StephenJeon
Contributor

Device Platform for Soft Tokens

Hi, I was wondering how you can bind a software token profile to a specific device platform (Windows PC, iOS, etc.). We have recently onboarded desktop soft tokens for Windows and Mac desktops and made two separate software token profiles for both; however, I noticed when testing that I was able to use the Mac OS desktop token profile successfully from my Windows desktop PC.

Is this attribute set under the variable DeviceSerialNumber?

If so, what would I need to fill in under it to restrict it to a specific OS?

Accepted Solutions
EdwardDavis
Employee

The closest match to binding to a specific OS is:

- the version of the RSA application installed, and what device type number it shows
- building a profile with that commonly used device type, and naming the profile something you can remember.

Example: Windows RSA software token app version 5.0.2.x

Device Name: Local Hard Drive (RSA)
Device Serial Number: 62d282e0b74432ee2c8c
Device Type: {b57ed41b-cd67-4bac-85ab-19722fcd4498}

If I build a software token profile and choose Desktop PC 5.x in the dropdown, I will see the device serial number pre-filled with B57ED41B-CD67-4bac-85AB-19722FCD4498. That matches what my user sees in the application, so I know this token can potentially bind to 'any Windows 5.x'.

If I chose a software token profile and Desktop PC 4.0 was selected, the pre-filled number will not match: 8f94b026-d362-4554-ac52-3b01fa333b6f.

Of course, you can edit the serial number to be the one user-specific device 62d282e0b74432ee2c8c for more security, or leave it blank, and then it can bind to potentially 'any software token app, platform independent'.

0 Likes

Hey, thanks for the response. So the device type is configured by one of the drop box options when setting the software profile, correct?

I have configured two separate token profiles, one for PC and one for Mac, but I have noticed in my testing that my desktop PC is able to import and use tokens from either of the above profiles even though it is not a Mac. Below is how it is set up. They were originally created automatically by PRIME services, but I removed the DeviceSerialNumber as I had thought that binds it to a specific device.

[Attached screenshots: MAC Profile.PNG, PC Profile.PNG]

0 Likes

Device Serial Number Field:

- if you put in the specific device SERIAL number, only one device can run that token.
- if you put in the specific device TYPE number, then it can run on any of the same family of app (all Windows 5.x)
- if you make it blank, then it doesn't check, and can install anywhere if there are no settings conflicts

These profiles are mainly designed so you can only choose options that are known to work on the target device. But they will create a token which can install just about anywhere, with just a few things to note.

For example, not all token apps can handle 30-second tokens, Windows desktop cannot handle QR code, etc. So, by choosing the exact or closest match profile to the target device, you won't build a profile with 'impossible custom options' and then have to figure out why tokens won't install or work properly.

And the canned profiles will have the device type number pre-filled in the Default Value column. But if you make that Default Value blank as in your examples, the token can install on just about any device, as long as the other options do not conflict. We have a profile called Generic AES, which is a very stripped-down token, but about guaranteed to work on very old RSA token apps, SDK, etc., as it has the least options to customize.

In your two screenshots, Mac and Desktop, neither has any serial numbers, and the other possible options are the same, so either profile will make tokens that can install just about anywhere. If you want to lock them down to Mac or Desktop, you need to find the device type number (the app will show you) and put that in the profile, and then these will become more specific to Mac or Desktop. Even further (as mentioned earlier), you can lock a token down to one single user device by using the actual device serial number that the target app calculated, and then you can be sure it can only work on one device.

Go ahead and add a new profile, and during the creation of this test profile, check what old and new devices are selectable, and observe how specific options change, as well as how the device serial number field changes depending on the 'template' in the dropdown box.

Your answers were very helpful. Thank you.

0 Likes
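
The three DeviceSerialNumber cases from the answers above, as an added example that is not part of the original thread and is not RSA code: it classifies a profile's default value as unbound, device-type bound or single-device bound, and lists profiles left unbound. The profile names, the dictionary layout and the `would_install` matching rule are assumptions modelled on the thread's description; the identifiers are the ones quoted in the thread.

```python
import re

GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

def normalize(value):
    """Strip whitespace and GUID braces, lowercase: the app shows
    {b57ed41b-...} while the profile pre-fills B57ED41B-..."""
    return (value or "").strip().strip("{}").lower()

def binding_scope(device_serial_number):
    """Classify a profile's DeviceSerialNumber default value."""
    v = normalize(device_serial_number)
    if not v:
        return "unbound"        # no check: installs on any token app
    if GUID_RE.match(v):
        return "device-type"    # any app of that family, e.g. Windows 5.x
    return "single-device"      # one device's calculated serial number

def would_install(profile_value, app_type, app_serial):
    """Model of the check as described in the thread (an assumption,
    not RSA's implementation): blank matches anything, otherwise the
    value must equal the app's device type or device serial number."""
    v = normalize(profile_value)
    return not v or v in (normalize(app_type), normalize(app_serial))

def audit(profiles):
    """Return names of profiles that impose no device binding."""
    return [name for name, value in profiles.items()
            if binding_scope(value) == "unbound"]

# Constructed sample data; identifiers are the ones quoted in the thread.
WIN_APP = {"type": "{b57ed41b-cd67-4bac-85ab-19722fcd4498}",
           "serial": "62d282e0b74432ee2c8c"}
PROFILES = {
    "Mac desktop (blank)": "",
    "PC desktop (blank)": None,
    "Desktop PC 5.x": "B57ED41B-CD67-4bac-85AB-19722FCD4498",
    "Desktop PC 4.0": "8f94b026-d362-4554-ac52-3b01fa333b6f",
    "One user's PC": "62d282e0b74432ee2c8c",
}

if __name__ == "__main__":
    for name, value in PROFILES.items():
        ok = would_install(value, WIN_APP["type"], WIN_APP["serial"])
        print(f"{name:22} {binding_scope(value):14} installs on Windows 5.x app: {ok}")
    print("Unbound profiles:", audit(PROFILES))
```

Running the audit over the two blank profiles reproduces the behaviour reported in the question: both accept the Windows app, because neither carries a device type or serial number to compare against.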