00ueuc93x4Cm8One20h1.5251321845916467E12 (Customer) asked a question.
We notices some behavior of okta device token (pre-hash of dtHash in the system log) and would like to get some further ideas on how it works on the Okta side.
For Okta client apps that invoke Okta's authentication endpoint to conduct primary authentication for end user, when the application doesn't explicitly pass on device token in the request, dtHash in the system log are seen in the following two fashions:
1) random value for each login event, when the application doesn't authenticate itself with an API token
2) relatively stable value for some time before change, when application does provide an API token. The value is the same for all end user log events
We'd like to understand
1) if such behavior is intended to be bound to Okta client API token
2) what's the reasoning for such a setup
Essentially we'd like to derive trusted device information to detect potential compromise, but such a setup makes it hard to model device token coherently.
Thank you for contacting Okta Support!
It would be great if you could open a support case directly with our team so we can investigate the behaviour and we would also need more information about what you are trying to achieve with the required sensitive information.