A Security Handler Plug-in enhances security by consulting additional logic for trust and risk analysis.
Such additional logic may deny access based on certain risky operations. Mobile authentication invokes the Security Handler Plug-in during sensitive security operations; for example, during virtually all token acquisition operations including client application registration.
Note:
Security Plug-in usage is optional. If used, it should be applied only to mobile-related Service Domains and their authentication services and client applications.
Mobile and Social includes the following pre-configured Security Handler Plug-ins:
OAAMSecurityHandlerPlugin: Enables sophisticated device and client application registration logic as well as the advanced risk and fraud analysis logic found in OAAM.
Default: Offers very limited risk analysis logic.
The following topics include information about defining Security Handler Plug-ins:
You can create a security handler plug-in from the Mobile and Social Services configuration page.
To create:
You can edit or delete a Security Handler Plug-in.
Select the definition in the panel and click Edit or Delete on the panel's tool bar.
When a mobile application is started, Mobile Client SDK logic in the application attempts to detect a number of Device Profile attributes. A particular combination of Device Profile attribute values is treated as a device fingerprint.
Some Device Profile attributes are general attributes that cannot uniquely identify a device, such as OS Type, OS Version, language locale setting, network setting, and geographic location. Some attributes are hardware identifiers that can uniquely identify a device. An example of a hardware identifier is a MAC Address on a mobile device. The mobile OS type and version will dictate the kinds of Device Profile attributes that can be detected.
When a mobile application requests a token through the Mobile Client SDK, the SDK logic will send the Device Profile attributes as a part of an HTTP request. This set of Device Profile attributes enhances security by creating an audit trail for devices that assists device identification.
When the OAAM Security Plug-in is used, a particular combination of Device Profile attribute values is treated as a device fingerprint, known as the Digital Finger Print in the OAAM Administration Console. Each fingerprint is assigned a unique fingerprint number. Each OAAM session is associated with a fingerprint, and the fingerprint makes it possible to log (and audit) the devices that are performing authentication and token acquisition.
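The following Python example is added here and is not code from Mobile and Social or OAAM. It illustrates the idea described above: each distinct combination of Device Profile values gets a fingerprint number, and every session is logged against it. The attribute key names, the SHA-256 digest and the sequential numbering are assumptions, since the page does not state how OAAM derives a fingerprint.

```python
import hashlib
import json

# Hypothetical key names: the page names the kinds of attributes, not their keys.
GENERAL_ATTRS = ("os_type", "os_version", "locale", "network", "geolocation")
HARDWARE_ATTRS = ("mac_address",)  # can uniquely identify a device


class FingerprintRegistry:
    """Numbers each distinct combination of Device Profile values and logs its use."""

    def __init__(self):
        self._numbers = {}   # profile digest -> fingerprint number
        self.audit_log = []  # one entry per token or registration request

    @staticmethod
    def digest(profile):
        # Canonical form (known keys only, sorted, trimmed, lower-cased) so that
        # the same attribute values always produce the same digest.
        known = {k: str(profile[k]).strip().lower()
                 for k in GENERAL_ATTRS + HARDWARE_ATTRS if profile.get(k)}
        blob = json.dumps(known, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(blob.encode("utf-8")).hexdigest()

    def record(self, session_id, operation, profile):
        key = self.digest(profile)
        number = self._numbers.setdefault(key, len(self._numbers) + 1)
        entry = {
            "session": session_id,
            "operation": operation,
            "fingerprint": number,
            # Without a hardware identifier the profile is not unique to one device.
            "unique_device": any(profile.get(k) for k in HARDWARE_ATTRS),
        }
        self.audit_log.append(entry)
        return entry


# Constructed sample Device Profiles (not captured from a real device).
PHONE = {"os_type": "iOS", "os_version": "6.1", "locale": "en_US",
         "network": "wifi", "mac_address": "02:00:00:00:00:01"}
PHONE_UPDATED = dict(PHONE, os_version="6.1.2")  # same device after an OS update
NO_HARDWARE_ID = {"os_type": "Android", "os_version": "4.2", "locale": "en_US"}

if __name__ == "__main__":
    registry = FingerprintRegistry()
    registry.record("s1", "client_registration", PHONE)
    registry.record("s2", "token_acquisition", PHONE_UPDATED)
    for line in registry.audit_log:
        print(line)
```

In this sketch the OS update gives the same hardware a second fingerprint number, so an audit review that tracks a device over time would also need to correlate on the hardware identifier.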