Layer7 API Management


Device registration and certificate renewal


    Posted Jan 15, 2021 06:19 PM
    I want to use the user's mobile device as a second authentication factor. I have already implemented the device registration using the mobile SDK and I can view all registered devices in MAG Manager. But it seems that MAG Manager does not store any relationship between a device and its owner.

    In the API Gateway, when I use the assertion "MSSO Require Registered Device - Mutual SSL", I'm able to successfully retrieve the MagIdentifier and the device certificate's DN. I'm storing these attributes in a custom-made service in order to relate it to its respective owner. I.e., I basically have a database table where I store the username, mag identifier and device certificate's DN. But the process of storing this relationship involves some user interaction and multi-factor authentication due to some security requirements, so it's not transparent to the user. It is a conscious user action.

    However, during my tests, I have realized that sometimes both the MagIdentifier and the certificate's DN changed across multiple runs, even when I used the same device. Consequently, I had to begin this process of "device enrolling" multiple times (even though the device registration in MAG was transparent, I had to save the new mag identifier/certificate DN in my database every time). I suspect it happens when I clear my app's data, reinstall it, or maybe due to some hidden procedure done by the debugger. So, this brings me to my first question:

    1) When do we expect to have mag identifier and device certificate's DN changed, even when the user is using the same device? Does it occur when my app is reinstalled and/or when I clear my app's data?

    I think it makes sense to change that information during such events. If my user uninstalls the app, I guess it would make sense to reset that "user x device relationship" in my service. However, the device certificates are issued with a 1 year validity period. So, even if the user does not mess with anything, someday the certificate will have to be renewed. In other words, the device will have to be re-registered. I suppose it is completely transparent when we use the mobile SDK, but I must keep track of this certificate renewal in my custom-made service. I must know that the new certificate is actually the old one, which was simply renewed. So, this brings me to my next questions:

    2) What happens to the mag identifier when the device is re-registered due to a certificate renewal? Does it stay the same, or is it changed as well?
    3) How can I test this behavior (in other words, how can I set the validity period of the certificates to, for example, 1 day instead of 1 year)?
    4) If the mag identifier is also changed, how can I relate the new device registration to the old one?