Device Trust Verification

Leverage the Banyan App to establish Device Trust on Mobile Devices as well as apps whose authentication WebViews are unable to use the Banyan device certificate

  • Updated on Aug 09, 2022

This article describes features that require Banyan Desktop App v1.8+ and Banyan Mobile App v2.0+ .

Overview

Banyan’s Zero Trust security policies rely on a device certificate to authenticate the device from which an end user is accessing a Service. On desktops, the Banyan certificates are stored securely in the Device Keychain on macOS and Certificate Store on Windows/Linux. Banyan’s TrustProvider component performs the Mutual Auth TLS handshake to receive the device certificate from the device, extracts the device Serial Number from the device certificate, and uses the Serial Number to associate the request with Roles and TrustScore, and then enforce Policy.

There are certain cases in which Banyan’s TrustProvider component is not able to get the certificate directly from the browser. Device Trust Verification brokers these workflows to ensure Zero Trust security policies are evaluated in all scenarios. The two most common workflows for Device Trust Verification are the following:

1. Accessing services on mobile

Banyan’s mobile registration flow stores the device certificate in the mobile application keychain. This allows for an optimized onboarding and service access experience for end users. Since Banyan cannot validate the device certificate directly from the browser, Device Trust Verification seamless leverages the Banyan mobile app as a broker for device trust.

2. Sandboxed apps

Banyan’s policies work seamlessly for browser-based access because web browsers can use the device certificate stored the Device Keychain consistently. However, many native applications on iOS/Android and even macOS/Windows use embedded web browsers, called WebViews, for authentication. The WebViews often do not have access to the device certificate on the device and cannot perform the Mutual Auth TLS handshake with Banyan’s TrustProvider component. We refer to these types of apps as native “sandboxed apps” because their authentication WebView it not permitted by the OS to leave its “sandbox” to use the device certificate from the keychain.

Since Banyan does not receive a device certificate from sandboxed apps, it is unable to associate the request with a specific device, even if the Banyan app (desktop or mobile) is installed on that device and a device certificate is present in the Keychain. Therefore, Banyan typically cannot enforce Device Roles and TrustScoring based policies for such apps.

How It Works

When Device Trust Verification is enabled for a service, Banyan’s TrustProvider uses an alternative authentication flow to account for mobile device and sandboxed applications.

Mobile

In this alternative authentication flow, the end user is automatically routed to the Banyan app for the Device Trust check. The app submits the Banyan client certificate as well as the most up to date set of Trust Factors. If authorization is successful, the end user can flip back to the browser or native app they were attempting to access and they will automatically proceed to the IDP authentication step.

If, for any reason, the browser does not redirect to the Banyan app, the end user can select the “Verify with Banyan” button to manually kick off the flow.

Sandboxed apps on desktop

The flow for sandboxed apps on desktop will be enhanced to resemble the mobile flow above in an upcoming release.

In this modified authentication flow, the end user is presented with a challenge code when attempting to access a Banyan-protected service from a sandboxed app.

The end user must copy the challenge code and submit it via the Device Trust Verification tab in their Banyan app (desktop or mobile) to verify the device.

After submitting the challenge code and verifying their device, the end user returns to the sandboxed app to authenticate with the IDP and access the Banyan-protected service. Banyan’s Device Trust Verification capability allows Device Roles and TrustScoring based policies for sandboxed apps.

Device Trust Verification Flow

The Device Trust Verification flow is used for mobile devices and sandboxed applications, as well as to support Unregistered Devices. The flow is depicted below:

Once you enable Device Trust Verification for sandboxed apps, the settings entered under Allow Unregistered Devices to Receive an HTTP Response, which allow you to provide a customized error message to Unregistered Devices, will no longer work. Instead, all requests from Unregistered Devices will receive the Device Trust Verification challenge and may fail the challenge-response mechanism. This will be fixed in an upcoming release.


Disable Device Trust Verification at the Organization-level

Device Trust Verification is not enabled by default; it needs to be enabled to support mobile devices. If you have org-wide Device Trust Verification enabled and you want to disable it, navigate from Settings > TrustProvider Settings > Unregistered Devices, and then de-select the switch under Enable Org Wide Device Trust Verification.

The Enable Org Wide Device Trust Verification switch is de-selected in the image above.

Disable Device Trust Verification at the Service-level

When Device Trust Verification is enabled for an organization, it is also enabled on all services in the organization.

However, some organizations may disable Device Trust Verification if the application is not sandboxed or if mobile devices will not be accessing it. Disabling Device Trust Verification will bypass the Device Verification fallback step (in the flow above) and proceed to the Unregistered Devices check.

To disable Device Trust Verification for a SaaS App or Hosted Service, navigate to the Advanced Configuration section of the service and select the Suppress Device Verification switch.

The Suppress Device Verification switch is selected in the image above.