32: What is a Device Fingerprint?
Audio Cast:
Takeaway Points:
We have covered authentication in several other episodes - so take a look at:
When we authenticate we typically do so via a device, be it a mobile, laptop or other.
Each device has some distinguishing characteristics that can be captured during the login event to improve the security and risk decision making of the access management solution.
A device fingerprint essentially looks to capture knowledge about the device.
Depending on the device type, the way this information is captured varies - as of course do the values collected.
Laptop and desktop authentication typically takes place via a browser - and JavaScript is used to capture device knowledge.
This will include data such as browser version, locale, user agent, screen resolution, time zone, installed fonts and so on. Open source JS libraries such as FingerprintJS assist here.
The output of this querying can be fed into a cryptographic hash function - a one-way function that produces a short, fixed-length digest of what was collected, so the raw attribute values need not be stored. Hashing alone is only weakly privacy preserving, though: most of the inputs are low entropy and anyone holding the digest can guess and re-hash them, so a per-user salt is a sensible addition. The digest can then be stored against the user's profile as a "known" device, for example.
The hash value can be recalculated during every subsequent login event to see if the device has changed - which may indicate stolen credentials being used from an attacker's machine, or of course a new legitimate device.
Note also that any change on a legitimate device will change the hash value - a browser update, a newly installed font, or going from Chrome to Firefox - because a hash offers no partial match. Implementations therefore often store or compare the individual attributes (or a digest per attribute) as well, so that a single changed attribute can be scored as drift rather than as a brand new device.
On mobile devices, the native SDKs for Android and iOS can provide more detailed information such as OS version, installed apps, jailbreak or root status and so on. But the principle is the same - a hash of this information can be created and stored.
The main idea is to "bind" the user event to the same device and then check for differences, either during future login events or at access control / policy enforcement point checks. A mismatch at a policy enforcement point suggests session theft may have taken place: the device presenting the token or cookie is not the same device that was used at login.
Fingerprinting is not foolproof and can be spoofed - an attacker who captures the collected attributes (or simply runs the same JavaScript on the victim's browser) can replay them alongside a stolen token, so it should be one risk signal among several rather than a hard authentication factor. Privacy and tracking concerns from end users are also common, and browsers increasingly reduce the entropy exposed to fingerprinting scripts.