This document discusses how browser fingerprinting can be used as a factor in multi-factor authentication. It explains that authentication is based on probability, not a binary yes/no. Using multiple authentication factors like something you know (password), something you have (browser), and something you are (biometrics) multiplies the probabilities of each being incorrect, making the overall authentication more secure. The document proposes that a user's unique browser configuration determined via fingerprinting could serve as an additional authentication factor, improving security without additional hardware costs. Objections about fingerprint or browser changes are addressed.

1. The role of Browser Fingerprinting in
Two Factor Authentication
Bart Decuypere
(decuypeb_at_gmail.com)

2. Authentication: a binary fact?
•
•
•
•
Password correct -> Yes/No
OTP correct -> Yes/No
Certificate Valid -> Yes/No
But: Authentication methods are not infallible
– Password hacked
– Digipass/SmartCard stolen
• Authentication is only for a certain % correct
– (viz. If the method is not corrupted)
• Authentication is a probability!

3. How can this be improved?
• Multi-Factor authentication!
– Knows
– Has
– Is
• What happens theoretically?
– We multiply the P(is_not(X))
– P(password_is_corrupt)*P(smart_card_is_stolen)
– (fiction) 0,01 * 0,001 = 0,00001 (very small probability
that someone is not who he claims to be)

4. What is browser fingerprinting?
• Collect characteristics of browser
• Calculate entropy to see whether this
configuration is unique (enough)... -> this is a
probability P(unique)
• If config is unique, we can track the user...
• We can use the browser config as a factor in
multifactor authentication!
– Something the user has!

5. Objections (What if...?)
• ... the profile is not unique enough
– Add a factor (e.g. password)
– Forward transaction to another device/browser
• ... the browser is taken over by a hacker (MITM)
– Maybe we can see it in the profile?
– Browser is only one factor, there are other factors.
– You can add factors (dynamically until you are certain
enough)
• ... the browser fingerprint changes (due to upgrade,
plugins, ...)
– Use algorithms to map before and after... (this is also
probability, and might cause an extra factor to be used)

6. New use cases
• As a browser is an extra factor:
– Splitting a transaction over two browsers is more
secure than only using one browser
– Password and browser are two factors
– Each device with a browser can be a 2nd factor
• Smart phone, tablet, other pc...
– 2nd factor devices come at no additional cost

7. General rule: it’s only multiplying
probabilities
• Determine beforehand your level of certainty
• Use as many factors as you need to obtain
that certainty
– Password
– Browser fingerprint
– Device fingerprint
– Smartcard
• Authentication is not binary! It’s a probability!