Attribute matchers

An attribute matcher compares the values of a specified attribute in the incoming device fingerprint with the existing device fingerprint of the user. Context-based access uses the information that is returned by the attribute matchers to calculate the risk score.

In some scenarios, multiple attributes or a set of composite attributes must be matched. For example, longitude, latitude, and accuracy are three attributes related to location. In a given scenario, two device fingerprints are considered a match if the distance between two location points is not greater than a specified threshold value. In this scenario, the comparison of only the longitude attribute does not provide accurate results. The matcher must do a more complex comparison or composite matching, where it matches multiple attributes from both fingerprints. The matcher returns one of the following results after it compares the attributes values in the registered device fingerprint and the incoming device fingerprint:

A mismatch increases the risk score based on the assigned weight of the attributes. The matcher might not be used in the risk calculation in the following situations:

Risk-based access provides ready-to-use attribute matchers that compare composite attributes or analyze a range of attribute values. We can configure one or more of the attribute matchers that are described in the following sections.

Exact match matcher

The exact_match matcher checks Whether the values of an attribute in a registered device and an incoming request exactly equal each other. Use this matcher if the more specialized matchers are not appropriate for the attribute.

IP address matcher

The IP address matcher (ipaddr_matcher) compares the IP address of a request with:

The IP address matcher has the following properties:

The IP address matcher returns one of the following decisions after it compares the incoming IP address with the IP address that belongs to the registered device:

PIP matcher

The policy information point (PIP) matcher (pip_matcher) uses the value of a single-valued attribute to determine one of the following results:

The PIP matcher supports only single-valued attributes with String data types. Write and configure a JavaScript PIP with the following capabilities if you prefer to use the PIP matcher:

Location matcher

The location matcher (location_matcher) checks Whether the location of a device is within a specific distance from the previous known locations of the device. Configure the location matcher properties to specify the accuracy range and how to compare the location information.Limitation: The retrieval of location attributes depends on the web browser and the settings the user specifies in the web browser. The web browser must support the Geolocation API. An error might occur in some web browsers if a user tries to access a protected resource from a device with a wired internet connection.

The location-based analysis processes all three location attributes (longitude, latitude, and accuracy) collectively when it determines the match for the location. Though weights are assigned to all three attributes, the weight for only the longitude attribute is considered. The weights assigned to the supporting latitude and accuracy attributes are ignored. The location matcher has two properties:

Login time matcher

The login time matcher (login_time_matcher) compares and analyzes the historical login time data of the user with the current login time of the user. We must configure the attributes and properties required for login time analysis. The login time matcher primarily detects the logins per session. The first of the several access times that are captured within the session is considered the login time of the user. The result of the analysis determines the probability of a fraudulent user.The login time matcher has one property:

Parent topic: Advanced Access Control administration

Related concepts

Related tasks