Device Fingerprinting for Augmenting Web Authentication: Classification and Analysis of Methods

Device Fingerprinting for Augmenting Web Authentication: Classification and Analysis of Methods

Device Fingerprinting for Augmenting Web Authentication: Classification and Analysis of Methods Furkan Alaca P.C. van Oorschot School of Computer Science Carleton University, Ottawa, Canada ABSTRACT ing habits [21,2]. In addition, a number of commercial Device fingerprinting is commonly used for tracking users. fraud detection services [38, 57] employ browser-based de- We explore device fingerprinting but in the specific context vice fingerprinting to identify fraudulent transactions. Large of use for augmenting authentication, providing a state-of- web services can mitigate insecure passwords in part by the-art view and analysis. We summarize and classify 29 using server-side intelligence in the authentication process available methods and their properties; define attack models with \multidimensional" authentication [14], wherein con- relevant to augmenting passwords for user authentication; ventional passwords are augmented by multiple implicit sig- and qualitatively compare them based on stability, repeata- nals collected from the user's device without requiring user bility, resource use, client passiveness, difficulty of spoofing, intervention. We explore the applicability of various finger- and distinguishability offered. printing techniques to strengthening web authentication and evaluate them based on the security benefits they provide. CCS Concepts We aim to identify techniques that can improve security, while being ideally invisible to users and compatible with •Security and privacy ! Authentication; Web appli- existing web browsers, thereby imposing zero cost on us- cation security; ability and deployability. We identify and classify 29 available device fingerprint- Keywords ing mechanisms, primarily browser-based and known, but Device fingerprinting, multi-dimensional authentication, pass- including several network-based methods and others not in words, comparative analysis, comparative criteria the literature; identify and assess their properties suitable for application to augment user authentication; define a se- 1. INTRODUCTION ries of adversarial models within the context of fingerprint- augmented authentication; and consider practical issues in We explore the state-of-the-art of device fingerprinting, the implementation, deployment, and use of device finger- albeit with a special focus: to augment web authentication printing within the context of user authentication. mechanisms, and especially password-based methods. De- While prior work has mostly presented specific device fin- spite usability and security drawbacks, the latter remains gerprinting mechanisms or their use by web trackers, we an- the dominant form of authentication on the web|in part alyze a broad range of such mechanisms within the context because more secure alternatives have their own usability of augmenting password-based web authentication. and deployability issues [13]. Device fingerprinting involves techniques by which a server collects information about a device's software and/or hard- 2. BACKGROUND AND RELATED WORK ware configuration for the purpose of identification. Web Eckersley [21] published the first research paper discussing browsers reveal information to websites about the host sys- in detail the concept of browser-based device fingerprinting tem both explicitly by exposing data such as screen reso- and showed that websites could identify users and track their lution, local time, or OS version, and implicitly by leaking browsing habits by collecting basic information such as de- information about the device's software or hardware config- vice IP address, time zone, screen resolution, and a list of uration through observable differences in browser behaviour. supported fonts and plugins; such functionality was origi- Web analytics and advertising services are known to employ nally designed to help optimize web content for a wide vari- browser-based device fingerprinting to track users' brows- ety of target devices. Mowery et al. [41, 42] later proposed Version: Sept. 22, 2016. This is the authors’ version of the work. It is posted here two more advanced fingerprinting methods; the first mea- for your personal use. Not for redistribution. The definitive Version of Record is to sures the performance signature of the browser's JavaScript appear in ACSAC 2016. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are engine, and the second renders text in an HTML5 canvas to not made or distributed for profit or commercial advantage and that copies bear this distinguish font-rendering techniques across different soft- notice and the full citation on the first page. Copyrights for components of this work ware and hardware platforms. Nikiforakis et al. [48] discuss owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior the difficulties of thwarting fingerprinting techniques with specific permission and/or a fee. Request permissions from [email protected]. client-side privacy extensions; e.g., differences in JavaScript ACSAC ’16, December 05-09, 2016, Los Angeles, CA, USA implementations across browser vendors can reveal which c 2016 ACM. ISBN 978-1-4503-4771-6/16/12. $15.00 browser is being used even if the user-agent string is ob- DOI: http://dx:doi:org/10:1145/2991079:2991091 scured; web proxies can often be circumvented to reveal 1 the user's true IP address through external plugins such as Implicit authentication [31] is a related technique that Flash or Java (cf. [44]); and user manipulation of the device aims to strengthen or replace existing authentication mech- fingerprint may result in a less common fingerprint that is anisms by relying on user behaviour such as typing rhythms, even more useful for identifying the user. Bojinov et al. [11] touchscreen input, sensor input (e.g., gyroscope, accelerome- demonstrate how smartphones can be fingerprinted via a ter, nearby Bluetooth or WiFi devices), usage patterns (e.g., multitude of onboard sensors; in particular, they use the de- time of access, commonly accessed pages), etc. While some vice's accelerometer calibration error and the frequency re- of these techniques are also applicable to the web, our focus sponse of the speakerphone-microphone system. Nikiforakis herein is on leveraging device information rather than user et al. [47] developed PriVaricator, which reduces fingerprint- behaviour. However, in the broader context of \multidimen- ability by randomizing various browser parameters. sional" authentication, user behaviour profiling can be used Empirical studies by Acar et al. [3,2] and Nikiforakis et alongside device fingerprinting (and potentially other im- al. [48] reveal extensive use of device fingerprinting by ad- plicit signals) to achieve stronger authentication guarantees vertisers as a fallback mechanism to track users, should they without sacrificing usability. clear their browser cookies. Advertisers also save identifying information via less conventional storage mechanisms, e.g., Flash cookies, which are more difficult for users to delete 3. FRAMEWORK AND THREAT MODEL [39]; this information may be used to reconstruct browser Base definitions, replay and spoofing. In device fin- cookies, should the user clear them [54,6, 40,2]. gerprinting, servers use one or more mechanisms (finger- Some work has begun to explore using device fingerprint- printing vectors or vectors) to extract and verify properties ing to enhance web security. Unger et al. [58] propose en- related to the software and/or hardware configuration of a hancing session security through server-side monitoring of device. \Pure" device fingerprinting is stateless, depositing certain web browser attributes (e.g., user-agent string, sup- no new client-side information; alternatives are stateful. By ported CSS features) to help detect session hijacking. Preuve- device fingerprint we mean the overall set of vectors a server neers and Joosen [51] propose a protocol that monitors var- employs, or depending on context, the output corresponding ious parameters throughout an authenticated session, such to such vectors. A base assumption is that attackers eventu- as user IP address and time of access; applies a similarity- ally learn the set of vectors composing a device fingerprint. preserving hash function to enable privacy-preserving fin- A server may use a collection of vectors and choose some gerprint storage that allows similarity checks between stored (random or other) subset in particular instances; if so, we fingerprints and subsequently-collected fingerprints; and uses assume the attacker does not know the subset beforehand. a comparison algorithm that assigns a weight to each at- Many vectors require browsers to perform certain oper- tribute (based on its usefulness for identifying that partic- ations, e.g., via JavaScript, and return the output to the ular client) to determine if the fingerprint has changed sig- server. If a vector response is static, i.e., constant regard- nificantly enough to ask the user to re-authenticate. Van less of circumstances, an attacker observing or intercepting Goethem et al. [59] propose an accelerometer-based device this can later replay it. If all vectors composing a device fingerprinting mechanism for multi-factor mobile authenti- fingerprint are static, so is the device fingerprint, and sim- cation. Freeman et al. [27] propose a statistical framework ple replay suffices. By spoofing we mean an attacker trying to detect

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    13 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us