Workaround for digital fingerprint hotfix

This topic details the workaround for a specific use case relating to a hotfix for a digital fingerprint (DFP) issue.

Applies to

Hotfix update and workaround applies to the following product releases:

  • Identity Platform release 22.02

  • Identity Platform release 21.04, up to Hotfix 8

  • Identity Platform release 20.06, up to Hotfix 13

  • Identity Platform release 19.07.01, up to Hotfix 34

AND you have a specific configuration as described in the Solution and workaround section, below.

Background

Each web browser has a unique digital fingerprint. During the login workflow (in private mode), the Identity Platform collects or reads the digital fingerprint for each user like the ones shown on the Account Management page.

dfp_001.png

If there is no DFP for the user, the Identity Platform sends the user to a two-factor authentication page and collects the digital fingerprint. Then, the next time the user logs in, they could skip two-factor.

Otherwise, if there is an existing digital fingerprint for the user, they could skip two-factor in the login workflow.

Issue

There was an issue with the user agent string picking up identical digital fingerprint settings in Google Chrome and Microsoft Edge.

Symptom

Before the hotfix, a user could log in separately in Chrome and Edge browsers and they provided two-factor. Then, when they switched browsers, it sent the user to the two-factor authentication page, instead of skipping two-factor.

This was because two different user agent strings recorded the same browser information. It only honored one DFP setting for Chrome or Edge.

Solution and workaround

The hotfix addresses the issue described above, but it could still occur for a specific configuration in the SecureAuth® Identity Platform.

As a solution and workaround, use the following hotfixes applicable for your product release:

  • Identity Platform release 22.02, apply Hotfix 2

  • Identity Platform release 21.04, apply Hotfix 9

  • Identity Platform release 20.06, apply Hotfix 14

  • Identity Platform release 19.07.01, apply Hotfix 35

The hotfix and workaround applies if you have this specific configuration in the Classic Experience -- on the Workflow tab, in the Browser / Mobile Profiles section, the Match FP Id in cookie set to Yes.

dfp_002.png

If you have this configuration, you can use any of the following workarounds after you apply the hotfix.

  • Option 1. After you apply the hotfix, remove the DFP cookie by clearing your browser cookies.

  • Option 2. After you apply the hotfix, set the Cookie length field to a shorter time and let the cookie expire. Then, digital fingerprint will work correctly and you can update the cookie length.