“Guess Who?” Large-Scale Data-Centric Study of the Adequacy of Browser Fingerprints for Web Authentication

Andriamilanto, Nampoina; Allard, Tristan; Guelvouit, Gaëtan Le

doi:10.1007/978-3-030-50399-4_16

Cited by 11 publications

(20 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…If the collected fingerprint matches with the one stored, the user is given access to the account, and the stored fingerprint is updated to the newly collected one. The comparison is done using a matching function (i.e., a similarity function between two fingerprints that authorizes differences), as fingerprints are known to evolve [4,13,59]. Any matching function can be used provided that it is monotonic (i.e., if two fingerprints match 7 for an attribute set C, they also match for any subset of C).…”

Section: Authentication Mechanismmentioning

confidence: 99%

“…It was collected from December 7, 2016, to June 7, 2017, during a real-life experiment in which the authors integrated a fingerprinting probe to two pages of one of the 15 most visited websites in France. We refer to their studies [4,5] that provide an in-depth analysis of this dataset, a comprehensive description of the fingerprint collection, a precise description of the preprocessing steps that include a cookie resynchronization process similar to [13], and an exhaustive list of the attributes with their properties. In a nutshell, the preprocessed dataset contains 5, 714, 738 entries (comprising identical fingerprints for a given browser if interleaved 18 ) and 4, 145, 408 fingerprints (no identical fingerprint counted for the same browser), that are collected from 1, 989, 366 browsers.…”

Section: Fingerprint Datasetmentioning

confidence: 99%

“…Initially used to track users on the web, browser fingerprinting has recently been identified as a promising authentication factor [3,4,43,53,54,58]. It consists into collecting the values of attributes from a web browser (e.g., the UserAgent HTTP header [47], the screen resolution, the way it draws a picture [38]) to build a fingerprint.…”

Section: Introductionmentioning

confidence: 99%

“…These are limited by the available items or instructions, which can be large (e.g., more than 2 154 for the canvas [31], nearly 30 thousand detectable extensions [27]). 4 We emphasize that the candidate attributes can contain dynamic attributes, which can be used to implement challenge-response mechanisms that resist fingerprint replay attacks [31,46]. We study nine instances of three dynamic attributes, which are the HTML5 canvas [12], the WebGL canvas [38], and audio fingerprinting methods [45].…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

FPSelect: Low-Cost Browser Fingerprints for Mitigating Dictionary Attacks against Web Authentication Mechanisms

Andriamilanto

Allard

Guelvouit³

2020

Annual Computer Security Applications Conference

Self Cite

View full text Add to dashboard Cite

Browser fingerprinting consists into collecting attributes from a web browser. Hundreds of attributes have been discovered through the years. Each one of them provides a way to distinguish browsers, but also comes with a usability cost (e.g., additional collection time). In this work, we propose FPSelect, an attribute selection framework allowing verifiers to tune their browser fingerprinting probes for web authentication. We formalize the problem as searching for the attribute set that satisfies a security requirement and minimizes the usability cost. The security is measured as the proportion of impersonated users given a fingerprinting probe, a user population, and an attacker that knows the exact fingerprint distribution among the user population. The usability is quantified by the collection time of browser fingerprints, their size, and their instability. We compare our framework with common baselines, based on a real-life fingerprint dataset, and find out that in our experimental settings, our framework selects attribute sets of lower usability cost. Compared to the baselines, the attribute sets found by FPSelect generate fingerprints that are up to 97 times smaller, are collected up to 3, 361 times faster, and with up to 7.2 times less changing attributes between two observations, on average.

show abstract

Section: Authentication Mechanismmentioning

confidence: 99%

Section: Fingerprint Datasetmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

FPSelect: Low-Cost Browser Fingerprints for Mitigating Dictionary Attacks against Web Authentication Mechanisms

Andriamilanto

Allard

Guelvouit³

2020

Annual Computer Security Applications Conference

Self Cite

View full text Add to dashboard Cite

show abstract

“…(4) We enrich our results with (1) a precise analysis of the contribution of each attribute (a) to the distinctiveness, and show that 10% of the attributes provide a normalized entropy higher than 0.25, (b) to the stability, and show that 85% of the attributes stay identical for 99% of the consecutive fingerprints coming from the same browser, (c) to the collection time, and show that only 33 attributes take more than 5ms to collect, (d) to the fingerprint size, and show that only 20 attributes weigh more than 100 bytes, (2) a discussion about the correlation of the attributes, and show that only 49 attributes can completely be inferred when knowing another attribute, (3) a focus on the properties of the nine dynamic attributes. (5) We provide an in-depth description of our methodology and our dataset with the goal of making our results reproducible. In particular, we include an exhaustive list of the collected attributes together with their properties, and a detailed description of the preprocessing of the fingerprints.…”

Section: Introductionmentioning

confidence: 99%

A Large-scale Empirical Analysis of Browser Fingerprints Properties for Web Authentication

Andriamilanto,

Allard,

Guelvouit

et al. 2020

Preprint

Self Cite

View full text Add to dashboard Cite

Modern browsers give access to several attributes that can be collected to form a browser fingerprint. Although browser fingerprints have primarily been studied as a web tracking tool, they can contribute to improve the current state of web security by augmenting web authentication mechanisms. In this paper, we investigate the adequacy of browser fingerprints for web authentication. We make the link between the digital fingerprints that distinguish browsers, and the biological fingerprints that distinguish Humans, to evaluate browser fingerprints according to properties inspired by biometric authentication factors. These properties include their distinctiveness, their stability through time, their collection time, their size, and the accuracy of a simple verification mechanism. We assess these properties on a large-scale dataset of 4, 145, 408 fingerprints composed of 216 attributes, and collected from 1, 989, 365 browsers. We show that, by time-partitioning our dataset, more than 81.3% of our fingerprints are shared by a single browser. Although browser fingerprints are known to evolve, an average of 91% of the attributes of our fingerprints stay identical between two observations, even when separated by nearly 6 months. About their performance, we show that our fingerprints weigh a dozen of kilobytes, and take a few seconds to collect. Finally, by processing a simple verification mechanism, we show that it achieves an equal error rate of 0.61%. We enrich our results with the analysis of the correlation between the attributes, and of their contribution to the evaluated properties. We conclude that our browser fingerprints carry the promise to strengthen web authentication mechanisms.

show abstract

AuthGuide: Analyzing Security, Privacy and Usability Trade-Offs in Multi-factor Authentication

Preuveneers

Joos

Joosen

2021

Trust, Privacy and Security in Digital Business

View full text Add to dashboard Cite

Multi-factor authentication (MFA) reduces the risk of compromised credentials. However, selecting, configuring and combining different authentication factors is a challenge for both security administrators and end-users, as the configuration possibilities are large and the implications of choices on security, privacy and usability are not always well understood. This concern is further aggravated when the security administrator grants the end-user some flexibility for the selection of authentication factors, or when the latter are combined in a risk-adaptive manner. In this work, we present AuthGuide, an authentication knowledge and configuration framework that increases the awareness about these trade-offs. Additionally, it raises the level of abstraction to configure MFA for a given identity and access management (IAM) platform through a series of questions by mapping the responses onto the IAM's workflow of authentication steps for registration and login. We implemented AuthGuide, validated it on top of the open source Keycloak IAM, and evaluated the effectiveness of our framework to analyze the security, privacy and usability trade-offs.

show abstract

“Guess Who?” Large-Scale Data-Centric Study of the Adequacy of Browser Fingerprints for Web Authentication

Cited by 11 publications

References 14 publications

FPSelect: Low-Cost Browser Fingerprints for Mitigating Dictionary Attacks against Web Authentication Mechanisms

FPSelect: Low-Cost Browser Fingerprints for Mitigating Dictionary Attacks against Web Authentication Mechanisms

A Large-scale Empirical Analysis of Browser Fingerprints Properties for Web Authentication

AuthGuide: Analyzing Security, Privacy and Usability Trade-Offs in Multi-factor Authentication

Contact Info

Product

Resources

About