Consent-based device registration
Consent-based device registration is the process of registering the device fingerprint only after the user consents to the device registration. A typical scenario that requires consent-based device registration is when a user attempts to access a protected resource from a public access environment. For example, a user might log in from an internet café or airport kiosk. After the user logs in and successfully responds to the secondary challenge, a consent form is presented. The consent form can be an HTML page where users can indicate that they consent to the device registration.
- If the user consents to the registration of the device, the device is registered and access is permitted. The next time the user logs in from the same device, the consent form is not presented because the device is already registered.
- If the user does not consent to the registration of the device, the device is not registered and the access is permitted. If the user logs in from the same device again, the secondary challenge and the consent form are presented again. The process is repeated because the risk score is high when a user logs in from a device that is not registered.
When a user consents to registration of the device, two attributes are automatically set. We can use these attributes when creating policy:
- userConsent
  - Boolean value that is set to true when the user has consented to device registration.
- authenticationLevel
  - Numeric value that specifies the authentication level of a user. It increases as the levels of authentication that belong to the user increase. For example, a possible authentication level is 2.
When a user is granted access, the authentication level is set by the policy enforcement point. This is the default behavior. Optionally, we can control the authentication level for the user by setting advanced configuration properties.
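The flow above (secondary challenge, consent form, registration on consent, and the userConsent and authenticationLevel attributes) as a small runnable model. This is an added illustration, not Advanced Access Control code: only the two attribute names come from the page; the class names, the risk threshold, the fingerprint strings and the decision labels are constructed assumptions.

```python
"""Constructed model of consent-based device registration.

Not product code: attribute names userConsent and authenticationLevel are
taken from the documentation; everything else (risk threshold, decision
labels, fingerprint values) is an assumption made for this illustration.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple, Dict, List

HIGH_RISK = 60  # assumed score at which a secondary challenge is required


@dataclass
class Session:
    user: str
    fingerprint: str
    challenge_passed: bool = False          # secondary challenge answered correctly?
    consent_given: Optional[bool] = None    # None = consent form not yet answered
    attributes: Dict[str, object] = field(default_factory=dict)


@dataclass
class DeviceRegistry:
    registered: Set[Tuple[str, str]] = field(default_factory=set)

    def is_registered(self, user: str, fingerprint: str) -> bool:
        return (user, fingerprint) in self.registered

    def register(self, user: str, fingerprint: str) -> None:
        self.registered.add((user, fingerprint))


def risk_score(registry: DeviceRegistry, session: Session) -> int:
    # Assumption: an unregistered device alone pushes the score over the threshold.
    if registry.is_registered(session.user, session.fingerprint):
        return 10
    return 80


def evaluate(registry: DeviceRegistry, session: Session, consent_auth_level: int = 2) -> str:
    """Return the next decision for this session.

    Decision labels (constructed): 'permit', 'challenge', 'consent_form'.
    """
    if risk_score(registry, session) < HIGH_RISK:
        # Known device: no step-up, default authentication level.
        session.attributes["authenticationLevel"] = 1
        return "permit"
    if not session.challenge_passed:
        return "challenge"                 # high risk: secondary challenge first
    if session.consent_given is None:
        return "consent_form"              # challenge passed: ask for consent
    if session.consent_given:
        # Consent: register the device and set both attributes.
        registry.register(session.user, session.fingerprint)
        session.attributes["userConsent"] = True
        session.attributes["authenticationLevel"] = consent_auth_level
    else:
        # No consent: access is still permitted, but nothing is registered,
        # so the next login from this device repeats the whole sequence.
        session.attributes["authenticationLevel"] = 1
    return "permit"


def simulate_login(registry: DeviceRegistry, user: str, fingerprint: str,
                   consents: bool = True) -> Tuple[List[str], Session]:
    """Drive one login through evaluate(), assuming the user passes the
    secondary challenge, and return the decisions seen plus the session."""
    session = Session(user, fingerprint)
    seen: List[str] = []
    while True:
        decision = evaluate(registry, session)
        seen.append(decision)
        if decision == "challenge":
            session.challenge_passed = True
        elif decision == "consent_form":
            session.consent_given = consents
        else:
            return seen, session


if __name__ == "__main__":
    reg = DeviceRegistry()
    print(simulate_login(reg, "alice", "fp-A", consents=True)[0])   # first visit
    print(simulate_login(reg, "alice", "fp-A")[0])                  # device now known
    print(simulate_login(reg, "bob", "fp-B", consents=False)[0])    # declined
    print(simulate_login(reg, "bob", "fp-B", consents=False)[0])    # repeats
```

Running the script shows the two outcomes the text describes: a consenting user sees the challenge and consent form once and is permitted silently afterwards, while a user who declines is permitted but sees both again on the next login from the same device.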
Advanced Access Control provides a template page that we can use for the HTML page to display in order to obtain user consent.
- Context-based access policy sample settings to support consent-based device registration
  - Consent-based device registration is typically enabled and supported by combining the “Consent Register Device” authentication policy and the “Register Device” obligation within a CBA policy.
- Set the authentication level for consent-based device registration
  - We can specify the authentication level to grant to a user who consents to device registration.
- Modify consent template pages
  - Use the local management interface to manage files and directories in the template files.
Parent topic: Device fingerprints