
Is it a good idea to identify whether the user logging in is the actual user who created the account by using browser fingerprinting?

Basically, do a bunch of checks just as they click sign in, and if it doesn't match like 80% of all of the data, then ask for some 2FA stuff.

I'm assuming this is similar to what Google does; they legally collect this data from you and update it whenever you're signed in.

Wondering if it's secure enough, or is there a better way to identify users when they log in? Because doing it via IP address isn't safe enough, and the same goes for user agent too. I got referred to browser fingerprinting but know little about its security and want to know from experts.

  • Wouldn't a cookie do exactly the same thing? – schroeder Jul 16 '18 at 18:46
  • I regularly use more than one computer for browsing the internet. Will I be blocked from the service in question? – Marcel Jul 17 '18 at 05:34
  • It depends: if most of the checks are validated, then yes, but the ones that won't be will be your cookies, user agent, etc.; of the ones mentioned below, most will pass since the IP is matching, etc. For the most part I'd say yes, it's better to have security than to worry about the people who use multiple computers, since all they'd have to do is get a confirmation code. – Samuel Stubbings Jul 19 '18 at 07:53

1 Answer

This is a particularly user-friendly method for easier login from a "recognised" device. All of the options below apply together. E.g. user agent alone is not secure, but combined with IP address it's stronger. This would normally use:

  • User agent data (including screen resolution)
  • Timezone
  • Time check from IP address location and system time
  • Cookies
  • Is WebRTC enabled?
  • Does IP address and DNS server match?
  • Is JavaScript enabled?
  • Does the IP address have open ports? (for known proxies or VPNs)
  • Do the OS and the browser's user agent OS data match?
  • Is the IP address residential or from a data center?

WhatLeaks covers most of these.

This method is implemented by PayPal and works quite well. You should be able to authenticate and log in to PayPal, log out, and attempt to log in again; you should not cause an email for unusual activity now. If this is the case, copy your browser user agent and cookies, then place them onto another computer. You should not cause an email for "unusual activity". Like you said about "80%" matching, this can be applied here: if there are too many changes, then an unusual activity email or SMS is sent.

Is this method secure? Possibly. It does provide better protection than without, and it does stop most attackers. However, some become lackadaisical, treating it like a silver bullet, and then use weaker passwords or opt out of 2FA.

– safesploit
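As an added example of the threshold scheme the answer describes (written for this page; it is not the asker's, the answerer's or PayPal's code), a server-side scoring function over signals like those listed above that requests 2FA when the weighted match drops below 80%. The signal names, weights and sample profiles are hypothetical choices for illustration.

```python
# Weights reflect how hard each signal is for a password-only attacker to replay.
# Hypothetical values chosen for illustration; the stored "device_cookie" should be
# a random per-device token issued at first login, not a session cookie.
WEIGHTS = {
    "device_cookie": 3.0,
    "user_agent": 1.0,
    "screen": 1.0,           # screen resolution reported by the browser
    "timezone": 1.0,
    "ip_country": 2.0,       # country from IP geolocation
    "os_consistent": 1.0,    # OS in the UA string agrees with other OS hints
    "javascript": 0.5,
    "webrtc": 0.5,
}
THRESHOLD = 0.8


def match_score(stored: dict, current: dict) -> float:
    """Weighted fraction (0.0..1.0) of signals on which the login agrees with the stored profile."""
    total = sum(WEIGHTS.values())
    matched = sum(w for key, w in WEIGHTS.items() if stored.get(key) == current.get(key))
    return matched / total


def requires_step_up(stored: dict, current: dict, threshold: float = THRESHOLD) -> bool:
    """True when the login should be challenged with 2FA before a session is granted."""
    # A data-center / known-proxy egress is a hard signal: challenge regardless of score.
    if current.get("ip_is_datacenter"):
        return True
    return match_score(stored, current) < threshold


# Constructed sample data: the profile saved at account creation ...
PROFILE = {"device_cookie": "tok-a1b2c3", "user_agent": "Firefox/115 Linux",
           "screen": "1920x1080", "timezone": "Europe/London", "ip_country": "GB",
           "os_consistent": True, "javascript": True, "webrtc": True}
# ... the same user after copying UA and cookie to a second machine (only the screen differs),
SECOND_MACHINE = dict(PROFILE, screen="2560x1440")
# ... a password-only attacker abroad with no device cookie,
ATTACKER = {"user_agent": "Chrome/114 Windows", "screen": "1366x768",
            "timezone": "America/New_York", "ip_country": "US",
            "os_consistent": True, "javascript": True, "webrtc": True}
# ... and the real device arriving through a data-center IP (VPN/proxy).
VIA_VPN = dict(PROFILE, ip_is_datacenter=True)

if __name__ == "__main__":
    for name, login in [("same device", PROFILE), ("second machine", SECOND_MACHINE),
                        ("attacker", ATTACKER), ("via VPN", VIA_VPN)]:
        print(f"{name:15s} score={match_score(PROFILE, login):.2f} "
              f"step_up={requires_step_up(PROFILE, login)}")
```

With these weights the second machine scores 0.90 and passes, while the attacker scores 0.20 and is challenged; tuning the weights is where the real security decision lives.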