Authentication is an important component of security. Almost every web application published on the internet uses some form of authentication to identify a user as a valid user who is authorized to use the application. A user may have to remember, and regularly use, so many passwords that they become easy to confuse. What if an application could identify you automatically, based on your computer (or any other device)?
You would not have to remember passwords, or supply the wrong password to the wrong site and get locked out. Or is it as easy as it sounds? First we need to understand how device fingerprinting works.
The fingerprint itself is generated by hashing all the values obtained. For example, the screen resolution, IP address and web browser user-agent can be concatenated and hashed using a hashing algorithm such as SHA. If any of the information, or even the order in which it is concatenated, changes, the hash changes and authentication fails.
Once that is done, whenever the user visits the website, the browser sends the fingerprint as a cookie value. The web application then looks up the owner of that device fingerprint in its records and identifies the user. If this is the only thing the website requires to authenticate a user, the site is in serious trouble, because anyone who can present that device signature can impersonate the original user.
Consider a large organization that provides laptops (or desktops) to groups of employees. Each group (Dev, QA, etc.) may have a specific hard-disk image that its laptops are loaded with. The image ensures that all users run the same versions of the same software, with the same plugins, screen resolutions, and so on. Depending on what the device fingerprint is generated from, all the laptops built from the same hard-disk image can end up with the same device fingerprint.
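To make the generation step and the shared-image collision concrete, here is an added Python example (not code from the original article) that builds a fingerprint exactly as described above, a fixed-order concatenation hashed with SHA-256, and then performs the server-side lookup. The attribute names, the field order, the users and the laptop values are constructed sample data.

```python
import hashlib
from typing import Dict, List, Mapping, Sequence

# Attributes the server hashes, in the order they are concatenated (constructed for this example).
FIELD_ORDER = ("screen", "ip", "user_agent")


def device_fingerprint(attrs: Mapping[str, str], order: Sequence[str] = FIELD_ORDER) -> str:
    """Concatenate the chosen attributes in a fixed order and SHA-256 the result."""
    material = "|".join(attrs[name] for name in order)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def identify(fingerprint: str, registry: Mapping[str, str]) -> List[str]:
    """Return every enrolled user whose fingerprint equals the presented one.

    The cookie value is all the server sees, so anyone presenting the same value is
    indistinguishable from the enrolled owner, and two users whose devices hash alike
    cannot be told apart at all (the list then has more than one entry).
    """
    return sorted(user for user, fp in registry.items() if fp == fingerprint)


# Constructed sample data. The Dev group shares one disk image and all office
# laptops egress through the same NAT address, so every hashed attribute coincides.
DEV_LAPTOP = {"screen": "1920x1080", "ip": "203.0.113.10",
              "user_agent": "Mozilla/5.0 (Windows NT 10.0) Corp/118.0"}
QA_LAPTOP = {"screen": "1366x768", "ip": "203.0.113.10",
             "user_agent": "Mozilla/5.0 (Windows NT 10.0) Corp/117.0"}

REGISTRY: Dict[str, str] = {
    "alice": device_fingerprint(DEV_LAPTOP),   # alice and bob: same Dev image
    "bob": device_fingerprint(DEV_LAPTOP),
    "carol": device_fingerprint(QA_LAPTOP),
}


def who_is_this(cookie_value: str) -> List[str]:
    """Server-side lookup of the presented fingerprint cookie against the enrolled registry."""
    return identify(cookie_value, REGISTRY)


if __name__ == "__main__":
    print("Dev laptop ->", who_is_this(device_fingerprint(DEV_LAPTOP)))   # ['alice', 'bob']
    print("QA laptop  ->", who_is_this(device_fingerprint(QA_LAPTOP)))    # ['carol']
    # Same attributes concatenated in a different order: a different hash that the
    # registry does not recognise, matching the order sensitivity described above.
    reordered = device_fingerprint(DEV_LAPTOP, order=("ip", "screen", "user_agent"))
    print("Reordered  ->", who_is_this(reordered))                        # []
```

The two-entry result for the Dev laptop is the shared-image problem: the server has no way to decide whether alice or bob is at the keyboard.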
The second method, which involves downloading software to generate the fingerprints, can face resistance from users. Even if they do download the software, the signatures can be stolen and replayed by an attacker, resulting in impersonation of the original user.
While device fingerprinting can be one of the security features, it cannot be used on its own.