Workaround for digital fingerprint hotfix
This topic details the workaround for a specific use case relating to a hotfix for a digital fingerprint (DFP) issue.
Applies to
The hotfix update and workaround apply to the following product releases:
Identity Platform release 22.02
Identity Platform release 21.04, up to Hotfix 8
Identity Platform release 20.06, up to Hotfix 13
Identity Platform release 19.07.01, up to Hotfix 34
AND you have a specific configuration as described in the Solution and workaround section, below.
Background
Each web browser has a unique digital fingerprint. During the login workflow (in private mode), the Identity Platform collects or reads the digital fingerprint for each user, like the ones shown on the Account Management page.
If there is no DFP for the user, the Identity Platform sends the user to a two-factor authentication page and collects the digital fingerprint. The next time the user logs in, they can skip two-factor authentication.
Otherwise, if there is an existing digital fingerprint for the user, they can skip two-factor authentication in the login workflow.
Issue
There was an issue with the user agent string picking up identical digital fingerprint settings in Google Chrome and Microsoft Edge.
Symptom
Before the hotfix, a user could log in separately in the Chrome and Edge browsers and provide two-factor authentication. Then, when they switched browsers, the Identity Platform sent the user to the two-factor authentication page instead of skipping two-factor authentication.
This was because two different user agent strings recorded the same browser information. The Identity Platform honored only one DFP setting for Chrome or Edge.
Solution and workaround
The hotfix addresses the issue described above, but it could still occur for a specific configuration in the SecureAuth® Identity Platform.
As a solution and workaround, use the hotfix that applies to your product release:
Identity Platform release 22.02, apply Hotfix 2
Identity Platform release 21.04, apply Hotfix 9
Identity Platform release 20.06, apply Hotfix 14
Identity Platform release 19.07.01, apply Hotfix 35
The hotfix and workaround apply if you have this specific configuration in Advanced Settings (formerly Classic Experience): on the Workflow tab, in the Browser / Mobile Profiles section, Match FP Id in cookie is set to Yes.
If you have this configuration, you can use any of the following workarounds after you apply the hotfix.
Option 1. After you apply the hotfix, remove the DFP cookie by clearing your browser cookies.
Option 2. After you apply the hotfix, set the Cookie length field to a shorter time and let the cookie expire. The digital fingerprint will then work correctly, and you can update the cookie length.