Device Trust Verification

Leverage the Banyan App to establish Device Trust on Mobile Devices as well as apps whose authentication WebViews are unable to use the Banyan device certificate

This article describes features that require Banyan Desktop App v1.8+ and Banyan Mobile App v2.0+

Overview

Banyan’s Zero Trust security policies rely on a device certificate to authenticate the device from which an end user is accessing a Service. On Desktops, the Banyan certificates are stored securely in the Device Keychain on MacOS and Certificate Store on Windows/Linux. Banyan’s TrustProvider component performs the Mutual Auth TLS handshake to receive the device certificate from the device, extracts the device Serial Number from the device certificate, and uses the Serial Number to associate the request with Roles and TrustScore, and then enforce Policy.

There are certain cases where Banyan’s TrustProvider component is not able to get the certificate directly from the browser. Device Trust Verification brokers these workflows to ensure Zero Trust security policies are evaluated in all scenarios. The two most common workflows for Device Trust Verification are:

1. Accessing Services on Mobile

Banyan’s mobile registration flow stores the device certificate in the mobile application keychain. This allows for an optimized onboarding and service access experience for end users. Since Banyan cannot validate the device certificate directly from the browser, Device Trust Verification seamlessly leverages the Banyan mobile app as a broker for device trust.

2. Sandboxed Apps

Banyan’s policies work seamlessly for browser-based access because web browsers can consistently use the device certificate stored in the Device Keychain. However, many native applications on iOS/Android and even MacOS/Windows use embedded web browsers called WebViews for authentication. These WebViews often do not have access to the device certificate and cannot perform the Mutual Auth TLS handshake with Banyan’s TrustProvider component. We refer to these types of apps as native “Sandboxed Apps” because the OS does not permit their authentication WebView to leave its “sandbox” to use the device certificate from the keychain.

Since Banyan does not receive a device certificate from Sandboxed Apps, it is unable to associate the request with a specific device, even if the Banyan App (desktop or mobile) is installed on that device and a device certificate is present in the Keychain. Therefore, Banyan typically cannot enforce Device Roles and TrustScoring based policies for such apps.

How It Works

When Device Trust Verification is enabled for a service, Banyan’s TrustProvider uses an alternative authentication flow to account for mobile device and sandboxed applications.

Mobile

In this alternative authentication flow, the end user is automatically routed to the Banyan app for the Device Trust check. The app submits the Banyan client certificate as well as the most up-to-date set of Trust Factors. If authorization is successful, the end user can flip back to the browser or native app they were attempting to access, and they will automatically proceed to the IDP authentication step.

If for any reason the browser does not redirect to the Banyan app, the end user can simply hit the “Verify with Banyan” button to manually kick off the flow.

Sandboxed Apps on Desktop

The flow for Sandboxed Apps on Desktop will be enhanced to resemble the Mobile flow above in an upcoming release.

In this modified authentication flow, the end user is presented with a challenge code when attempting to access a Banyan-protected service from a Sandboxed App.

The end user must copy the challenge code, and submit it via the Device Trust Verification tab in their Banyan App (desktop or mobile) to verify the device.

After submitting the challenge code and verifying their device, the end user returns to the Sandboxed App to authenticate with the IDP and access the Banyan-protected service. Banyan’s Device Trust Verification capability allows Device Roles and TrustScoring based policies for Sandboxed Apps.
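The challenge-code exchange described above, modelled as an added example (this is not Banyan’s code and does not reflect Banyan’s protocol details). It shows the two sides of the broker: the sandboxed-app session that arrived without a client certificate and is issued a code, and the Banyan App that, having presented its device certificate over mTLS, redeems the code so the session becomes bound to that device before the IDP step. The code format, the 120-second lifetime, the numeric trust score and the minimum score are all assumptions; the mTLS handshake and serial-number extraction are assumed to have happened before `redeem_challenge` is called.

```python
import secrets
import time

# Assumed values, not from the article: challenge lifetime and the minimum
# trust score the policy requires before a session is bound to a device.
CHALLENGE_TTL_SECONDS = 120
MIN_TRUST_SCORE = 70


class DeviceTrustBroker:
    """Illustrative broker for sessions that arrived without a device certificate."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry is testable offline
        self._pending = {}       # challenge code -> {"session_id", "issued_at"}
        self._verified = {}      # session_id -> device serial number once verified

    def issue_challenge(self, session_id):
        """Sandboxed-app side: no device certificate arrived, so show the user a code."""
        code = secrets.token_hex(4).upper()   # constructed 8-hex-digit format
        self._pending[code] = {"session_id": session_id, "issued_at": self._now()}
        return code

    def redeem_challenge(self, code, device_serial, trust_score):
        """Banyan App side: the app has authenticated with its device certificate
        (serial assumed already extracted by the caller) and submits the code it
        was shown together with its current trust score."""
        # pop() makes every code single-use, whether or not the checks below pass
        record = self._pending.pop(code.strip().upper(), None)
        if record is None:
            return False, "unknown or already used code"
        if self._now() - record["issued_at"] > CHALLENGE_TTL_SECONDS:
            return False, "code expired"
        if trust_score < MIN_TRUST_SCORE:
            return False, "device does not meet policy"
        self._verified[record["session_id"]] = device_serial
        return True, "device verified"

    def device_for_session(self, session_id):
        """Called when the user returns to the Sandboxed App: the device (if any)
        the session is now bound to; None means the IDP step must not proceed."""
        return self._verified.get(session_id)


if __name__ == "__main__":
    broker = DeviceTrustBroker()
    code = broker.issue_challenge("session-123")          # shown to the user in the app
    print("challenge code:", code)
    print(broker.redeem_challenge(code, "C02-CONSTRUCTED", 85))   # app submits it
    print("bound device:", broker.device_for_session("session-123"))
    print(broker.redeem_challenge(code, "C02-CONSTRUCTED", 85))   # replay is rejected
```

The properties worth keeping when implementing a broker like this are the ones the checks encode: the code is unguessable and single-use, it expires quickly, and the session is bound to the serial number that came from the certificate, not to anything the sandboxed app typed.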

Device Trust Verification Flow

The Device Trust Verification flow is used for mobile devices and sandboxed applications, as well as to support Unregistered Devices. The flow is depicted below:

Once you enable Device Trust Verification for Sandboxed Apps, the settings entered under Allow Unregistered Devices to Receive an HTTP Response (which let you provide a customized error message to Unregistered Devices) will no longer take effect. Instead, all requests from Unregistered Devices will receive the Device Trust Verification challenge and may fail the challenge-response step. This will be fixed in an upcoming release.


Disable Device Trust Verification at the Organization-level

Device Trust Verification is enabled by default for all organizations. Please contact us for any assistance.

Disable Device Trust Verification at the Service-level

This step will be updated soon; we will provide a checkbox in the UI to disable Device Trust Verification during service definition.

By default, since Device Trust Verification is enabled for an organization, it is also enabled on all services in the organization.

However, some organizations may disable Device Trust Verification for a service if the application is not a sandboxed app and mobile devices will not be accessing it. Disabling Device Trust Verification bypasses the Device Verification fallback step in the flow above and proceeds directly to the Unregistered Devices check.

Service-level setup depends on the service type, either Hosted or SaaS.

Disable DTV for Hosted Services

To disable Device Trust Verification for Hosted Services, you will modify the service JSON of an existing hosted service and create a custom service definition.

Review our article on how to modify the service JSON by converting to a Custom Service.

Set the suppress_device_trust_verification flag to true in the Service Spec's http_settings.oidc_settings block. For example:

"oidc_settings": {
    "enabled": true,
    "service_domain_name": "https://hosted-service.example.com",
    "post_auth_redirect_path": "",
    "api_path": "",
    "suppress_device_trust_verification": true
}

Disable DTV for SaaS Apps

To disable Device Trust Verification for SaaS Apps, you will need to modify the attributes to set the suppress_device_trust_verification flag to true, and then push the updated spec.

Review our article on how to modify the service JSON for a SaaS App.
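A small script for the two service-level steps above (setting the flag on a Hosted Service’s http_settings.oidc_settings block, and on a SaaS App’s attributes), added here as an example and not part of Banyan’s tooling. It patches a copy of the service JSON rather than editing in place, refuses to invent an OIDC settings block on a service that has none, and reports whether the flag is actually set to boolean true, which is what catches the common mistake of writing `"true"` as a string. The sample spec is constructed from the fields the article shows; the surrounding keys of a real service definition are omitted. The article does not state where the flag lives for SaaS Apps, so the block path is a parameter you set from the SaaS service JSON article.

```python
import copy
import json
import sys

# Constructed sample: only the block the article shows, with the flag not yet set.
SAMPLE_HOSTED_SPEC = {
    "http_settings": {
        "enabled": True,
        "oidc_settings": {
            "enabled": True,
            "service_domain_name": "https://hosted-service.example.com",
            "post_auth_redirect_path": "",
            "api_path": "",
        },
    }
}

# Location of the flag for Hosted Services, per the article. For SaaS Apps pass
# the path from the SaaS service JSON article instead (not stated on this page).
HOSTED_OIDC_PATH = ("http_settings", "oidc_settings")
FLAG = "suppress_device_trust_verification"


def _walk(spec, path):
    """Return the nested dict at `path`, or None if any segment is missing."""
    node = spec
    for key in path:
        if not isinstance(node, dict) or not isinstance(node.get(key), dict):
            return None
        node = node[key]
    return node


def set_suppress_dtv(spec, suppress=True, path=HOSTED_OIDC_PATH):
    """Return a deep copy of `spec` with the flag set; the input is left untouched.

    Raises KeyError rather than creating the block: silently adding an OIDC
    settings block would change more about the service than this one flag.
    """
    patched = copy.deepcopy(spec)
    block = _walk(patched, path)
    if block is None:
        raise KeyError("service spec has no %s block" % ".".join(path))
    block[FLAG] = bool(suppress)
    return patched


def is_dtv_suppressed(spec, path=HOSTED_OIDC_PATH):
    """True only when the flag is present and exactly boolean true.

    Device Trust Verification is enabled by default, so a missing flag, a
    string "true" or any other value means it is still active.
    """
    block = _walk(spec, path)
    return block is not None and block.get(FLAG) is True


if __name__ == "__main__":
    # Usage: python patch_dtv.py service.json > service-patched.json
    # (with no argument the constructed sample spec is patched and printed)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            source = json.load(f)
    else:
        source = SAMPLE_HOSTED_SPEC
    print(json.dumps(set_suppress_dtv(source), indent=4))
```

Run `is_dtv_suppressed` on the spec you pushed, after fetching it back, to confirm the change landed where the TrustProvider will read it; the default being "enabled" means a typo in the key name fails silently.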



Last modified: Aug 31, 2021