Using device fingerprints for security

Authentication is an important component of security. Almost every web application published on the internet uses some form of authentication to identify a user as valid and authorized to use the application. A user may have to remember so many passwords, and use them so regularly, that they get confused. What if an application could identify you automatically, based on your computer (or any other device)?

You would not have to remember passwords, or supply the wrong password to the wrong site and get locked out. But is it as easy as it sounds? First we need to understand how device fingerprinting works.

Device fingerprinting works by computing a unique ID for the device that you use to access a particular web application. The ID can be based on one or more attributes such as the web browser type (e.g., Firefox, Opera), screen resolution, IP address, the plugins installed in your web browser, etc. There are two ways to obtain this information. One way is to use JavaScript, but the information that JavaScript can obtain is limited by the restrictions placed on it. Another way is to let users download a client program (e.g., an ActiveX control, a Java applet or even an executable file) that can access the system and create a unique fingerprint.

The fingerprint itself is generated by creating a hash of all the values obtained. For example, the screen resolution, IP address and web browser user-agent can be concatenated and hashed using a hashing algorithm such as SHA. If any of the information, or even the order of the information, is changed, the hash will change, resulting in an authentication failure.

Once that is done, whenever the user visits the appropriate website, the fingerprint is sent by the browser as a cookie value. The web application then searches its records for the owner of the device fingerprint and identifies the user. If this is the only thing that the website requires for authenticating a user, the site is in major trouble. That is because anyone who can provide that device signature can impersonate the original user.

We talked about the two ways to create the signatures. The most common way is to use JavaScript to compute the signature. One of the problems mentioned earlier is that JavaScript cannot access system resources. With the limited set of things it can access, different devices can end up with duplicate signatures.

Consider a large organization that provides laptops (or desktops) to groups of employees. Each group (Dev, QA, etc.) may have a specific hard-disk image that the laptops are loaded with. The image makes sure that all the users run the same versions of all the software, with the same plugins, screen resolutions, etc. Depending on what the device fingerprint is generated from, all the laptops that have the same hard-disk image can end up with the same device fingerprint.
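The hashing step and the shared-image collision described above, as an added example in Node.js (not code from the original article). The attribute names, the sample values, and the `decide` policy, which treats the fingerprint as a second signal after a password check, are assumptions made for illustration.

```javascript
// Added example (Node.js). All attribute values below are constructed.
const { createHash } = require("crypto");

// Attributes are hashed in a fixed order; JSON encoding keeps field
// boundaries unambiguous before hashing with SHA-256.
const ORDER = ["userAgent", "screen", "ip", "plugins"];
function fingerprint(attrs, order = ORDER) {
  const material = JSON.stringify(order.map((k) => String(attrs[k])));
  return createHash("sha256").update(material).digest("hex");
}

// Two laptops built from the same disk image, behind the same NAT address.
const image = {
  userAgent: "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0",
  screen: "1920x1080",
  ip: "203.0.113.10", // documentation range (RFC 5737)
  plugins: "pdf-viewer,corp-sso",
};
const devices = [
  { owner: "alice", attrs: { ...image } },
  { owner: "bob", attrs: { ...image } },
  { owner: "carol", attrs: { ...image, screen: "2560x1440" } },
];

// Group owners by fingerprint and return only the values shared by
// more than one owner: those cannot identify a single user.
function sharedFingerprints(list) {
  const byPrint = new Map();
  for (const { owner, attrs } of list) {
    const fp = fingerprint(attrs);
    byPrint.set(fp, [...(byPrint.get(fp) || []), owner]);
  }
  return [...byPrint].filter(([, owners]) => owners.length > 1);
}

// Hypothetical server-side policy: the fingerprint cookie is one signal,
// never the sole authenticator, because any client presenting it matches.
function decide(record, presentedPrint, passwordOk) {
  if (!passwordOk) return "deny";
  return record.fingerprint === presentedPrint ? "allow" : "step-up";
}

console.log(sharedFingerprints(devices));
```

Running it lists one fingerprint shared by two owners; a server that looked users up by that value alone could not tell them apart.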

The second method, which involves downloading software to generate the fingerprints, can face resistance from users. Even if they download the software, the signatures can be stolen and replayed by an attacker, resulting in impersonation of the original user.

While device fingerprinting can be one of the security features, it cannot be used on its own.