Device management

Device management plays a critical role in identity management by ensuring that the devices used to access services are trusted and secure. It involves verifying the identity of devices and enforcing policies that link devices to authorized users. By managing devices in this way, organizations can maintain a secure environment where only authenticated and compliant devices can connect to sensitive resources, reducing the risk of unauthorized access or data breaches.

Benefits

Keeping track of user devices offers multiple benefits, particularly in enhancing security, user experience, and operational efficiency, including:

  • Secure authentication: By keeping track of devices, organizations can ensure that only authorized devices access sensitive systems. In MFA, a registered device can serve as a "something you have" authentication factor.
  • Seamless user experience: By linking users to their devices, organizations can offer seamless and secure identity experiences, allowing known devices to perform certain activities without additional authentication, reducing friction and promoting user trust.
  • Streamlined operations: Restricting the number of devices per user, such as allowing only a single mobile device per user, enhances security and brings clarity to your app operations.
  • Risk mitigation: If a device is lost or stolen, or is suspected to be compromised, the ability to remotely block it minimizes the risk of account takeover. For more information on securing your apps using device identifiers, see this guide.

Device identity

In Mosaic, a device can be either a physical or a virtual entity. Physical devices include, for example, smartphones and tablets running native apps. For web applications, Mosaic treats browsers, such as Chrome or Safari, as devices, because the browser is what grants access to the application domain.

Device identities are tightly connected to user identities. A device identity is created when a device (physical or virtual) is registered for a logged-in user, or when a new user is onboarded. Devices are linked to users at the app level: the same device (for example, a smartphone or browser) has to be registered for the user separately in the context of each app. Mosaic will therefore maintain separate device identities for an Android smartphone accessing the Acme app and the Acme Pro app. Each browser a user uses to access your web service is also treated as a separate device identity: if a user logs into the Acme app from both Safari and Chrome on their laptop, Mosaic registers two separate devices associated with that user for the Acme app.

Crypto-binding

Device registration uses crypto-binding. It is handled implicitly by the Mosaic client SDKs (Web, Android, or iOS) or explicitly via the API.

During registration, the device generates a cryptographic key pair. The keys are unique to the device and let Mosaic identify it. The public key is exported and sent to Mosaic, while the private key never leaves the device: it is kept in non-extractable, platform-specific key storage, so only the device itself can prove possession of it. Note that crypto-binding proves possession of the private key, not the integrity of the device; anything able to use the key on the device (for example, code running with the app's privileges) can act as that device.

The public key is submitted to Mosaic together with a device key identifier (key_id) that is later used to look up the public key. The key_id appears in the device profile in the Admin Portal along with general information about the device, such as its type, display name, last activity, and status. You can use key_id to manage devices in identity journeys, for example to check whether a device is known or to block a suspicious one.

Device lifecycle

Mosaic doesn't create a device identity unless crypto-binding has been performed. Once a device is registered (by crypto-binding) and associated with a user, it appears in the user profile with the Active status. If a device is lost, stolen, or no longer in use, it can be suspended; its status then changes to Blocked. Blocked devices can be returned to the Active state by unblocking them. Devices that are no longer needed can be removed from the user profile, which deletes their device identities.

Device management

Administrators can manage devices in the Admin Portal, through identity journeys, with the client-side SDKs, or via the APIs. You can also use device crypto-binding to build adaptive logic into your apps: when a device needs to prove that it holds the registered key, it signs a challenge with its private key, and Transmit verifies the signature with the stored public key. See Manage devices for details.

info

Mosaic's Detection and Response services take multiple device identifiers into account when assessing risk: device crypto keys, device fingerprints, and manufacturers' device IDs.