Platform Authenticator Methods
Our phishing-resistant platform uses multiple methods to invoke the platform authenticator on end-user devices. These methods vary in security levels:
- Primary methods offer explicit phishing-resistant properties
- Fallback methods rely on network signals to verify device identity
- Method availability depends on the platform and the authentication context
IP Address Verification
During authentication, two IP addresses are monitored:
- User-agent IP (accessing the login page)
- Platform authenticator IP (responding to login attempt)
IP Comparison
- IP addresses are directly compared when using fallback methods
- Comparison fails if connections use different IP schemes
- Network fingerprinting detects the public IP address recorded when the device contacts the cloud.
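The direct comparison described above can be reproduced when triaging mismatch events. The following is an added example, not Beyond Identity's code: the event fields and the sample addresses are constructed, "different IP schemes" is assumed to mean IPv4 versus IPv6, and unwrapping IPv4-mapped IPv6 addresses before comparing is an assumption of this sketch.

```python
import ipaddress

def normalize(ip_text):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4.
    The unwrapping step is an assumption of this example."""
    ip = ipaddress.ip_address(ip_text.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def classify(user_agent_ip, authenticator_ip):
    """Directly compare the two addresses observed during one login attempt."""
    ua = normalize(user_agent_ip)
    pa = normalize(authenticator_ip)
    if ua.version != pa.version:
        # Assumed meaning of "different IP schemes": one IPv4, one IPv6.
        # A dual-stack device can produce this without any attack in progress.
        return "mismatch_different_scheme"
    if ua == pa:
        return "match"
    # Same address family, different public address: the case the check targets.
    return "mismatch_same_scheme"

# Constructed sample events (documentation address ranges, hypothetical field names).
EVENTS = [
    {"user": "alice", "user_agent_ip": "203.0.113.10", "authenticator_ip": "203.0.113.10"},
    {"user": "bob", "user_agent_ip": "203.0.113.10", "authenticator_ip": "2001:db8::10"},
    {"user": "carol", "user_agent_ip": "198.51.100.7", "authenticator_ip": "203.0.113.10"},
    {"user": "dave", "user_agent_ip": "::ffff:203.0.113.10", "authenticator_ip": "203.0.113.10"},
]

def triage(events):
    """Map each user to the comparison verdict for their login attempt."""
    return {e["user"]: classify(e["user_agent_ip"], e["authenticator_ip"]) for e in events}

if __name__ == "__main__":
    for user, verdict in triage(EVENTS).items():
        print(f"{user}: {verdict}")
```

Separating the two mismatch verdicts helps distinguish a likely dual-stack false positive from a login where the browser and the authenticator really sit behind different public addresses.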
Error Messages
When IP mismatch is detected:
- In the Admin Console Event, you will see: Policy violation: "Policy Denied Access policy violated"
- The end-user will be shown: "Suspicious Login Attempt - Platform Authenticator and User Agent IP mismatch detected"
Configuration Options
- Fallback methods can be enabled/disabled per tenant
- Configuration changes require assistance from Beyond Identity (BI) Support
- Administrators can control this functionality via Policy
- This can also be enabled/disabled by opening a ticket with Beyond Identity Support.
This security measure helps ensure that authentication attempts originate from the same device, maintaining the integrity of our phishing-resistant platform.