000016100 - 'Does the device authentication solution utilize cookies not susceptible to copying?'

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000016100
Applies To
The short answer is Yes. Below are more details derived from the latest "Data Gathering Techniques Guide", which can be obtained from RSA Secure Care Online (SCOL).
Data gathering for device authentication uses multiple techniques. One technique is a method that installs a unique device ID on the user's device, enabling efficient tracking of user devices. JavaScript code is implemented to collect device data and store it in the browser cookie. This cookie is later sent to the Adaptive Authentication or Transaction Monitoring system for device identification.

Browser cookies are used to identify devices attempting to access a system protected by RSA Adaptive Authentication or Transaction Monitoring. The User ID is used to identify the user and the cookie is used to identify the user's device.
Issue
NCUA auditors ask our customers standard questions. One question that has been seen repeatedly is:
 "Does the device authentication solution utilize cookies not susceptible to copying?"
Resolution
Implementing the Browser Cookie with the Anti-Theft Feature
To protect against cookie theft, the browser must change the cookie data on each request. This scenario supports two modes: reading the browser cookie, and writing or updating the cookie.
Important: The cookie anti-theft feature is only available for organizations using the Anti-Intrusion model.
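
The rotate-on-each-request idea described above, sketched as an added example (not RSA's code and not taken from the Data Gathering Techniques Guide): a server-side store accepts only the most recently issued cookie value, so a copied value goes stale once the real browser makes its next request. The class, method names, cookie layout and in-memory store are assumptions made for illustration.

```javascript
// Added illustration only: a generic rotate-on-every-request device cookie.
// Not RSA's implementation; all names here are hypothetical.
const crypto = require('crypto');

const sha256 = (v) => crypto.createHash('sha256').update(v).digest();
const newToken = () => crypto.randomBytes(32).toString('hex');

class DeviceCookieStore {
  constructor() {
    this.devices = new Map(); // deviceId -> { userId, tokenHash, suspect }
  }

  // "Write" mode: bind a new device to the user and issue its first cookie.
  enroll(userId) {
    const deviceId = crypto.randomUUID();
    const token = newToken();
    this.devices.set(deviceId, { userId, tokenHash: sha256(token), suspect: false });
    return `${deviceId}.${token}`;
  }

  // "Read" then "update" mode: accept only the latest value, then replace it.
  verifyAndRotate(userId, cookie) {
    const [deviceId, token] = String(cookie).split('.');
    const rec = this.devices.get(deviceId);
    if (!rec || !token || rec.userId !== userId) return { status: 'unknown' };
    if (!crypto.timingSafeEqual(sha256(token), rec.tokenHash)) {
      // A superseded value means a second copy of the cookie is in use.
      rec.suspect = true;
      return { status: 'stale' };
    }
    const next = newToken();
    rec.tokenHash = sha256(next); // only the hash of the live value is stored
    return { status: 'recognized', suspect: rec.suspect, cookie: `${deviceId}.${next}` };
  }
}

// Constructed scenario: the first cookie value is copied, then the real
// browser makes a request (rotating the value) before the copy is presented.
function demo() {
  const store = new DeviceCookieStore();
  const first = store.enroll('alice');
  const copied = first;
  const legit = store.verifyAndRotate('alice', first);
  const replay = store.verifyAndRotate('alice', copied);
  const legitAgain = store.verifyAndRotate('alice', legit.cookie);
  return { first, legit, replay, legitAgain };
}
```

If the copy is presented before the real browser's next request, it is the real browser that receives `stale`; in either order the mismatch marks the device record as suspect, which is the signal to require step-up authentication.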
Legacy Article ID: a61458
