The role of Browser Fingerprinting in
Two Factor Authentication
Bart Decuypere
(decuypeb_at_gmail.com)
Slide 2: Authentication: a binary fact?
• Password correct -> Yes/No
• OTP correct -> Yes/No
• Certificate valid -> Yes/No
• But: authentication methods are not infallible
  – Password hacked
  – Digipass/SmartCard stolen
• Authentication is only correct for a certain % of cases
  – (viz. if the method is not corrupted)
• Authentication is a probability!

Slide 3: How can this be improved?
• Multi-factor authentication!
  – Knows
  – Has
  – Is
• What happens theoretically?
  – We multiply the P(is_not(X))
  – P(password_is_corrupt) * P(smart_card_is_stolen)
  – (fiction) 0.01 * 0.001 = 0.00001 (very small probability that someone is not who he claims to be)

Slide 4: What is browser fingerprinting?
• Collect characteristics of the browser
• Calculate entropy to see whether this configuration is unique (enough)... -> this is a probability P(unique)
• If the config is unique, we can track the user...
• We can use the browser config as a factor in multi-factor authentication!
  – Something the user has!

Slide 5: Objections (What if...?)
• ... the profile is not unique enough
  – Add a factor (e.g. password)
  – Forward the transaction to another device/browser
• ... the browser is taken over by a hacker (MITM)
  – Maybe we can see it in the profile?
  – The browser is only one factor; there are other factors.
  – You can add factors (dynamically, until you are certain enough)
• ... the browser fingerprint changes (due to upgrade, plugins, ...)
  – Use algorithms to map before and after... (this is also a probability, and might cause an extra factor to be used)

Slide 6: New use cases
• As a browser is an extra factor:
  – Splitting a transaction over two browsers is more secure than only using one browser
  – Password and browser are two factors
  – Each device with a browser can be a 2nd factor
    • Smart phone, tablet, other PC...
  – 2nd-factor devices come at no additional cost

Slide 7: General rule: it's only multiplying probabilities
• Determine beforehand your level of certainty
• Use as many factors as you need to obtain that certainty
  – Password
  – Browser fingerprint
  – Device fingerprint
  – Smartcard
• Authentication is not binary! It's a probability!
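The deck states its arithmetic in one line each; the following Python script, added here and not part of the original slides, works it through end to end: the P(unique) and entropy estimate for a browser configuration (slide 4) over a small constructed population of fingerprints, the product-of-probabilities rule (slides 3 and 7, reusing slide 3's fictional 0.01 and 0.001), and the "add factors dynamically until you are certain enough" loop (slide 5). The population, the per-factor compromise probabilities and the certainty target are all constructed assumptions; the deck gives no real data for them.

```python
import math
from collections import Counter

# Constructed sample population of browser configurations (hypothetical data,
# not from the slides): each tuple is (user_agent, timezone, screen, fonts_hash).
POPULATION = [
    ("Firefox/115", "UTC+1", "1920x1080", "f1"),
    ("Firefox/115", "UTC+1", "1920x1080", "f1"),
    ("Firefox/115", "UTC+1", "1366x768", "f2"),
    ("Chrome/120", "UTC+1", "1920x1080", "f1"),
    ("Chrome/120", "UTC+0", "1920x1080", "f3"),
    ("Chrome/120", "UTC+1", "2560x1440", "f4"),
    ("Safari/17", "UTC-5", "1440x900", "f5"),
    ("Chrome/120", "UTC+1", "1920x1080", "f1"),
]


def p_unique(config, population):
    """Slide 4's P(unique): the probability that a random member of the
    population does NOT share this configuration, i.e. 1 - P(config)."""
    return 1 - Counter(population)[config] / len(population)


def surprisal_bits(config, population):
    """Self-information of one configuration, -log2 P(config).
    High values mean the config is rare. A config never seen in the population
    cannot be priced from the population alone, so it is reported as +inf."""
    count = Counter(population)[config]
    if count == 0:
        return math.inf
    return -math.log2(count / len(population))


def shannon_entropy_bits(population):
    """Entropy of the whole fingerprint distribution: how many bits, on
    average, one fingerprint reveals about which member of the population
    you are. 2.5 bits over 8 users is far from 'unique enough'."""
    n = len(population)
    return -sum((c / n) * math.log2(c / n) for c in Counter(population).values())


def p_all_corrupt(factor_probs):
    """Slides 3 and 7: probability that *every* factor is defeated at once,
    computed as a product. This assumes the factors fail independently. A
    single stolen laptop defeats 'browser' and 'device' together, so such
    correlated factors should be collapsed into one before calling this,
    otherwise the product is optimistic."""
    p = 1.0
    for value in factor_probs.values():
        p *= value
    return p


def factors_needed(available, target):
    """Slide 5's 'add factors dynamically until you are certain enough':
    take factors strongest (lowest compromise probability) first until the
    residual probability that all chosen factors are corrupt is <= target.
    Returns (chosen factors, residual). If the target is unreachable, every
    available factor is returned and the caller can see the residual is
    still above the target."""
    chosen = {}
    for name, p in sorted(available.items(), key=lambda kv: kv[1]):
        chosen[name] = p
        if p_all_corrupt(chosen) <= target:
            break
    return chosen, p_all_corrupt(chosen)


if __name__ == "__main__":
    common = ("Firefox/115", "UTC+1", "1920x1080", "f1")
    rare = ("Safari/17", "UTC-5", "1440x900", "f5")
    print(f"P(unique) common config: {p_unique(common, POPULATION):.3f}")
    print(f"P(unique) rare config:   {p_unique(rare, POPULATION):.3f}")
    print(f"surprisal rare config:   {surprisal_bits(rare, POPULATION):.2f} bits")
    print(f"population entropy:      {shannon_entropy_bits(POPULATION):.2f} bits")
    # Slide 3's fictional per-factor compromise probabilities, plus an assumed
    # value for the browser fingerprint.
    factors = {"password": 0.01, "smart_card": 0.001, "browser_fingerprint": 0.05}
    print("password * smart_card:", p_all_corrupt({"password": 0.01, "smart_card": 0.001}))
    chosen, residual = factors_needed(factors, target=1e-4)
    print("factors chosen:", list(chosen), "residual:", residual)
```

Two points the script makes visible that the slides only imply: a fingerprint's value as a factor is a property of the population it is measured against (the same configuration is "unique" among eight users and common among a million), and the multiplication rule is only as good as the independence it assumes, which is exactly the case the MITM objection on slide 5 attacks, since a compromised browser can leak the password typed into it.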
