Device hash

The device hash risk indicator allows you to identify and manage MobileID devices associated with a single physical device.

By correlating seemingly unrelated users to a single device, you can proactively detect and prevent fraud attempts, such as account takeovers.

How it works

During the MobileID registration of a new device, the client SDK automatically generates a unique device hash (deviceHash). This hash remains consistent for the physical device, even if your application is uninstalled and reinstalled.

By monitoring the deviceHash across your user base, we can identify anomalies.

Example

For example, if a single device hash is suddenly tied to an unusually high number of users, it could strongly indicate that a bad actor is using one device to cycle through compromised accounts.

What is a device hash?

A device hash is designed to be a unique and persistent digital fingerprint which can be used to identify a specific mobile device within your app.

It is a SHA-256 hash of the unique ID generated for the device:

  • For Android, this unique ID is derived from the Settings.Secure.ANDROID_ID value in the Android SDK.
  • For iOS, this unique ID is generated by the SDK using Apple's CFUUIDCreate function and stored in the end-user's iCloud Keychain.

Configuration options

You can configure the following parameters for the device hash risk indicator:

| Parameter | Description |
| --- | --- |
| Allowed number of users with same device hash | The number of users that can be associated with a single device hash before it is flagged as suspicious. |

The default value is 2.

To update the configuration, you can use the Update device hash configuration endpoint in the MobileID Admin API.
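The correlation described above, as an added Python example; it is not Signicat's code and does not call the MobileID API. The `userId` field name, the UTF-8/hex encoding of the hash, the rule that a hash is flagged only when the user count exceeds the allowed number, and all sample data are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

DEFAULT_ALLOWED_USERS = 2  # default value stated on this page


def device_hash(device_unique_id: str) -> str:
    """SHA-256 of the device's unique ID (UTF-8 input and hex output are assumptions)."""
    return hashlib.sha256(device_unique_id.encode("utf-8")).hexdigest()


def flag_suspicious(registrations, allowed_users=DEFAULT_ALLOWED_USERS):
    """Return {deviceHash: sorted user IDs} for hashes tied to more users than allowed.

    Distinct users are counted, not registrations, so a user who reinstalls
    the app and registers again on the same phone is counted once.
    """
    users_by_hash = defaultdict(set)
    for reg in registrations:
        # "userId" is a hypothetical field name; "deviceHash" is the page's term.
        users_by_hash[reg["deviceHash"]].add(reg["userId"])
    return {
        h: sorted(users)
        for h, users in users_by_hash.items()
        if len(users) > allowed_users  # assumption: flagged once the limit is exceeded
    }


# Constructed sample data: (user, device unique ID) pairs, not real identifiers.
SAMPLE = [
    ("alice", "device-A"),
    ("alice", "device-A"),  # reinstall: same user, same hash
    ("bob", "device-A"),    # shared phone: 2 users, within the default limit
    ("carol", "device-B"),
    ("u1001", "device-C"),
    ("u1002", "device-C"),
    ("u1003", "device-C"),  # third user on one device: exceeds the default of 2
]
REGISTRATIONS = [
    {"userId": user, "deviceHash": device_hash(dev)} for user, dev in SAMPLE
]

if __name__ == "__main__":
    for h, users in flag_suspicious(REGISTRATIONS).items():
        print(f"{h[:12]}... shared by {len(users)} users: {', '.join(users)}")
```

Lowering `allowed_users` to 1 also flags the shared phone, which shows the trade-off between catching account cycling early and raising alerts on legitimately shared devices.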

How to take action

When a device hash is flagged as suspicious, you can take immediate action to mitigate the risk and protect your end-users.

To do this, you can use either:

  • The Device hash risk indicator page in the Signicat Dashboard.
  • The Statistics resource in the MobileID Admin API.

To learn about what actions you can take, see the sections below.

Investigate devices

You can retrieve a complete list of all users and devices tied to a specific device hash, so that you can audit their recent authentication activity.

Lock devices

You can lock all active MobileID devices associated with a suspicious device hash using a single operation. Once locked, the device can no longer be used for authentication or signing.

Block future registrations

You can add a device hash to a blocklist to prevent any new MobileID devices from being created on that specific physical device in the future.

How to get access

The Device hash risk indicator is part of an add-on product for MobileID that must be purchased. To get access to this feature, please contact sales.

Free trial

This add-on product comes with a free trial period!

Once you have bought the product, there is no action or configuration required by you to start capturing data. This is because the deviceHash is an Always collected risk attribute in the MobileID SDKs, which means that it is automatically collected by default.