"Guess Who ?" Large-Scale Data-Centric Study of the Adequacy of Browser Fingerprints for Web Authentication

Browser fingerprinting consists of collecting attributes from a web browser to build a browser fingerprint. In this work, we assess the adequacy of browser fingerprints as an authentication factor, on a dataset of 4,145,408 fingerprints composed of 216 attributes. It was collected over 6 months from a population of general browsers. We identify, formalize, and assess the properties that browser fingerprints need in order to be usable and practical as an authentication factor. We notably evaluate their distinctiveness, their stability through time, their collection time, and their size in memory. We show that considering a large surface of 216 fingerprinting attributes leads to a unicity rate of 81% on a population of 1,989,365 browsers. Moreover, browser fingerprints are known to evolve, but we observe that between consecutive fingerprints, more than 90% of the attributes remain unchanged after nearly 6 months. Fingerprints are also affordable. On average, they weigh a dozen kilobytes, and are collected in a few seconds. We conclude that browser fingerprints are a promising additional web authentication factor.
