search cancel

Identifying the user's device in Risk Authentication


Article ID: 198194


Updated On:


CA Advanced Authentication - Strong Authentication (AuthMinder / WebFort) CA Strong Authentication CA Rapid App Security CA Risk Authentication CA Advanced Authentication


Risk Authentication is been used at User's Internet Banking login and would like to show Device Registration option after certain (like 15 logins from last 30 days) logins from the same device for the user.

To get that custom rule has been created, which will check on three parameters like IP-Address, OS name and Browser name. , but due to inconsistency in "IP-Address", we have changed to pass "Device-ID" value in place of "IP-Address", but with that also, identifying the user's device has become challenging as "Device-ID" can be deleted if user deletes the browser cache. 

How identify the user's device so that after certain no. of logins from the same device, user will be allowed to register the device (private or public).


Release : 9.x

Component : RiskMinder(Arcot RiskFort)

Risk Authentication


Case 1) When deleting cookies in the browser, it is recognized as a different device. 

Yes, it is a default behavior in Advanced Authentication. To solve this issue, enable "Enable Reverse Lookup for Device Identification". 

After enabling this one, the customer can validate from Advanced Authentication Risk Evaluation Sample site. 

Step 1) Let's say that I have a Device ID registered in the Advanced Authentication as below.

Step 2) Deleted the cookie in the browser. 

Step 3) Access Advanced Authentication Sample code site without cookie

Step4) Without Device ID, it is recognized with a reverse lookup.


Case 2) When a user accesses from the different browser, it is recognized with a different device.

Yes, it is an expected behavior because Advanced Authentication reads browser and browser plug-in information with a java script.

Several years ago, Advanced Authentication used a Java applet or Active X to read system information, but it is not allowed from the browser anymore.

Hence, it is recognized as a different device when a user accesses from a different browser.