the existing and stored profiles. Any difference in the number of fonts is expressed as a percentage.

ssoadm attribute: iplanet-am-auth-adaptive-device-print-max-tolerated-percentage-to-mark-as-different-installed-fonts

Max number of tolerated different installed plugins

If the Installed plugins required attribute is enabled, a comparison is made between the installed plugins defined in the existing and stored profiles.

ssoadm attribute: iplanet-am-auth-adaptive-device-print-max-tolerated-diffs-in-installed-plugins

Max tolerated percentage difference between installed plugins

If the Installed plugins required attribute is enabled, a comparison is made between the installed plugins defined in the existing and stored profiles. Any difference in the number of plugins is expressed as a percentage.

ssoadm attribute: iplanet-am-auth-adaptive-device-print-max-tolerated-percentage-to-mark-as-different-plugins

User agent required

The user agent, as defined by RFC 4226 Section 14.43, provides information about the browser, and frequently about the operating system. Default: enabled.

ssoadm attribute: iplanet-am-auth-adaptive-device-print-user-agent-required

Installed plugins required

Plugins are components that add a specific feature to an existing application. In this context, examples of browser plugins are Flash, Java, and Shockwave.

ssoadm attribute: iplanet-am-auth-adaptive-device-print-plugins-required

Installed fonts required

Fonts are frequently added to an operating system when new applications are installed. If enabled, installed font information is stored as part of the profile, and checked upon reconnection for comparison.

ssoadm attribute: iplanet-am-auth-adaptive-device-print-fonts-required

Geolocation required

The geographic location of a device can be tracked, and can be used to limit access from the device to a specified range.

ssoadm attribute: iplanet-am-auth-adaptive-device-print-geolocation-required

Screen parameters required

Display parameters can be used to help differentiate a profile. If enabled, the Device Print module uses screen color depth and resolution.

ssoadm attribute: iplanet-am-auth-adaptive-device-print-screen-params-required

Time zone required

The time zone of the current and stored profiles can be collected and compared.

ssoadm attribute: iplanet-am-auth-adaptive-device-print-timezone-required

Location penalty points

If geolocation has been enabled, and the current location does not match the value stored in the profile, this many points are added as a penalty. Default: 35.

ssoadm attribute: iplanet-am-auth-adaptive-device-print-location-penalty-points

Maximum tolerated penalty points

A limit, in number of points, on the difference between the current and stored Device Print profiles. If the total is below that value, the Device Print module sees a match. Default: 50.

ssoadm attribute: iplanet-am-auth-adaptive-device-print-max-tolerated-penalty-points
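To make the penalty scoring described above concrete, the following added Python model (illustrative code, not OpenAM's implementation) combines the attributes listed in this section using their documented defaults of 35 points per attribute and 50 maximum tolerated points. The fonts/plugins tolerance values, the rule for combining the count and percentage thresholds, the version-stripping pattern, and the sample profiles are assumptions.

```python
import math, re
# Defaults from the section; the fonts/plugins tolerance values are assumed (the page gives no default).
CFG = {"user_agent_penalty_points": 35, "installed_fonts_penalty_points": 35,
       "installed_plugins_penalty_points": 35, "screen_color_depth_penalty_points": 35,
       "screen_resolution_penalty_points": 35, "timezone_penalty_points": 35,
       "location_penalty_points": 35, "location_allowed_range": 100,  # miles
       "max_tolerated_penalty_points": 50, "ignore_version_in_user_agent": True,
       "fonts_max_diffs": 5, "fonts_max_pct": 10, "plugins_max_diffs": 2, "plugins_max_pct": 10}

def strip_versions(user_agent):
    """User-Agent version ignore: 'Chrome/120.0.0.0' becomes 'Chrome/' before comparing (assumed pattern)."""
    return re.sub(r"/\d[\d.]*", "/", user_agent)

def list_differs(stored, current, max_diffs, max_pct):
    """Fonts/plugins count as changed when the differing entries exceed the tolerated
    number OR the tolerated percentage of the stored list (combination rule assumed)."""
    diffs = len(set(stored) ^ set(current))
    return diffs > max_diffs or 100.0 * diffs / max(len(stored), 1) > max_pct

def miles_between(a, b):
    """Great-circle distance in miles between (lat, lon) pairs, for Allowed location range."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 3958.8 * math.asin(math.sqrt(h))

def penalty_score(stored, current, cfg=CFG):
    """Sum the per-attribute penalty points between the stored profile and the current print."""
    norm = strip_versions if cfg["ignore_version_in_user_agent"] else (lambda ua: ua)
    pts = cfg["user_agent_penalty_points"] * (norm(stored["user_agent"]) != norm(current["user_agent"]))
    for kind in ("fonts", "plugins"):  # multi-valued attributes use the tolerance thresholds
        if list_differs(stored[kind], current[kind], cfg[kind + "_max_diffs"], cfg[kind + "_max_pct"]):
            pts += cfg["installed_%s_penalty_points" % kind]
    pts += cfg["screen_color_depth_penalty_points"] * (stored["color_depth"] != current["color_depth"])
    pts += cfg["screen_resolution_penalty_points"] * (stored["resolution"] != current["resolution"])
    pts += cfg["timezone_penalty_points"] * (stored["timezone"] != current["timezone"])
    pts += cfg["location_penalty_points"] * (
        miles_between(stored["location"], current["location"]) > cfg["location_allowed_range"])
    return pts

def needs_hotp(stored, current, cfg=CFG):
    """Exceeding Maximum tolerated penalty points means no match, so another HOTP is required."""
    return penalty_score(stored, current, cfg) > cfg["max_tolerated_penalty_points"]

# Constructed sample profiles (not real users). Timezone is the browser-style offset in minutes.
STORED = {"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0 Safari/537.36",
          "fonts": ["Arial", "Calibri", "Segoe UI", "Times New Roman"], "plugins": ["PDF Viewer"],
          "color_depth": 24, "resolution": "1920x1080", "timezone": 0, "location": (51.5074, -0.1278)}
UPGRADED = dict(STORED, user_agent=STORED["user_agent"].replace("Chrome/120.0.0.0", "Chrome/121.0.0.0"))
NEW_FONTS = dict(STORED, fonts=STORED["fonts"] + ["Cascadia Code", "Fira Code", "JetBrains Mono"])
ABROAD = dict(STORED, timezone=480, location=(34.0522, -118.2437))  # new timezone, ~5,400 miles away
```

With the defaults, a browser upgrade alone scores 0 and a batch of new fonts scores 35, so neither triggers HOTP, while a new timezone plus a location outside the allowed range scores 70 and does.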

SMS Gateway Implementation Class

Change this if you must customize the SMS gateway implementation. The default class sends an SMS or email, depending on the configuration.

ssoadm attribute: sunAMAuthHOTPSMSGatewayImplClassName

Mail Server Host Name

Host name of the mail server supporting Simple Message Transfer Protocol for electronic mail.

ssoadm attribute: sunAMAuthHOTPSMTPHostName

Mail Server Host Port

The default outgoing mail server port is 25, or 465 when connecting over SSL.

ssoadm attribute: sunAMAuthHOTPSMTPHostPort

Mail Server Authentication Username

User name for OpenAM to connect to the mail server.

ssoadm attribute: sunAMAuthHOTPSMTPUserName

Mail Server Authentication Password

Password for OpenAM to connect to the mail server.

ssoadm attribute: sunAMAuthHOTPSMTPUserPassword

Mail Server Secure Connection

If OpenAM connects to the mail server securely, OpenAM must be able to trust the server certificate.

ssoadm attribute: sunAMAuthHOTPSMTPSSLEnabled

Email From Address

The From: address when sending a one-time password by mail.

ssoadm attribute: sunAMAuthHOTPSMTPFromAddress

One Time Password Validity Length (in minutes)

One-time passwords are valid for 5 minutes after they are generated by default.

ssoadm attribute: sunAMAuthHOTPPasswordValidityDuration

One Time Password Length (in digits)

Set the length of the one-time password to 6 or 8 digits.

ssoadm attribute: sunAMAuthHOTPPasswordLength

One Time Password Delivery

Send the one-time password by SMS, by mail, or both.

ssoadm attribute: sunAMAuthHOTPasswordDelivery

Mobile Phone Number Attribute Names

Provides the attribute name used for the text message. The default value is telephoneNumber.

ssoadm attribute: openamTelephoneAttribute

Mobile Carrier Attribute Name

Provides the name of the carrier that will send the text message.

Every carrier has its own attribute name ending; for example, Verizon uses @vtext.com or vtext.com. Contact your mobile carrier to find out what their attribute name is. If you will be sending international texts, ask your carrier whether a country code is required.

ssoadm attribute: openamSMSCarrierAttribute

Email Attribute Name

Provides the attribute name used to email the OTP. The default value is mail (email).

ssoadm attribute: openamEmailAttribute

Auto Send OTP Code

Set up the HOTP module to automatically generate an email or text message when users begin the login process.

ssoadm attribute: sunAMAuthHOTPAutoClicking