SWAT: Seamless Web Authentication Technology

Rochet, Florentin; Efthymiadis, Kyriakos; Koeune, FranÃ§ois; Pereira, Olivier

doi:10.1145/3308558.3313637

Cited by 13 publications

(13 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Vastel et al [33] mention that this technique is already used by websites to block bots. About multifactor authentication, several approaches focused on increasing web session security with browser fingerprinting [29,2,27,15]. However, these studies only cover the methodology and implementation steps, but fail to evaluate their effectiveness in production.…”

Section: Browser Fingerprintingmentioning

confidence: 99%

FP-Redemption: Studying Browser Fingerprinting Adoption for the Sake of Web Security

Durey

Laperdrix

Rudametkin

et al. 2021

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Browser fingerprinting has established itself as a stateless technique to identify users on the Web. In particular, it is a highly criticized technique to track users. However, we believe that this identification technique can serve more virtuous purposes, such as bot detection or multi-factor authentication. In this paper, we explore the adoption of browser fingerprinting for security-oriented purposes. More specifically, we study 4 types of web pages that require security mechanisms to process user data: sign-up, sign-in, basket and payment pages. We visited 1, 485 pages on 446 domains and we identified the acquisition of browser fingerprints from 405 pages. By using an existing classification technique, we identified 169 distinct browser fingerprinting scripts included in these pages. By investigating the origins of the browser fingerprinting scripts, we identified 12 security-oriented organizations who collect browser fingerprints on sign-up, sign-in, and payment pages. Finally, we assess the effectiveness of browser fingerprinting against two potential attacks, namely stolen credentials and cookie hijacking. We observe browser fingerprinting being successfully used to enhance web security.

show abstract

Section: Browser Fingerprintingmentioning

confidence: 99%

FP-Redemption: Studying Browser Fingerprinting Adoption for the Sake of Web Security

Durey

Laperdrix

Rudametkin

et al. 2021

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…HTML5 canvas [10], audio fingerprinting [36]). Later on, these attributes were integrated within challenge-response mechanisms [26,38] that mitigate replay attacks. We call these attributes the dynamic attributes, and include nine of them in our script: five HTML5 canvases, three audio fingerprinting methods, and a WebGL canvas.…”

Section: Focus On Dynamic Attributesmentioning

confidence: 99%

“…However, to the best of our knowledge, no large-scale study rigorously evaluates the adequacy of browser fingerprints as an additional web authentication factor. On the one hand, most works about the use of browser fingerprints for authentication concentrate on the design of the authentication mechanism [17,26,34,38,43,47]. On the other hand, the large-scale empirical studies on browser fingerprints focus on their effectiveness as a web tracking tool [13,19,29,35].…”

Section: Introductionmentioning

confidence: 99%

“…In particular, our dataset includes nine dynamic attributes of three types, which values depend on instructions provided by the fingerprinter: five HTML5 canvases [10], three audio fingerprinting methods [36], and a WebGL canvas [33]. The dynamic attributes are used within state-of-the-art web authentication mechanisms to mitigate replay attacks [26,38]. Each dynamic attribute has been studied singularly, but their fundamental properties have not yet been studied simultaneously on the same browser population.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A Large-scale Empirical Analysis of Browser Fingerprints Properties for Web Authentication

Andriamilanto,

Allard,

Guelvouit

et al. 2020

Preprint

View full text Add to dashboard Cite

Modern browsers give access to several attributes that can be collected to form a browser fingerprint. Although browser fingerprints have primarily been studied as a web tracking tool, they can contribute to improve the current state of web security by augmenting web authentication mechanisms. In this paper, we investigate the adequacy of browser fingerprints for web authentication. We make the link between the digital fingerprints that distinguish browsers, and the biological fingerprints that distinguish Humans, to evaluate browser fingerprints according to properties inspired by biometric authentication factors. These properties include their distinctiveness, their stability through time, their collection time, their size, and the accuracy of a simple verification mechanism. We assess these properties on a large-scale dataset of 4, 145, 408 fingerprints composed of 216 attributes, and collected from 1, 989, 365 browsers. We show that, by time-partitioning our dataset, more than 81.3% of our fingerprints are shared by a single browser. Although browser fingerprints are known to evolve, an average of 91% of the attributes of our fingerprints stay identical between two observations, even when separated by nearly 6 months. About their performance, we show that our fingerprints weigh a dozen of kilobytes, and take a few seconds to collect. Finally, by processing a simple verification mechanism, we show that it achieves an equal error rate of 0.61%. We enrich our results with the analysis of the correlation between the attributes, and of their contribution to the evaluated properties. We conclude that our browser fingerprints carry the promise to strengthen web authentication mechanisms.

show abstract

“…These are limited by the available items or instructions, which can be large (e.g., more than 2 154 for the canvas [31], nearly 30 thousand detectable extensions [27]). 4 We emphasize that the candidate attributes can contain dynamic attributes, which can be used to implement challenge-response mechanisms that resist fingerprint replay attacks [31,46]. We study nine instances of three dynamic attributes, which are the HTML5 canvas [12], the WebGL canvas [38], and audio fingerprinting methods [45].…”

Section: Introductionmentioning

confidence: 99%

FPSelect: Low-Cost Browser Fingerprints for Mitigating Dictionary Attacks against Web Authentication Mechanisms

Andriamilanto

Allard

Guelvouit³

2020

Annual Computer Security Applications Conference

View full text Add to dashboard Cite

Browser fingerprinting consists into collecting attributes from a web browser. Hundreds of attributes have been discovered through the years. Each one of them provides a way to distinguish browsers, but also comes with a usability cost (e.g., additional collection time). In this work, we propose FPSelect, an attribute selection framework allowing verifiers to tune their browser fingerprinting probes for web authentication. We formalize the problem as searching for the attribute set that satisfies a security requirement and minimizes the usability cost. The security is measured as the proportion of impersonated users given a fingerprinting probe, a user population, and an attacker that knows the exact fingerprint distribution among the user population. The usability is quantified by the collection time of browser fingerprints, their size, and their instability. We compare our framework with common baselines, based on a real-life fingerprint dataset, and find out that in our experimental settings, our framework selects attribute sets of lower usability cost. Compared to the baselines, the attribute sets found by FPSelect generate fingerprints that are up to 97 times smaller, are collected up to 3, 361 times faster, and with up to 7.2 times less changing attributes between two observations, on average.

show abstract

SWAT: Seamless Web Authentication Technology

Cited by 13 publications

References 16 publications

FP-Redemption: Studying Browser Fingerprinting Adoption for the Sake of Web Security

FP-Redemption: Studying Browser Fingerprinting Adoption for the Sake of Web Security

A Large-scale Empirical Analysis of Browser Fingerprints Properties for Web Authentication

FPSelect: Low-Cost Browser Fingerprints for Mitigating Dictionary Attacks against Web Authentication Mechanisms

Contact Info

Product

Resources

About