Devices
The device concept plays an integral part in Identity Orchestration workflows. When your applications run on devices, they interact with the journeys and can influence the execution logic and UX.
By recognizing devices early in the journey, Mosaic can provide tailored identity experiences and strengthen the app's security posture. For example, users accessing an application from a recognized, secure device may experience a streamlined login process, while those connecting from an unrecognized or suspicious device may be prompted for additional verification steps.
Device identity
Identity Orchestration operates with both physical and virtual devices. Physical devices like smartphones and tablets are tangible hardware running native apps and journeys. In the context of web applications, a device refers to a virtual entity like a browser, which serves as a logical device facilitating access to the application domain. Hence, each browser, such as Chrome or Safari, accessing your domain is identified as a new device.
Device identity is created and linked to a user per application. In other words, to leverage devices in identity journeys, for each app or—in case of web—domain, you have to register every user's device (smartphone, Chrome browser, etc.) individually. For example, a user accessing the Acme app from their Android phone and through Safari and Chrome browsers on their laptop will have in total three devices associated with them for Acme app. If the same device (smartphone or browser) is used to access multiple apps (or domains), Mosaic treats these interactions as separate device identities.
Device identity is maintained using crypto-binding technology. Upon device registration in the journey, Mosaic creates a cryptographic key-pair that uniquely identifies a device (physical or virtual) and ties it to a specific user in the Mosaic identity store. The private key never leaves the device while the public key is submitted to Mosaic along with the device key identifier (key_id). The key_id helps locate the public key and is used to identify this device in the journeys.
To learn more about how devices work in Mosaic, see Device management.
Use cases
Integrate device recognition and management logic into Identity Orchestration workflows to:
- Create a customized user experience
- Use the device as a "something you have" factor in multi-factor authentication
- Enforce security policies, such as a single device policy
- Manage risks
Journey steps
Below are journey steps operating on device identities. For detailed instructions on how to perform common device management tasks, see Manage devices.
- Register device: Ties a device to the authenticated user using crypto-binding technology. Returns the key_id device identifier.
- Is known device: Validates if the device is associated with the user. Mosaic sends a challenge for the device to sign using the private key. If the signature is valid for the public key identified by the key_id, the device is identified as known. Returns the key_id device identifier.
- Device keys APIs: Perform various CRUD operations on devices. Typically, these APIs require key_id and user_id as input. The user_id for a logged-in user can be obtained using the @policy.userContext().user_id expression.