Device fingerprinting is a technique better known for its use to track and re-identify devices. It leaves no traces on users' devices. Browser fingerprinting, a specific type of device fingerprinting, exploits modern web configurations, technologies, protocols and APIs to uniquely identify devices. Contrary to tracking cookies that are stored on the device and can be erased, fingerprints are stored on servers the user has no control over.
Despite its negative uses for tracking, browser fingerprinting can also be used to improve security on the web. We propose to investigate advanced browser fingerprinting as a configurable authentication mechanism. We argue that it has the potential to be the only authentication mechanism when used in very low-security, public websites; it can be used to block bots and other fraudulent users from otherwise open websites. It also has the potential to be used as a second factor authentication mechanism, or as an additional factor in Multi-Factor Authentication (MFA) schemes. Besides strengthening a session’s initial authentication, it can also be used for continuous session authentication to protect against session hijacking. In many contexts, fingerprinting is fully transparent to users, meaning that contrary to authentication processes that rely on external verification cards, code generating keys, special apps, SMS verification codes, users do not have to do anything to improve their security. In more restricted contexts, administrators can enforce different policies, for example, enrolling fingerprints from devices that connect from trusted IP addresses (e.g., an internal network), and then verifying these fingerprints when the same users connect from untrusted IP addresses. Consequently, we plan to design an architecture and implement it to be able to plug the browser fingerprinting authentication process to an existing authentication system.
Multiple issues arise from such a system. To reduce forgeability, we plan to investigate novel attributes that focus on identifying hard-to-forge hardware characteristics of the device. We plan to combine these attributes with other software-based ones, including the existence/non-existence of APIs in specific browser versions. We will also look into dynamic challenge-response tests to limit replay attacks. Also, browsers are evolving at amazing speed and each sub-version has subtle differences. We have also identified two ideal platforms to implement such a system and to understand how to administer it in practice: Central Authentication Service and Wordpress. Crucially, we will look into the societal impact of our work to understand usability and how to reduce the privacy risks. We argue that obtaining consent from users before fingerprints are sent to websites would do a great deal to reduce their use for tracking, while increasing the level of security. Thus, we plan to explore the use of permissioned APIs because users should decide if the security benefits of fingerprinting are worth it.
FP-Locker’s main objective is to enhance and augment multi-factor authentication through advanced device fingerprinting. We believe we address real concerns and that the use of browser fingerprinting for security is a net positive to companies, to universities and to society. We believe this project will find a good balance between security, usability and the risks to privacy, and this will lead to a better, safer, more privacy friendly internet.
Monsieur Walter Rudametkin (Centre de Recherche en Informatique, Signal et Automatique de Lille)
The author of this summary is the project coordinator, who is responsible for the content of this summary. The ANR declines any responsibility as for its contents.
CRIStAL Centre de Recherche en Informatique, Signal et Automatique de Lille
Help of the ANR 163,296 euros
Beginning and duration of the scientific project: December 2019 - 42 Months