Enriching Identity Journeys With Device Fingerprinting

Cookies are great, but we do have a love-hate relationship with them. We don’t want to be tracked, but we do want a great customer experience. Third-party cookies are on the brink of their demise, with Google promising that Chrome will stop supporting them in Q3 2023. Regulators keep us in check by making us ask for consent (which neither developers nor consumers like), but because security and privacy is a living, breathing beast we have some work to do. Enter the device fingerprint. It’s a form of digital signature, not PII (Personally Identifiable Information), you may say. But watch this space, because I see it replacing tracking cookies sooner rather than later. If you want to stay on the safe side and you’re using device fingerprints today, treat them as if they were PII. It’s likely that GDPR and similar privacy regulations will call them out specifically in the near future.

Device

Well, I always say the devil is in the detail, so let’s get on the same page here. By device, we don’t mean a laptop, a mobile phone or a tablet; that classification is way too wide. What we normally mean is a browser on a device. And because I am usually that awkward guy in the room (there’s always one), I’ll make it even more precise: a device fingerprint really identifies an instance of a browser on a device. If you have multiple Chrome profiles or multiple versions of Firefox installed, each will deliver a different fingerprint.

The Battle for Confidence Level

Here’s the problem. Browser vendors try to protect our privacy as much as they can by limiting what applications can learn about us ‘for free’. Unfortunately, that gets in the way of accurate device fingerprinting. A classic JavaScript fingerprinting script has a fairly low confidence level of around 40-50%, which means that, statistically speaking, 5 in 10 devices may deliver the same fingerprint. It’s still useful if we want to differentiate one user’s own devices (for example a laptop from a mobile from a tablet), but it’s too low when it comes to identifying devices across users. Pair it with the IP address and we breathe another lease of life into the low-confidence fingerprint, but it remains fragile regardless. For example, if you are using two monitors with different resolutions and move the browser window from one to the other, that usually means a different fingerprint.

What’s the significance of the fingerprint’s cardinality, i.e. how uniquely it identifies a browser? Well, it’s not a competition over who is more accurate; it’s about the aftermath of using low-confidence fingerprints: false positives, and in principle a lot of them. You are trying to make the user experience better, but you’re actually making it worse! There are times when, for that reason, you wouldn’t want to use low-score prints at all.

There are, however, services on the market that combine AI/ML with some clever fingerprinting techniques (similar to TEMPEST techniques, filtering out signals with minute frequency differences) to deliver high-confidence signatures, for example by timing the calculation of a complex math challenge.

As I have mentioned many times before, I am not associated (apart from through my employer) with any of the vendors I mention in my blog, so please forgive me for giving an example and bringing fingerprint.com into the picture. It comes in two flavours: free and pro.

The pro version allows for an average 99.5% confidence level from the second fingerprint attempt onwards. Tamper with the user agent: same print. Change the resolution: same print. Launch private mode: same print (and you know it’s private mode, as a bonus). Switch IP address: same print. Minor browser upgrade: same print. And you can consume it for free (developer tier) until you are talking scale (>20k requests per month), which is why it was such a perfect match for me.

Same Fingerprint Across Different Browsers

This one is going to be very short. Without external software running on the device (outside of the browser), it’s not possible. Don’t waste your time looking for a fingerprinting solution that does this. If you do and find one, please let me know!

Example Use Cases

No one in their right mind will use fingerprinting solely for authentication. Even those who accept a 99.5% confidence level will likely deem a 0.5% chance of collision too big. So let’s have a look at where fingerprinting adds value to identity journeys.

Know Your Device (KYD)

In the era of fraud and account takeover, I may want to know which devices I am logging in from. If I only use a laptop and a mobile, seeing three or more different devices raises red flags. We can associate the fingerprints, get more information about the devices from their browsers, and keep them in the user’s profile, giving visibility of which devices an individual uses. This is fairly common for video streaming services, as it goes hand in hand with the licensing model (you can only stream on a limited number of devices). This particular use case does not require a high confidence score; 50% is perhaps more than enough.

Usernameless Experience

The classic approach is to drop a cookie and use it to identify the user, or to include it in the WebAuthn challenge (which is then also dependent on the cookie). In the retail space (for example Amazon), we identify a user by the cookie, let the customer shop and put stuff into the basket, and then ask for a password when they check out. That’s a great customer experience, but it doesn’t survive clearing the cookies or operating in private mode, where cookies are not persisted to disk.

Another example: imagine a passwordless flow based on Passkeys. They don’t rely on cookies any more, and you can authenticate to a browser using your phone. If we fingerprint the browser after we ask the visitor for the username and save it against their profile, that may well be the last time we ask for the username on that ‘device’. It cannot be a shared device, of course, but we can ask the user whether they want to use usernameless mode and whether the device is private. The experience? I can launch my browser (even in private mode) and I am immediately recognised as Marcin, and all I need to do is finish the login, either using the password (hopefully not!) or a FIDO2-compliant Passkey!

Unknown to Known Path

One of the customer experience ‘things’ is the conversion from a guest to a registered user. Sounds bizarre, so let’s quickly clarify what it means. You visit a web page for the first time, say an online retailer. You don’t want to disclose any information about yourself, like your name, email address or phone number. You do, however, want to play around, put various things into the basket or configure the look and feel of the online application. A few days later you come back and just want to check out, but you expect the basket still to be there. And the preferences. And the look and feel. If we rely solely on cookies for this, we may lose all of the above. If we use the device fingerprint instead, we have a much better chance of persisting the history.

Upon the first visit, your IAM solution creates a user with a random UID (user identifier), temporarily using the fingerprint as the username. This user cannot do much, but when they ‘convert’ they become a fully entitled account. The downside is that we need to persist the preferences and basket server side, but so what, storage is not that expensive any more!

SSO Cookie Hardening

I wrote about hardening SSO cookies here, so I’m not going to spend too much time on it; here is the short version. If the cookies are secure (encrypted or signed), then we can embed the device fingerprint inside them. When a resource is requested (which requires continuous authentication), the SSO cookie is honoured, but the fingerprint is re-checked. If the cookie finds its way to another browser, the fingerprint will not match and the IAM system will deny access and require re-authentication.

Normal Behaviour of a Fraudster

Many modern fraud prevention systems focus on the abnormal behaviours of users. We use AI/ML to analyse users’ interactions through behavioural analytics (UEBA). It means (just as an example) that if I normally log in to work from my MacBook Mon-Fri between 8:50 and 9:20 am, a login on Saturday at midnight will be marked as suspicious.

But instead of just looking for anomalies, we can focus on the known behaviours of the bad guys. If you are a retailer and offer a 10% introductory discount, you probably don’t want to give it out every time the same person makes a purchase. It’s an introductory offer, after all. Tracking IP addresses to prevent this kind of fraud is not enough. Your customers may be using a public hotspot or an office network where everyone’s requests are overloaded onto a single IP (a networking term, meaning translating or hiding the source IP address behind the Internet gateway’s address). While we cannot eliminate fraud completely, we can stop it early enough that the remaining cost is acceptable. By adding the device fingerprint to what I call ‘action counters’ we lower the detection threshold, and quite significantly. Fraudsters are likely to open or access many accounts from one ‘device’ (and statistically it’s mostly a mobile device). They also use stolen databases (remember, fraud and credential leaks are commercialised these days) to try a variety of payment cards. They may even be successful in the majority of attempts, but even 10 logins or payments from the same device using different accounts can be considered fraudulent and raise suspicion if you can track them down to the same browser.
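The ‘action counter’ idea is simple enough to show end to end. Below is an added example (not the post’s code): a sliding-window counter of distinct accounts per device fingerprint, run over a constructed event stream, alongside a plain per-IP counter for contrast. The event format, the 60-minute window, the threshold of 10 and all IPs (documentation ranges), fingerprints and account names are constructed for the example. Three populations are simulated: one mobile browser cycling through ten accounts, twelve colleagues behind one office NAT, and one genuine user checking out repeatedly from their own laptop.

```javascript
// Constructed events: { ts (ms since epoch), ip, fingerprint, account, action }.
const T0 = Date.UTC(2023, 0, 1, 0, 0, 0);
const EVENTS = [];
// One mobile browser cycling through ten different accounts in 40 minutes.
for (let i = 0; i < 10; i++) {
  EVENTS.push({ ts: T0 + i * 4 * 60000, ip: '203.0.113.5',
                fingerprint: 'fp-mobile-1', account: `acct-${i}`, action: 'checkout' });
}
// Twelve colleagues behind one office NAT, each on their own browser and account.
for (let i = 0; i < 12; i++) {
  EVENTS.push({ ts: T0 + i * 3 * 60000, ip: '198.51.100.7',
                fingerprint: `fp-office-${i}`, account: `emp-${i}`, action: 'checkout' });
}
// One genuine user checking out fifteen times from the same laptop and account.
for (let i = 0; i < 15; i++) {
  EVENTS.push({ ts: T0 + i * 2 * 60000, ip: '192.0.2.44',
                fingerprint: 'fp-laptop-marcin', account: 'marcin', action: 'checkout' });
}

// Action counter keyed by device fingerprint: flag a device once it has been
// used for `threshold` or more DISTINCT accounts within any `windowMs` span.
// Repeated actions by the same account on the same device do not count.
function flagDevices(events, { action, windowMs, threshold }) {
  const byDevice = new Map();
  for (const e of events) {
    if (e.action !== action) continue;
    if (!byDevice.has(e.fingerprint)) byDevice.set(e.fingerprint, []);
    byDevice.get(e.fingerprint).push(e);
  }
  const flagged = [];
  for (const [fingerprint, list] of byDevice) {
    list.sort((a, b) => a.ts - b.ts);
    const inWindow = new Map();   // account -> number of its events inside the window
    let start = 0;
    for (let i = 0; i < list.length; i++) {
      inWindow.set(list[i].account, (inWindow.get(list[i].account) || 0) + 1);
      // Slide the window start forward past events older than windowMs.
      while (list[i].ts - list[start].ts > windowMs) {
        const old = list[start++].account;
        const n = inWindow.get(old) - 1;
        if (n === 0) inWindow.delete(old); else inWindow.set(old, n);
      }
      if (inWindow.size >= threshold) {
        flagged.push({ fingerprint, distinctAccounts: inWindow.size, at: list[i].ts });
        break;   // one alert per device is enough
      }
    }
  }
  return flagged;
}

// Contrast: distinct accounts per source IP, which is what IP-only tracking sees.
function distinctAccountsPerIp(events) {
  const sets = new Map();
  for (const e of events) {
    if (!sets.has(e.ip)) sets.set(e.ip, new Set());
    sets.get(e.ip).add(e.account);
  }
  return new Map([...sets].map(([ip, s]) => [ip, s.size]));
}

console.log(flagDevices(EVENTS, { action: 'checkout', windowMs: 60 * 60000, threshold: 10 }));
console.log(distinctAccountsPerIp(EVENTS));
```

Only fp-mobile-1 is flagged. The per-IP view would also flag the office gateway (12 distinct accounts), which is the false positive the paragraph describes, and the laptop user’s fifteen checkouts are ignored because they all belong to one account. The same counter can be keyed on logins, discount redemptions or payment-card additions by changing the `action` field.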

Summary

There is a multitude of ways device fingerprinting can enrich identity-driven flows. The above are just a few examples. If you have a good use case, let me know, and if it’s unique I may add it here!