Smarter Security with Device Fingerprints

This blog post was first published @ http://identityrocks.blogspot.fr/, included here with permission.

Smarter security also means user friendly security, moving security beyond compromising convenience.

Multi-factor authentication has many benefits. But going through multiple factors several times in the same day from the same device makes users grumble, especially when working at the office all day. Security can be smarter than that.

It turns out that web browsers in the hands of individual users develop an increasing level of uniqueness based on a combination of parameters such as browser type, installed fonts and plugins, resolution and colour depth, timezone, preferred language, and even geolocation. All these elements (and potentially others) combined represent the browser fingerprint.

So the user who already authenticated in the morning with username, password and an SMS passcode as the second factor comes back from lunch. A more convenient single-factor authentication (username and password) can often be suitable if the user is authenticating from the same device. In reality, users authenticate against the same system even more often than that in a single day.

The National Institute of Standards and Technology (NIST) researched the friction and disruption created by authentication. It concludes that any authentication task that requires time and effort on the part of the user creates a “wall of disruption” that impedes the performance of primary tasks, even when there are no problems [1].

Besides implementing SSO, device fingerprints are a compelling asset for lowering the “wall of disruption.” ForgeRock’s identity platform provides this functionality out of the box (since OpenAM 12). On top of that, browser fingerprint collection, matching and storing can be customized and extended. The functionality is part of both the commercial and the open source editions, as smart security software should be.

As privacy is built into ForgeRock’s DNA and products, device fingerprints are stored with user consent and the user can view and delete them anytime.

Device Fingerprints in the Authentication Process

OpenAM provides two authentication modules to support device or browser fingerprints. First, the “Device ID (Match)” module, which invokes the collection of the fingerprint via JavaScript (executed in the user’s web browser), compares the collected fingerprint with the stored fingerprints and determines whether the device can be considered known. And second, the “Device ID (Save)” module, which stores, if appropriate, the newly collected fingerprint in the data store.

Device fingerprint authentication is used in combination with other authentication modules, with the goal of sparing users multiple factors of authentication. Typically users are challenged with a first factor like username and password. Only if this succeeds is the fingerprint collected and compared with the stored fingerprints. If the device is not “known,” the user faces a second factor of authentication like a one-time password via SMS. Only after the second factor has succeeded, and upon user consent, is the fingerprint stored. If however the device is “known,” no further processing is necessary and user authentication succeeds.

The OpenAM Admin Guide has a bunch of further hints on how to chain the device ID modules with other modules [2].

Privacy and Consent

Before storing a device fingerprint, the user is asked for consent. If a user decides not to store browser fingerprints, the device fingerprint modules have no effect and the authentication continues as defined in the authentication chain. Stored browser fingerprints can be managed as “Trusted Devices” by the end user through the end-user dashboard. By default, device fingerprints have a lifetime of 30 days.

Inside the Device Fingerprint Module

The “Device ID (Match)” module stores the collected fingerprint in the shared state of the authentication modules (under the key devicePrintProfile). This value is picked up from the shared state by the “Device ID (Save)” module (if the chain gets that far) and then written to the data store.
Browser fingerprints are stored in the user data store. With the embedded store (the default), for instance, each fingerprint is one value of the multi-valued attribute devicePrintProfiles, in the following form (pretty printed):

{
  "lastSelectedDate": 1437623008779,
  "devicePrint": {
    "screen": {
      "screenWidth": 1440,
      "screenHeight": 900,
      "screenColourDepth": 24
    },
    "timezone": {
      "timezone": -120
    },
    "plugins": {
      "installedPlugins": "widevinecdmadapter.plugin;mhjfbmdgcfjbbpaeojofohoefgiehjai;PepperFlashPlayer.plugin;internal-remoting-viewer;internal-nacl-plugin;internal-pdf-viewer;"
    },
    "fonts": {
      "installedFonts": "cursive;monospace;serif;sans-serif;fantasy;default;Arial;Arial Black;Arial Narrow;Arial Rounded MT Bold;Comic Sans MS;Courier;Courier New;Georgia;Impact;Papyrus;Tahoma;Times;Times New Roman;Trebuchet MS;Verdana;"
    },
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36",
    "appName": "Netscape",
    "appCodeName": "Mozilla",
    "appVersion": "5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36",
    "platform": "MacIntel",
    "product": "Gecko",
    "productSub": "20030107",
    "vendor": "Google Inc.",
    "language": "en-US",
    "geolocation": {
      
    }
  },
  "name": "MacBookChrome",
  "selectionCounter": 1,
  "uuid": "a85e66e4-5de3-4795-be43-7159e9590cbb"
}

As mentioned before, the collection and matching can be extended and customised.
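A Python sketch of the match/save flow described above, operating on the stored document format shown; it is added here as an illustration and is not OpenAM’s own code. The set of attributes compared, the one-difference tolerance and counting the 30-day lifetime from lastSelectedDate are assumptions, and the sample profile is constructed.

```python
import json
import uuid

LIFETIME_MS = 30 * 24 * 60 * 60 * 1000  # default 30-day fingerprint lifetime mentioned in the post
# Attributes this simplified matcher compares (an assumption, not OpenAM's own scoring rules)
COMPARED = ("screen", "timezone", "plugins", "fonts", "userAgent", "platform", "language")

def device_id_match(profiles, collected, now_ms, max_diffs=1):
    """Device ID (Match): return the stored profile the collected print resembles, else None.
    Lifetime is assumed to count from lastSelectedDate (epoch ms); expired profiles are skipped."""
    for profile in profiles:
        if now_ms - profile["lastSelectedDate"] > LIFETIME_MS:
            continue
        diffs = sum(1 for k in COMPARED if profile["devicePrint"].get(k) != collected.get(k))
        if diffs <= max_diffs:                  # more than max_diffs differences -> unknown device
            profile["selectionCounter"] += 1    # bookkeeping fields seen in the stored document
            profile["lastSelectedDate"] = now_ms
            return profile
    return None

def device_id_save(profiles, collected, name, consent, now_ms):
    """Device ID (Save): persist the print from shared state only if the user consented."""
    if consent:
        profiles.append({"lastSelectedDate": now_ms, "devicePrint": collected, "name": name,
                         "selectionCounter": 1, "uuid": str(uuid.uuid4())})
    return profiles

def authenticate(first_factor_ok, collected, profiles, second_factor_ok, consent, now_ms):
    """The chain from the post: first factor, then match; unknown device -> second factor -> save."""
    if not first_factor_ok:
        return "FAILED"
    if device_id_match(profiles, collected, now_ms) is not None:
        return "SUCCESS:known-device"           # no further factor needed
    if not second_factor_ok:
        return "FAILED"
    device_id_save(profiles, collected, "NewDevice", consent, now_ms)
    return "SUCCESS:second-factor"

# Constructed sample shaped like the stored document above (long string values shortened)
STORED_PRINT = {"screen": {"screenWidth": 1440, "screenHeight": 900, "screenColourDepth": 24},
                "timezone": {"timezone": -120}, "plugins": {"installedPlugins": "internal-pdf-viewer;"},
                "fonts": {"installedFonts": "Arial;Verdana;"}, "userAgent": "Mozilla/5.0 (Macintosh) Chrome/44",
                "platform": "MacIntel", "language": "en-US"}
NOW_MS = 1437623008779 + 2 * 24 * 60 * 60 * 1000  # two days after the sample's lastSelectedDate

def sample_profiles():
    """Parse the multi-valued devicePrintProfiles attribute: here one constructed JSON value."""
    doc = {"lastSelectedDate": 1437623008779, "devicePrint": STORED_PRINT, "name": "MacBookChrome",
           "selectionCounter": 1, "uuid": "a85e66e4-5de3-4795-be43-7159e9590cbb"}
    return [json.loads(v) for v in [json.dumps(doc)]]
```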

Further Reading

The Electronic Frontier Foundation published an interesting paper, “How Unique Is Your Web Browser?”, in which, amongst other topics, research on the diversity and stability of browser fingerprints is presented. It concludes:

“Browser fingerprinting is a powerful technique, and fingerprints must be considered alongside cookies, IP addresses and supercookies when we discuss web privacy and user trackability. Although fingerprints turn out not to be particularly stable, browsers reveal so much version and configuration information that they remain overwhelmingly trackable. There are implications both for privacy policy and technical design. Policymakers should start treating fingerprintable records as potentially personally identifiable, and set limits on the durations for which they can be associated with identities and sensitive logs like clickstreams and search terms.” [3]

Note that the default device fingerprint authentication modules support expiration of fingerprints.

Further research on browser fingerprinting shows alternative ways to compute a fingerprint, for instance using HTML5 <canvas> elements [4], as well as ways for users to circumvent fingerprinting if they desire. The ForgeRock Identity Platform can cater to both methodologies, as it is open and extensible and honors privacy.

References

[1] Steves, M.; Chisnell, D.; Sasse, A.; Krol, K.; Theofanos, M.; Wald, H. (2014). Report: Authentication Diary Study. NIST Interagency or Internal Report (NISTIR) 7983. <http://dx.doi.org/10.6028/NIST.IR.7983>
[2] Goldsmith, David; Hirayama, Gene; Lee, Chris; et al. OpenAM Administration Guide, Version 12.0.0. ForgeRock AS, December 17, 2014. Accessed August 28, 2015. <http://docs.forgerock.org/en/openam/12.0.0/admin-guide/index/chap-auth-services.html#device-id-match-hints>
[3] Eckersley, Peter. How Unique Is Your Web Browser? Electronic Frontier Foundation, 2010. <https://panopticlick.eff.org/browser-uniqueness.pdf>
[4] Mowery, Keaton; Shacham, Hovav. Pixel Perfect: Fingerprinting Canvas in HTML5. <http://w2spconf.com/2012/papers/w2sp12-final4.pdf>
[5] Wikipedia contributors. Device fingerprint. Wikipedia, The Free Encyclopedia, 27 Jul. 2015. Accessed 28 Aug. 2015.

By Joachim Andres