Google's User Agent change to User Agent Client hints and its impact on Risk Authentication component of Broadcom's Advanced Authentication

Article ID: 264722


Updated On: 11-22-2024

Products

CA Advanced Authentication - Risk Authentication (RiskMinder / RiskFort), CA Advanced Authentication, CA Risk Authentication

Issue/Introduction

User Agent change to User Agent Client hints and its impact on Risk Authentication component of Broadcom's product named Advanced Authentication.

Environment

Release : 9.x

Component: RiskMinder(Arcot RiskFort)

Cause

Google is introducing a privacy sandbox to help users get control of their privacy. The intent is to make it more difficult for websites to uniquely identify the device that a user is using, without the user providing explicit approval for the website to gather that information:

https://www.chromium.org/Home/chromium-privacy/privacy-sandbox

The proposed changes include, but are not limited to:

Returning a plain vanilla user agent string which exposes minimal identifying client information to a server.

Google is rolling this out as a series of projects and changes to Google Chrome. Additionally, Google is spearheading a push to create standards around this, which other browser clients can adopt. Other browser vendors, such as Mozilla, are looking at adopting some of these changes and standards. Currently, these strings (called User-Agent Client Hints) are incorporated into the Google Chrome and Microsoft Edge browsers. The Apple Safari and Mozilla Firefox browsers do not support User-Agent Client Hints currently, but may incorporate this standard sometime in the future. This is still an active area of development, change, and standardization and, as such, will change over time.

Resolution

Chrome and Edge browsers will be deprecating the User-Agent and introducing the new User-Agent Client Hints. With the release of 9.1SP4 of Advanced Authentication, the Risk Authentication component now supports User-Agent Client Hints in the Chrome and Edge browsers. The User-Agent information is carried primarily in the machine fingerprint (MFP) that is used for Risk Assessment. User-Agent Client Hints enable access to the same information as the User-Agent, but in a more privacy-preserving way. Also, clients often misreport User-Agent strings, making them less reliable.

The Risk Authentication DDNA JS Client is updated to consume the new User-Agent Client Hints to fetch the browser and machine information. If client hints are available in the browser, the DDNA JS SDK parses the client hint data. Users on the Chrome or Edge browser may be prompted for second-factor authentication the first time they log in after this change, even if they have chosen Remembered Device. As a result, these users will be given INCREASEAUTH advice from the Risk Authentication product after the upgrade to 9.1SP4.

Users on the Firefox and Safari browsers should not be impacted by this change.

When you upgrade to Advanced Authentication 9.1 SP4, you also need to upgrade to the latest version of the riskminder-client.js file, available in the Clients package (ca-devicedna-javascript-client-2.2.zip). Advanced Authentication 9.1 SP4 can be downloaded by following this article. After the changes, the old and new MFP will be as follows:

Old MFP:

{"VERSION":"2.1.2","MFP":{"Browser":{"UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36","Vendor":"Google Inc.","VendorSubID":"","BuildID":"20030107","CookieEnabled":true},"IEPlugins":{},"NetscapePlugins":{"PDF Viewer":"","Chrome PDF Viewer":"","Chromium PDF Viewer":"","Microsoft Edge PDF Viewer":"","WebKit built-in PDF":""},"Screen":{"FullHeight":1050,"AvlHeight":1010,"FullWidth":1680,"AvlWidth":1680,"ColorDepth":24,"PixelDepth":24},"System":{"Platform":"Win32","systemLanguage":"en-US","Timezone":0}},"ExternalIP":"127.0.0.1","MESC":{"mesc":"mi=2;cd=150;id=30;mesc=1494666;mesc=1481383"}}

New MFP:

{"VERSION":"2.2","MFP":{"Browser":{"UserAgent":"Windows 3.0.0; x86, Google Chrome, 112.0.5615.50, Mobile : false","Vendor":"Google Inc.","VendorSubID":"","BuildID":"20030107","CookieEnabled":true},"IEPlugins":{},"NetscapePlugins":{"PDF Viewer":"","Chrome PDF Viewer":"","Chromium PDF Viewer":"","Microsoft Edge PDF Viewer":"","WebKit built-in PDF":""},"Screen":{"FullHeight":1050,"AvlHeight":1010,"FullWidth":1680,"AvlWidth":1680,"BufferDepth":null,"ColorDepth":24,"PixelDepth":24,"DeviceXDPI":null,"DeviceYDPI":null,"FontSmoothing":null,"UpdateInterval":null},"System":{"Platform":"Win32","OSCPU":null,"systemLanguage":"en-US","userLanguage":null,"Timezone":0}},"ExternalIP":"127.0.0.1","MESC":{"mesc":"mi=2;cd=150;id=30;mesc=1412061;mesc=1376966"}}

Note: The User-Agent Client Hints APIs are available over HTTPS only. The Firefox and Safari browsers do not currently support User-Agent Client Hints. Symantec will update this article and the Advanced Authentication 9.1 documentation if this changes in the future. Google Chrome 98 and higher and Microsoft Edge 106 and higher support User-Agent Client Hints over HTTPS.
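
The following added example (not Broadcom's riskminder-client.js and not code from this article) shows how a page script can read User-Agent Client Hints through the standard navigator.userAgentData API and fall back to the legacy User-Agent string where hints are unavailable. The function names and the sample hint values are assumptions, and the output layout is inferred from the "New MFP" sample above.

```javascript
// Added example; not Broadcom's riskminder-client.js. The output layout is
// inferred from the "New MFP" sample on this page (an assumption).

// Constructed sample of what getHighEntropyValues() resolves to in Chrome.
const SAMPLE_HINTS = {
  platform: "Windows", platformVersion: "3.0.0", architecture: "x86",
  mobile: false,
  fullVersionList: [
    { brand: "Chromium", version: "112.0.5615.50" },
    { brand: "Google Chrome", version: "112.0.5615.50" },
    { brand: "Not:A-Brand", version: "99.0.0.0" },
  ],
};

// Pick the product brand: skip the Chromium base entry and the randomized
// GREASE entry ("Not:A-Brand", "Not A;Brand", ...). Heuristic match.
function pickBrand(list) {
  const all = list || [];
  const real = all.filter(
    (b) => b.brand !== "Chromium" && !/not.?a.?brand/i.test(b.brand)
  );
  return real[0] || all[0] || { brand: "", version: "" };
}

// Format a hints object like the UserAgent field of the new MFP sample.
function formatClientHints(h) {
  const b = pickBrand(h.fullVersionList || h.brands);
  return `${h.platform} ${h.platformVersion}; ${h.architecture}, ` +
    `${b.brand}, ${b.version}, Mobile : ${h.mobile}`;
}

// Use client hints when the browser exposes them (Chrome/Edge over HTTPS),
// otherwise keep the legacy User-Agent string (Firefox, Safari, plain HTTP).
async function describeBrowser(nav) {
  const uad = nav.userAgentData;
  if (!uad || typeof uad.getHighEntropyValues !== "function") {
    return { source: "user-agent", value: nav.userAgent };
  }
  try {
    const h = await uad.getHighEntropyValues(
      ["platformVersion", "architecture", "fullVersionList"]);
    return { source: "client-hints", value: formatClientHints(h) };
  } catch (e) {
    // The request can be rejected (e.g. by permissions policy): fall back.
    return { source: "user-agent", value: nav.userAgent };
  }
}
```

In a browser, call describeBrowser(navigator). Because the descriptor changes from the legacy string to the hint-based one, a fingerprint stored before the client upgrade no longer matches, which is consistent with the one-time INCREASEAUTH advice described above.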

Additional Information

More information on User Agent Client Hints can be found here.

Symantec Advanced Authentication Service Pack 9.1.04 is available now. Please find the GA announcement link.

For more information about this release, see the release notes section of the Symantec Advanced Authentication Service Pack 9.1.04 documentation.