Understanding the Use of externalIP, deviceSignature, and DeviceID in Risk Evaluation


Article ID: 397361


Products

CA Risk Authentication

Issue/Introduction

This article addresses common questions related to the role of externalIP within deviceSignature, the expected behavior around dynamic/static IPs, and the handling of device identification in CA RiskMinder (CA Risk Authentication).

Environment

CA Risk Authentication 9.1.5

Resolution

Q1: Is externalIP (sent within deviceSignature) utilized during risk evaluation, or is it ignored?
Answer: Yes, the externalIP field within the deviceSignature is used during risk evaluation. It contributes to the Multi-Factor Profiling (MFP) calculation, where RiskMinder evaluates the degree of match between the current and historical device fingerprint data.

  • The externalIP affects the MFP score, which in turn influences the risk advice (ALLOW, INCREASEAUTH, DENY, etc.).
  • A mismatch in the externalIP compared to previous device profiles may lead to a reduced MFP match percentage and potentially a higher risk score.

Q2: Should externalIP be dynamic (reflecting the actual client IP) or static (e.g., always the UBS server IP)?
Answer: The externalIP should reflect the actual client IP address—not a static or server-side value.

  • As per the official documentation, the externalIP is defined as: "The IP address of the system from which the page containing the Client was served."
  • While older implementations may use request.getRemoteAddr(), modern environments (especially those behind proxies or load balancers) should extract the client IP from headers like X-Forwarded-For.

Best Practice: Ensure externalIP in the device signature and ipAddress in the risk evaluation request both reflect the true public IP of the end user/client device.
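One way to derive that client IP behind a proxy chain, shown as an added example (not code from the product or its SDK): the X-Forwarded-For header is honored only when the direct peer is a proxy you operate, and the list is read from the right so that entries supplied by the client itself are not trusted. The class name ClientIpResolver, the proxy addresses, and the IPv4-only handling are assumptions of this sketch; the resolved value is what would be used for both deviceSignature.externalIP and ipAddress.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;

public class ClientIpResolver {
    // Dotted-quad IPv4 only; this example does not handle IPv6 entries.
    private static final Pattern IPV4 = Pattern.compile(
        "(25[0-5]|2[0-4]\\d|1?\\d?\\d)(\\.(25[0-5]|2[0-4]\\d|1?\\d?\\d)){3}");
    private final Set<String> trustedProxies;

    public ClientIpResolver(Set<String> trustedProxies) {
        this.trustedProxies = trustedProxies;
    }

    // remoteAddr: request.getRemoteAddr(); xff: the X-Forwarded-For header value, or null.
    public String resolve(String remoteAddr, String xff) {
        // Only a proxy we operate may vouch for the header; otherwise ignore it.
        if (xff == null || !trustedProxies.contains(remoteAddr)) {
            return remoteAddr;
        }
        String[] hops = xff.split(",");
        // Each proxy appends the peer it saw, so walk from the right and stop
        // at the first address that is not part of our own infrastructure.
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!IPV4.matcher(hop).matches()) {
                return remoteAddr; // malformed entry: do not guess
            }
            if (!trustedProxies.contains(hop)) {
                return hop;
            }
        }
        return remoteAddr; // header listed only our own proxies
    }

    public static void main(String[] args) {
        // Constructed sample data: two proxies and documentation-range client IPs.
        ClientIpResolver r = new ClientIpResolver(
            new HashSet<>(Arrays.asList("10.0.0.5", "10.0.0.6")));
        // Normal path: client -> 10.0.0.6 -> 10.0.0.5 -> application
        System.out.println(r.resolve("10.0.0.5", "198.51.100.23, 10.0.0.6"));
        // Client supplied its own header entry; the proxy appended the real peer
        System.out.println(r.resolve("10.0.0.5", "192.0.2.1, 203.0.113.9"));
        // Peer is not a trusted proxy, so the header is ignored
        System.out.println(r.resolve("203.0.113.9", "10.0.0.6"));
    }
}
```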

Q3: Will RiskMinder generate a new deviceID if a new deviceSignature is received with differing MFA values?
Answer: The creation of a new deviceID depends on the presence and validity of the deviceID in the request and the system’s ability to perform a reverse lookup.

  • If a deviceID is passed in the risk evaluation call, and it’s associated with the user, RiskMinder will use the existing device profile.
  • If a deviceID is not passed or the system fails to associate the incoming deviceSignature with an existing profile (via reverse lookup), a new deviceID will be generated.
  • This behavior ensures device tracking is preserved when devices change but also allows the system to recognize and manage truly new devices.

Additional Information

Summary

| Question | Answer |
| --- | --- |
| Is externalIP used in risk evaluation? | Yes, it's part of MFP calculation. |
| Should externalIP be dynamic or static? | Dynamic; should reflect client IP. |
| When is a new deviceID created? | When deviceID is missing or reverse lookup fails. |

 

Recommendations

  • Always pass accurate client IP values in both the deviceSignature.externalIP and ipAddress field in the risk evaluation API.

  • Avoid hardcoding or defaulting to internal server IPs in device signature generation.

  • Validate the consistency of device-related data between client and server components to maintain MFP integrity and minimize false positives in risk scoring.

 

For further assistance, please contact Broadcom Support with detailed logs and example request payloads.