Strong Device ID, Device Risk and Device Management
Web Device Identification
Web Device ID technologies recognize users returning from the same browser instance. This can be used to increase trust in the login process, or to step up authentication when the user arrives from a browser instance that has not been seen before. Web device ID technologies use various techniques to store information on the user’s device and to read configuration from the device in order to determine the identity of the device. Because a stored identifier can be cleared and a configuration fingerprint can be imitated, a stronger form of web device identification uses certificates stored on the device (typically a TLS client certificate), which the browser presents to establish a secure and mutually authenticated channel between the browser and the application server.
Being able to identify the user’s device and leverage its security capabilities leads to better security overall and, very often, better usability as well. Device ID and device risk technologies can be orchestrated with other authentication and risk detection techniques to determine the right level of access for each session.
Mobile Device Identification
Mobile device ID technologies use cryptographic algorithms to strongly bind the user’s mobile device to the user’s account. The technology leverages the device’s secure hardware to store cryptographic keys, which are then used to sign and encrypt the communication between the mobile device and the application server; the private key never leaves the hardware, so the device cannot be impersonated by copying stored data. The cryptographic keys can be further protected by biometric information such as a face or fingerprint, so that a successful signature proves both that the enrolled device is present and that the enrolled user unlocked it. Cryptographic keys are tightly managed, rolled over, and revoked based on risk.
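The device binding described for mobile devices above, and equally the certificate-based web device identification in the previous section, comes down to the same challenge-response exchange: the server holds an enrolled public key per user and device, issues a fresh challenge, and accepts a session only if the device signs that exact challenge with a key it cannot export. The following is an added example written for this page, not Transmit’s SDK or server code. It assumes a hypothetical audience string `api.example.com`, simulates the secure hardware with an in-memory Ed25519 key gated by a `Unlock` call that stands in for the biometric prompt, and shows the three checks a server must make: the signature, single use of the challenge (replay), and that the key has not been revoked or the challenge expired.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Device is the client side. On a real phone the private key lives in the
// Secure Enclave / Android Keystore and never leaves it; here it is held in
// memory (simulation) and gated by a simulated biometric prompt.
type Device struct {
	ID       string
	priv     ed25519.PrivateKey
	unlocked bool // true only after a successful (simulated) face/fingerprint check
}

func NewDevice(id string) (*Device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{ID: id, priv: priv}, nil
}

func (d *Device) PublicKey() ed25519.PublicKey { return d.priv.Public().(ed25519.PublicKey) }

// Unlock stands in for the keystore's user-presence / biometric requirement.
func (d *Device) Unlock(biometricOK bool) { d.unlocked = biometricOK }

// Sign refuses to use the key until the user has been biometrically verified.
func (d *Device) Sign(challenge []byte) ([]byte, error) {
	if !d.unlocked {
		return nil, errors.New("key requires biometric unlock")
	}
	return ed25519.Sign(d.priv, challenge), nil
}

// Registry is the server side: enrolled keys per user and device, plus the
// outstanding single-use challenges. now is injectable so expiry is testable.
type Registry struct {
	keys    map[string]map[string]ed25519.PublicKey // user -> device ID -> key
	pending map[string]pendingChallenge             // challenge text -> context
	now     func() time.Time
}

type pendingChallenge struct {
	user, device string
	issued       time.Time
}

func NewRegistry(now func() time.Time) *Registry {
	return &Registry{keys: map[string]map[string]ed25519.PublicKey{}, pending: map[string]pendingChallenge{}, now: now}
}

func (r *Registry) Register(user, device string, pub ed25519.PublicKey) {
	if r.keys[user] == nil {
		r.keys[user] = map[string]ed25519.PublicKey{}
	}
	r.keys[user][device] = pub
}

// Revoke drops the enrolled key; any challenge still in flight for it fails.
func (r *Registry) Revoke(user, device string) { delete(r.keys[user], device) }

// Challenge issues a random nonce bound to user, device and audience (hypothetical
// api.example.com), so an assertion cannot be reused across accounts or services.
func (r *Registry) Challenge(user, device string) ([]byte, error) {
	if _, ok := r.keys[user][device]; !ok {
		return nil, errors.New("unknown device")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	c := fmt.Sprintf("device-auth-v1|api.example.com|%s|%s|%s", user, device, hex.EncodeToString(nonce))
	r.pending[c] = pendingChallenge{user: user, device: device, issued: r.now()}
	return []byte(c), nil
}

// Verify consumes the challenge before checking anything else, so a captured
// assertion is rejected on replay even though its signature is still valid.
func (r *Registry) Verify(challenge, sig []byte) error {
	pc, ok := r.pending[string(challenge)]
	if !ok {
		return errors.New("unknown or already used challenge")
	}
	delete(r.pending, string(challenge))
	if r.now().Sub(pc.issued) > 2*time.Minute {
		return errors.New("challenge expired")
	}
	pub, ok := r.keys[pc.user][pc.device]
	if !ok {
		return errors.New("device revoked")
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	dev, _ := NewDevice("phone-1")
	reg := NewRegistry(time.Now)
	reg.Register("alice", "phone-1", dev.PublicKey())
	ch, _ := reg.Challenge("alice", "phone-1")
	dev.Unlock(true)
	sig, _ := dev.Sign(ch)
	fmt.Println("first use:", reg.Verify(ch, sig))
	fmt.Println("replay:", reg.Verify(ch, sig))
}
```

The audience string in the challenge is what prevents a signature obtained for one service from being presented to another; the nonce map is deleted before verification so that a concurrent replay cannot race the check. For the browser case the same structure applies, with the key held in a client certificate and the signature produced inside the TLS handshake rather than by application code.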
Device risk algorithms look at various aspects of the device, such as device type, OS version, age (how long the device has been known), location, and usage patterns, to determine the trust and risk level of the device. Devices with a lower trust level or a greater risk level can be restricted in the type of services they’re allowed to access, or may require a stronger or different authentication process. The device’s risk score can be orchestrated with other risk scores, such as user behavior, to fine-tune access decisions.
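As an added illustration of the scoring described above (example code written for this page, not Transmit’s risk engine), the block below turns the listed signals into a 0 to 100 score with the reasons that fired, adds an impossible-travel check derived from location and time since the previous login, and then combines the device score with a separate user-behaviour score to pick allow, step-up or deny. The field names, weights and thresholds are assumptions chosen for the example; the sample device in `main` is constructed.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// DeviceSignals is what the platform has on file about a device at login time.
// Field names and the set of signals are assumptions for this example.
type DeviceSignals struct {
	OSMajor, LatestOSMajor int       // installed vs. current major OS version
	Rooted                 bool      // jailbreak / root detection hit
	FirstSeen, LastSeen    time.Time // registry timestamps for this device
	Logins                 int       // successful logins from this device so far
	Lat, Lon               float64   // current login location
	LastLat, LastLon       float64   // location of the previous login
}

type Decision string

const (
	Allow  Decision = "allow"
	StepUp Decision = "step_up"
	Deny   Decision = "deny"
)

// haversineKm is the great-circle distance used by the travel-speed check.
func haversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	const earthKm = 6371.0
	toRad := func(d float64) float64 { return d * math.Pi / 180 }
	dLat, dLon := toRad(lat2-lat1), toRad(lon2-lon1)
	a := math.Pow(math.Sin(dLat/2), 2) +
		math.Cos(toRad(lat1))*math.Cos(toRad(lat2))*math.Pow(math.Sin(dLon/2), 2)
	return 2 * earthKm * math.Asin(math.Sqrt(a))
}

// DeviceRisk folds the signals into a 0-100 score and returns the reasons that
// fired, so the decision can be explained (weights are example values).
func DeviceRisk(s DeviceSignals, now time.Time) (int, []string) {
	score, reasons := 0, []string{}
	add := func(pts int, why string) { score += pts; reasons = append(reasons, why) }
	if s.Rooted {
		add(60, "rooted or jailbroken")
	}
	if s.LatestOSMajor-s.OSMajor >= 2 {
		add(15, "OS two or more major versions behind")
	}
	if now.Sub(s.FirstSeen) < 24*time.Hour {
		add(20, "device first seen less than 24h ago")
	}
	if s.Logins < 3 {
		add(10, "fewer than 3 prior logins")
	}
	// Impossible travel: distance from the previous login over elapsed time.
	// Faster than a commercial flight (~900 km/h) is treated as a takeover signal.
	if hours := now.Sub(s.LastSeen).Hours(); hours > 0 {
		if km := haversineKm(s.LastLat, s.LastLon, s.Lat, s.Lon); km/hours > 900 {
			add(40, fmt.Sprintf("impossible travel: %.0f km in %.1f h", km, hours))
		}
	}
	if score > 100 {
		score = 100
	}
	return score, reasons
}

// Decide orchestrates the device score with a separate user-behaviour score.
// The higher of the two drives the outcome, so a long-trusted device does not
// mask anomalous behaviour and normal behaviour does not excuse a risky device.
func Decide(deviceRisk, behaviourRisk int) Decision {
	combined := deviceRisk
	if behaviourRisk > combined {
		combined = behaviourRisk
	}
	switch {
	case combined >= 70:
		return Deny
	case combined >= 30:
		return StepUp
	default:
		return Allow
	}
}

func main() {
	now := time.Date(2024, 5, 1, 12, 0, 0, 0, time.UTC)
	// Constructed sample: a phone known for a year that logged in from London an
	// hour ago and is now presenting from New York.
	s := DeviceSignals{OSMajor: 17, LatestOSMajor: 17, FirstSeen: now.AddDate(-1, 0, 0),
		LastSeen: now.Add(-1 * time.Hour), Logins: 120,
		Lat: 40.71, Lon: -74.01, LastLat: 51.51, LastLon: -0.13}
	score, why := DeviceRisk(s, now)
	fmt.Println(score, why, Decide(score, 10))
}
```

Returning the reasons alongside the score is deliberate: a step-up prompt or a denial is far easier to support, and to audit, when the device management view can show which signal caused it.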
Device Repository and Management
Transmit automatically builds and maintains a list of devices per user. Any device used by the user is automatically registered by the platform. This includes mobile phones, tablets, computers, and laptops. The platform also automatically stores information about the device, such as the type of the device, the operating system it runs on, and the version of the operating system. Transmit includes a device management interface that can be invoked by any mobile application or web application. This highly configurable interface serves a few purposes:
It allows users to view the different devices they’ve used to date alongside the information described above, such as location, the dates on which the device was first and last used, and the number of logins performed from the device.
It allows users to perform operations of the kind Google and Apple offer for their devices, such as removing a device that is no longer in use, locking a device that is temporarily not in use, renaming a device, and finding a device.
It manages different security aspects of the device, such as the type of authentication and authorization allowed from each device.
Over-the-Air Journeys is the technology that sets Transmit apart from all other vendors. With Over-the-Air Journeys, application owners use graphical tools and an orchestration language to design simple and complex user journeys that involve authorization, authentication, KYC, fraud prevention, regulatory requirements, and more. Once designed, these journeys can be pushed "over the air" and played in any application that is connected to Transmit, without making any code changes to the application and without the need to re-publish the application. Over-the-Air Journeys consist of two main technologies: a Journey Player and an Orchestration Engine. The Journey Player is incorporated into your applications as an SDK and is responsible for playing the entire journey inside the application. The Journey Player works with the Transmit Orchestration Engine, which orchestrates the journey and defines the next steps on either the client or server side.
Transmit provides a full set of authentication services to manage primary login, multi-factor, and step-up authentication across various applications and channels. The platform includes a large set of built-in authenticators such as OTPs, soft tokens, biometric authenticators, and knowledge-based authenticators. In addition, the platform can be used to manage any third-party authenticator or authentication service connected to the Identity Services Hub. Transmit’s authentication services manage the enrollment process for each authenticator and also tasks such as de-enrollment, re-enrollment, and expiry periods. The platform provides flexible ways of defining authentication levels and attaching them to different authenticators and journeys. The platform allows building rules for authentication failures across different authenticators and devices and taking various actions when thresholds are reached. Transmit is FIDO certified and can be used to manage any FIDO authenticator alongside non-FIDO authenticators.