17 Device Fingerprinting and Identification

Device fingerprinting/identification is one of the many attributes OARM uses to assess the risk of an access request or transaction.

Whether it is a desktop computer, laptop computer, mobile device, or other web-enabled device, OARM can use any combination of standard attributes, such as browser user agent string data, proprietary secure cookies, and advanced Autolearning device identification logic, to identify a device. This chapter covers the important fingerprinting and identification concepts and technology that customers need to understand when deploying OARM.

Note:

Positive device identification is not and should not be considered an authentication method, nor the sole determining factor of an allow or block decision. OAA and OARM provide a full, layered security solution. Device fingerprinting and identification represents only one of the layers.

17.1 Overview of Device Fingerprinting

OARM device fingerprinting is a capability used to recognize the devices a user uses to log in and conduct transactions. It collects information about the device, such as browser type, browser headers, operating system type, locale, and so on. Fingerprint data represents the data collected for a device during the login process, which is required to identify the device the next time it logs in. The fingerprint details help in identifying whether a device is secure and in determining the risk level of the authentication or transaction.

A device is identified using proprietary logic and a set of specialized policies to process available data and arrive at identification. The intelligent identification does not rely on any single attribute type so it can function on user devices not following strict specifications and in both web and non-web channels. The device identification is not merely a static list of attributes but is instead a dynamic capture, evaluation and profiling of the specific combinations of attributes available in each access request or transaction. This is especially important in large consumer facing deployments.

17.1.1 Fingerprinting Types

As standard, OARM supports browser and JavaScript fingerprints. The fingerprinting functions the same for desktop/laptop PCs and mobile devices and smart phones that run full-function browsers.

Web Browser-Based Fingerprinting

By design OARM provides web browser based fingerprinting in a pure web environment. In other words, no client software is required, which makes deployment of the solution to large and diverse user populations manageable. Also, OARM does not place any logic on the client side where it may be vulnerable to exploit.

When an end user is accessing a protected application via a web browser, OARM performs browser based fingerprinting. Browser based fingerprinting and identification uses browser user-agent string data and secure cookie data if available.

JavaScript Fingerprinting

OARM provides fingerprinting with JavaScript.

17.1.2 What Makes Up a Device Fingerprint?

The overall fingerprinting of a user device is based on multiple factors, which are explained in this section.

OARM's fingerprinting technology does not solely rely on one element. OARM uses dozens of attributes to recognize and fingerprint the device typically used to log in, providing greater coverage. For example, where certain elements are unavailable, the system can still provide robust security utilizing other objects, such as secure cookie or HTTP headers.

Secure Cookie and Browser Characteristics

Secure cookies are one of the attributes used to identify the device. OARM generates a unique Secure Cookie for each identification and looks for the same cookie the next time any user logs in from the device. The cookie is only valid for that session on that particular device. If the end user logs out and logs back in, that cookie is used to identify the device at that point.

Note:

If there is a policy that does not allow cookies, the secure cookie will not persist.

The Secure Cookie is extracted from the HTTP request. Along with the secure cookie, OARM also extracts browser characteristics.

For additional characteristics that are used to create a unique fingerprint for the device, refer to the browser fingerprint enum and table below:

OS/Browser Characteristics

Operating System
  • Operating System
  • Version
  • Patch level

Browser
  • Browser
  • Version
  • Patch level

Locale
  • Country
  • Language
  • Variant

The browser fingerprint type enum is shown below to illustrate the information to be collected for a browser fingerprint:

#Enum for fingerprint type
vcrypt.fingerprint.type.enum=Enum for fingerprint type
vcrypt.fingerprint.type.enum.browser=1
vcrypt.fingerprint.type.enum.browser.name=Browser
vcrypt.fingerprint.type.enum.browser.description=Browser
vcrypt.fingerprint.type.enum.browser.userAgent=userAgent
vcrypt.fingerprint.type.enum.browser.locallang=localLang
vcrypt.fingerprint.type.enum.browser.localcountry=localCountry
vcrypt.fingerprint.type.enum.browser.localvariant=localVariant
vcrypt.fingerprint.type.enum.browser.header_list=locallang,localcountry,localvariant,userAgent
vcrypt.fingerprint.type.enum.browser.search_list=locallang,userAgent
vcrypt.fingerprint.type.enum.browser.result_list=locallang,userAgent
vcrypt.fingerprint.type.enum.browser.header_value_nv=t,true,f,false,en,English,es,Spanish,de,German,it,Italian,ja,Japanese,fr,French,ko,Korean,zh,Chinese,ar,Arabic,cs,Czech,da,Danish,nl,Dutch,fi,Finnish,el,Greek,iw,Hebrew,hu,Hungarian,no,Norwegian,pl,Polish,pt,Portuguese,ro,Romanian,ru,Russian,sk,Slovak,sv,Swedish,th,Thai,tr,Turkish,BR,Brazil

JavaScript and Device Characteristics

OARM also provides fingerprinting with JavaScript.

The JavaScript fingerprint type enum is shown below to illustrate the information to be collected for a JavaScript fingerprint:

vcrypt.fingerprint.type.enum.javascript.header_list=acn,gl,amv,l,ce,an,av,p,ua,o,je,te,w,h,cd,aw,ah,tzo,mt,pl,osc,prod,prods,bid,pd,cc,dnt
vcrypt.fingerprint.type.enum.javascript.cc=CPU class
vcrypt.fingerprint.type.enum.javascript.cd=Color depth
vcrypt.fingerprint.type.enum.javascript.dnt=Do not track
vcrypt.fingerprint.type.enum.javascript.ce=Cookies enabled
vcrypt.fingerprint.type.enum.javascript.tzo=Timezone offset
vcrypt.fingerprint.type.enum.javascript.result_list=acn,l,ua
vcrypt.fingerprint.type.enum.javascript.is_device_fingerprint=true
vcrypt.fingerprint.type.enum.javascript.gl=Location
vcrypt.fingerprint.type.enum.javascript.mt=Mime types
vcrypt.fingerprint.type.enum.javascript.ah=Available height
vcrypt.fingerprint.type.enum.javascript.prods=Sub Product
vcrypt.fingerprint.type.enum.javascript.header_name_nv=acn,App code name,gl,Location,amv,App minor version,l,Language,ce,Cookies enabled,an,App name,av,App version,p,Platform,ua,User agent,o,Online,je,Java enabled,te,Taint enabled,w,Width,h,Height,cd,Color depth,aw,Available width,ah,Available height,tzo,Timezone offset,mt,Mime types,pl,Plugins,osc,OS CPU,prod,Product,prods,Sub product,bid,Build ID,pd,Pixel depth,cc,CPU class,dnt,Do not track
vcrypt.fingerprint.type.enum.javascript.an=App name
vcrypt.fingerprint.type.enum.javascript.name=Javascript
vcrypt.fingerprint.type.enum.javascript.prod=Product
vcrypt.fingerprint.type.enum.javascript.te=Taint enabled
vcrypt.fingerprint.type.enum.javascript.description=Javascript
vcrypt.fingerprint.type.enum.javascript.pd=Pixel depth
vcrypt.fingerprint.type.enum.javascript.osc=OS CPU
vcrypt.fingerprint.type.enum.javascript.search_list=acn,l,ua
vcrypt.fingerprint.type.enum.javascript.av=App version
vcrypt.fingerprint.type.enum.javascript.header_value_nv=t,true,f,false,en,English,es,Spanish,de,German,it,Italian,ja,Japanese,fr,French,ko,Korean,zh,Chinese,ar,Arabic,cs,Czech,da,Danish,nl,Dutch,fi,Finnish,el,Greek,iw,Hebrew,hu,Hungarian,no,Norwegian,pl,Polish,pt,Portuguese,ro,Romanian,ru,Russian,sk,Slovak,sv,Swedish,th,Thai,tr,Turkish,BR,Brazil,CA,Canada
vcrypt.fingerprint.type.enum.javascript.aw=Available width
vcrypt.fingerprint.type.enum.javascript.bid=Build ID
vcrypt.fingerprint.type.enum.javascript.je=Java enabled
vcrypt.fingerprint.type.enum.javascript.pl=Plugins
vcrypt.fingerprint.type.enum.javascript=4
vcrypt.fingerprint.type.enum.javascript.processor=oracle.security.uas.core.uio.processor.device.JSDeviceIdentificationProcessor
vcrypt.fingerprint.type.enum.javascript.amv=App minor version
vcrypt.fingerprint.type.enum.javascript.acn=App code name
vcrypt.fingerprint.type.enum.javascript.p=Platform
vcrypt.fingerprint.type.enum.javascript.ua=User agent
vcrypt.fingerprint.type.enum.javascript.w=Width
vcrypt.fingerprint.type.enum.javascript.h=Height
vcrypt.fingerprint.type.enum.javascript.l=Language
vcrypt.fingerprint.type.enum.javascript.o=Online
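
A consistency check for a fingerprint type enum like the ones listed above, as an added example that is not Oracle's code. It assumes, from the pattern visible in the listings, that search_list and result_list should be subsets of header_list and that every header_list key has its own label property; SAMPLE is an abridged excerpt of the JavaScript enum, and the function names are hypothetical.

```python
# Added example (not OARM code). SAMPLE is abridged from the JavaScript enum on this page.
PREFIX = "vcrypt.fingerprint.type.enum."
SAMPLE = """\
vcrypt.fingerprint.type.enum.javascript.header_list=acn,l,ua,tzo,prods
vcrypt.fingerprint.type.enum.javascript.search_list=acn,l,ua
vcrypt.fingerprint.type.enum.javascript.result_list=acn,l,ua
vcrypt.fingerprint.type.enum.javascript.header_name_nv=acn,App code name,l,Language,ua,User agent,tzo,Timezone offset,prods,Sub product
vcrypt.fingerprint.type.enum.javascript.acn=App code name
vcrypt.fingerprint.type.enum.javascript.l=Language
vcrypt.fingerprint.type.enum.javascript.ua=User agent
vcrypt.fingerprint.type.enum.javascript.tzo=Timezone offset
vcrypt.fingerprint.type.enum.javascript.prods=Sub Product
"""

def load_enum(text, element):
    """Return {suffix: value} for one enum element (simplified key=value parsing)."""
    base, props = PREFIX + element + ".", {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.startswith(base):
            props[key[len(base):]] = value
    return props

def pairs(flat):
    """Turn the flat 'k1,v1,k2,v2' layout of the *_nv properties into a dict."""
    items = flat.split(",") if flat else []
    if len(items) % 2:
        raise ValueError("name-value list has an odd number of items")
    return dict(zip(items[0::2], items[1::2]))

def check_enum(props):
    """Return a list of findings; an empty list means the enum is consistent."""
    findings = []
    headers = [k for k in props.get("header_list", "").split(",") if k]
    names = pairs(props.get("header_name_nv", ""))
    # Assumption: attributes used for search/result must also be collected.
    for name in ("search_list", "result_list"):
        for key in props.get(name, "").split(","):
            if key and key not in headers:
                findings.append(f"{name}: '{key}' is not in header_list")
    for key in headers:
        if key not in props:
            findings.append(f"{key}: no label property")
        elif key in names and names[key] != props[key]:
            findings.append(f"{key}: label '{props[key]}' differs from header_name_nv '{names[key]}'")
    return findings
```

Run against the sample, the check reports only the differing capitalization of the `prods` label between its own property and `header_name_nv`, which is also present in the full listing above.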