Understanding IDSP Device Recognition Tags and Shared Device Logic

Article ID: 436016

Products

Symantec Identity Security Platform - IDSP (formerly VIP Authentication Hub)

Issue/Introduction

The Symantec Identity Security Platform (IDSP) Risk Evaluator uses a series of tags within its logs to identify, track, and evaluate the risk of devices used during authentication. This article defines the common device recognition tags found in /auth/v1/authenticate and iarisk/v1/UserRiskScoreEvaluator calls and explains why different users on the same device may generate distinct tag values.

Environment

Symantec Identity Security Platform (IDSP)

Resolution

Common Scenarios and Log Behaviors

1. Multiple Users on a Single PC (Shared Device)

When different users log in from the same browser on the same PC, IDSP evaluates the "User-Device" relationship rather than just the hardware.

  • Observation: User A logs in and registers the device. When User B logs in, the system may flag the transaction as "Possibly shared remembered device".
  • Reasoning: IDSP detects that the device signature is already bound to another user's profile. Because the system distinguishes between the physical hardware and the authorized user of that hardware, it may issue a new deviceTag or flag the mismatch to prevent account takeover (ATO) attempts.

2. Remembered Device Expired

If a log shows "Registered device not detected: Remembered device expired", it indicates that the cryptographic binding or the "trust" duration for that device has surpassed the configured TTL (Time to Live) in the IDSP policy.

Troubleshooting & Implementation Best Practices

To ensure consistent device recognition and trust, the following steps are required:

  • Feedback Integration: To trust a device, your application must call the Feedback API (PostUserRiskScoreEvaluator) after a successful authentication.
  • Passing the Tag: You must explicitly pass the deviceTag received from the initial Risk Evaluation call into the feedback payload with the rememberDevice flag set to true. Failure to do so will result in the device remaining "unrecognized" in subsequent attempts (see the related article "VIP AuthHub Not registering Device during IA RISK call in Postman").
  • SDK Usage: It is highly recommended to use the official IDSP Risk SDK. Manual implementations (such as using Postman or custom scripts) often fail to properly manage the embedding of the device tag into the signature payload, which is required for the platform to recognize the device as "matched".
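A triage sketch for the checks above, added here as an example and not taken from IDSP or its SDK: it classifies Risk Evaluator records by the tags and messages this article describes and lists users whose evaluation was never followed by feedback carrying the deviceTag with rememberDevice set to true. The JSON-lines layout and the "call", "user" and "reason" keys are assumptions; the sample records are constructed.

```python
import json

# Constructed sample records. The JSON layout and the "call", "user" and
# "reason" keys are assumptions; the tag names and messages are the ones
# this article describes.
SAMPLE_LOG = """\
{"call": "evaluate", "user": "userA", "deviceTag": "tag-1", "deviceIssuedRawTag": "raw-1"}
{"call": "feedback", "user": "userA", "deviceTag": "tag-1", "rememberDevice": true}
{"call": "evaluate", "user": "userA", "deviceTag": "tag-1", "deviceMatchedTag": "tag-1", "devicePreviousTag": "tag-1"}
{"call": "evaluate", "user": "userB", "deviceTag": "tag-2", "reason": "Possibly shared remembered device"}
{"call": "evaluate", "user": "userC", "deviceTag": "tag-3", "deviceIssuedRawTag": "raw-3"}
{"call": "feedback", "user": "userC", "rememberDevice": true}
{"call": "evaluate", "user": "userD", "deviceTag": "tag-4", "reason": "Registered device not detected: Remembered device expired"}
"""


def classify(rec):
    """Map one evaluation record to a device-recognition state."""
    reason = rec.get("reason", "")
    if "Possibly shared remembered device" in reason:
        return "shared-device"
    if "Remembered device expired" in reason:
        return "expired"
    if rec.get("deviceMatchedTag"):
        return "matched"
    return "unrecognized"


def triage(log_text):
    """Return (user, deviceTag, state, feedback_ok) per evaluation record."""
    records = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    # Feedback only counts when it carries the deviceTag AND rememberDevice=true.
    trusted = {
        (r["user"], r["deviceTag"])
        for r in records
        if r["call"] == "feedback" and r.get("rememberDevice") is True and r.get("deviceTag")
    }
    return [
        (r["user"], r.get("deviceTag"), classify(r), (r["user"], r.get("deviceTag")) in trusted)
        for r in records
        if r["call"] == "evaluate"
    ]


def missing_feedback(findings):
    """Users whose device is not matched and has no valid feedback on record."""
    return sorted({u for u, _tag, state, ok in findings if state != "matched" and not ok})


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
    print("feedback missing or incomplete:", missing_feedback(triage(SAMPLE_LOG)))
```

In the sample, userC's feedback call omits the deviceTag, so it is reported alongside the users who sent no feedback at all.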

 

| Tag Name | Definition |
|---|---|
| deviceTag | The unique identifier assigned to the device for the current authentication transaction. This is the primary key used to track the device in the risk engine. |
| deviceIssuedRawTag | The raw identifier newly generated or detected from the device signature payload in the current request. |
| devicePreviousTag | The identifier associated with the last known "trusted" or "remembered" state for the specific user-device combination. |
| deviceMatchedTag | The identifier that the Risk Evaluator successfully matched against an existing entry in the trusted device repository. |