The role of Browser Fingerprinting in Two Factor Authentication
Authentication: a binary fact?
Password correct -> Yes/No
OTP correct -> Yes/No
Certificate Valid -> Yes/No
But: authentication methods are not infallible
– Password hacked
– Digipass/SmartCard stolen
• Authentication is therefore only correct with a certain probability
– (i.e. only as long as the method itself has not been compromised)
• Authentication is a probability!
How can this be improved?
• Multi-factor authentication!
• What happens theoretically?
– We multiply the P(is_not(X)) of each factor (assuming the factors fail independently)
– (fictional numbers) 0.01 * 0.001 = 0.00001 (a very small probability that someone
who passes both factors is not who he claims to be)
What is browser fingerprinting?
• Collect characteristics of the browser
• Calculate the entropy to see whether this
configuration is unique (enough)... -> this is a
• If config is unique, we can track the user...
• We can use the browser config as a factor in
– Something the user has!
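As an added example (not code from the slides), the entropy calculation described above, run over a constructed population of browser configurations: the bits each attribute contributes on its own, the entropy of the full fingerprint, and the size of the anonymity set a given configuration falls into, which is what decides whether it is "unique (enough)" to stand as a factor. The attribute names, the sample values and the 3-bit threshold are assumptions made for the example.

```python
import math
from collections import Counter

# Attribute names and the sample population are constructed for this example;
# a real deployment would use the configurations observed at its own logins.
ATTRIBUTES = ("user_agent", "screen", "timezone", "language", "fonts_hash")

POPULATION = [
    ("Firefox/124", "1920x1080", "Europe/Brussels", "nl-BE", "f1"),
    ("Firefox/124", "1920x1080", "Europe/Brussels", "nl-BE", "f1"),  # same config seen twice
    ("Chrome/123",  "1920x1080", "Europe/Brussels", "fr-BE", "c7"),
    ("Chrome/123",  "1366x768",  "Europe/Brussels", "fr-BE", "c7"),
    ("Chrome/123",  "1366x768",  "Europe/Paris",    "fr-FR", "c9"),
    ("Safari/17",   "2560x1600", "Europe/Paris",    "fr-FR", "s2"),
    ("Safari/17",   "2560x1600", "Europe/Brussels", "nl-BE", "s2"),
    ("Edge/123",    "1920x1080", "Europe/Brussels", "nl-BE", "e4"),
]


def entropy_bits(values):
    """Shannon entropy, in bits, of the empirical distribution of `values`."""
    counts = Counter(values)
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def attribute_entropies(population):
    """How many bits each attribute contributes on its own."""
    return {
        name: entropy_bits([rec[i] for rec in population])
        for i, name in enumerate(ATTRIBUTES)
    }


def fingerprint_entropy(population):
    """Entropy of the whole configuration tuple. It is at most log2(len(population))
    and lower than the sum of the per-attribute entropies when attributes correlate."""
    return entropy_bits(population)


def anonymity_set(population, fingerprint):
    """Number of observed configurations identical to `fingerprint`."""
    return sum(1 for rec in population if rec == fingerprint)


def surprisal_bits(population, fingerprint):
    """-log2 P(fingerprint): how unusual this exact configuration is in the population.
    A configuration never seen before is treated as maximally unusual (inf)."""
    k = anonymity_set(population, fingerprint)
    return math.log2(len(population) / k) if k else math.inf


def is_unique_enough(population, fingerprint, required_bits):
    """The decision the slides describe: does this configuration carry enough bits
    to stand as a factor on its own, or must another factor be added?"""
    return surprisal_bits(population, fingerprint) >= required_bits


if __name__ == "__main__":
    for name, bits in attribute_entropies(POPULATION).items():
        print(f"{name:12s} {bits:.2f} bits")
    print(f"full fingerprint {fingerprint_entropy(POPULATION):.2f} bits "
          f"(max {math.log2(len(POPULATION)):.2f})")
    for fp in (POPULATION[0], POPULATION[-1]):
        print(fp[0], "anonymity set", anonymity_set(POPULATION, fp),
              "surprisal", surprisal_bits(POPULATION, fp), "unique enough:",
              is_unique_enough(POPULATION, fp, required_bits=3.0))
```

In this sample the duplicated Firefox configuration is shared by two users and so yields only 2 of the 3 bits the population could provide; the Edge configuration is seen once and clears the threshold. With a real population the per-attribute numbers show which characteristics are worth collecting at all.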
Objections (What if...?)
• ... the profile is not unique enough
– Add a factor (e.g. password)
– Forward transaction to another device/browser
• ... the browser is taken over by an attacker (MITM)
– Maybe we can see it in the profile?
– The browser is only one factor; there are other factors.
– You can add factors (dynamically, until you are certain)
• ... the browser fingerprint changes (due to upgrade,
– Use algorithms to map the fingerprint before and after the change... (this is also a
probability, and might cause an extra factor to be used)
New use cases
• As a browser is an extra factor:
– Splitting a transaction over two browsers is more
secure than only using one browser
– Password and browser are two factors
– Each device with a browser can be a 2nd factor
• Smart phone, tablet, other pc...
– 2nd factor devices come at no additional cost
General rule: it’s just multiplication
• Determine beforehand your level of certainty
• Use as many factors as you need to obtain
– Browser fingerprint
– Device fingerprint
• Authentication is not binary! It’s a probability!
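Added example (not code from the slides) that puts the objections and the general rule together: a fingerprint that has drifted (e.g. after a browser upgrade) is mapped against the enrolled one and either weakens or disqualifies the browser factor; the residual risks of the usable factors are then multiplied, under the slides' independence assumption, and factors are added in a fixed order until the predetermined target is reached. The per-factor risk numbers (the first two echo the slides' 0,01 and 0,001), the attribute set, the 0.8 match threshold and the 1/similarity scaling are all constructed for illustration.

```python
# Per-factor residual risk P(impostor passes this factor). Constructed numbers for
# illustration, not measured rates; the first two echo the slides' 0,01 and 0,001.
FACTOR_RISK = {
    "password": 0.01,
    "otp": 0.001,
    "browser_fingerprint": 0.05,
    "device_fingerprint": 0.02,
}
PREFERENCE = ["password", "browser_fingerprint", "device_fingerprint", "otp"]
MATCH_THRESHOLD = 0.8  # assumed: below this the browser factor is not trusted at all

# Constructed fingerprints: what was enrolled, the same browser after an upgrade,
# and an unrelated device.
STORED = {"user_agent": "Firefox/123", "screen": "1920x1080",
          "timezone": "Europe/Brussels", "language": "nl-BE", "fonts_hash": "f1"}
UPGRADED = dict(STORED, user_agent="Firefox/124")
NEW_DEVICE = dict(STORED, user_agent="Chrome/123", screen="1366x768", fonts_hash="c7")


def fingerprint_similarity(stored, observed):
    """Fraction of attributes that still match (a simple before/after mapping)."""
    keys = set(stored) | set(observed)
    matches = sum(1 for k in keys if stored.get(k) == observed.get(k))
    return matches / len(keys)


def browser_factor_risk(stored, observed, base_risk, threshold=MATCH_THRESHOLD):
    """A drifted fingerprint is a weaker factor: scale the residual risk up as
    similarity drops, and refuse to count the factor at all below the threshold.
    The 1/similarity scaling is a constructed heuristic, not a measured model."""
    s = fingerprint_similarity(stored, observed)
    if s < threshold:
        return None
    return min(1.0, base_risk / s)


def residual_risk(risks):
    """The slides' rule: multiply, assuming the factors fail independently."""
    total = 1.0
    for p in risks:
        total *= p
    return total


def factors_needed(target, available, preference=PREFERENCE):
    """Add factors in preference order until the multiplied risk is <= target.
    Returns (factors_used, risk); factors_used is None if the target is unreachable."""
    used, risks = [], []
    for name in preference:
        p = available.get(name)
        if p is None:
            continue  # factor not usable for this login
        used.append(name)
        risks.append(p)
        if residual_risk(risks) <= target:
            return used, residual_risk(risks)
    return None, residual_risk(risks)


def evaluate_login(stored, observed, target):
    """Decide which factors this login must present to reach `target`."""
    available = dict(FACTOR_RISK)
    available["browser_fingerprint"] = browser_factor_risk(
        stored, observed, FACTOR_RISK["browser_fingerprint"])
    return factors_needed(target, available)


if __name__ == "__main__":
    print(evaluate_login(STORED, UPGRADED, target=1e-4))
    print(evaluate_login(STORED, NEW_DEVICE, target=1e-4))
```

With a target of 1e-4, the upgraded browser still counts (4 of 5 attributes match) but at a higher residual risk, so the login needs password, browser and device fingerprint; the unrelated device disqualifies the browser factor entirely and the policy falls back to the OTP to reach the same certainty. The independence assumption is the weak point of the multiplication: a compromised browser that also holds the password makes those two factors fail together, which is why the slides keep other, separate factors in reserve.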