Friday 28 August 2015

Smarter Security with Device Fingerprints

Smarter security also means user friendly security, moving security beyond compromising convenience.

Multi-factor authentication has many benefits. Going through multiple factors multiple times in the same day from the same device, however, makes users grumble, especially when working at the office all day. Security can be smarter than that.

It happens that a web browser in the hands of an individual user develops an increasing level of uniqueness based on the combination of parameters such as browser type, installed fonts and plugins, screen resolution and colour depth, timezone, preferred language or even geolocation.
All these elements (and potentially others) combined represent the browser fingerprint.

So the user who already authenticated in the morning using username and password plus an SMS passcode as a 2nd factor comes back from lunch. A more convenient single-factor authentication (username and password) can often be suitable if the user is connecting from the same device. In reality users authenticate even more often than that against the same system on the same day.

The National Institute of Standards and Technology (NIST) researched the friction and disruption created by authentication. It concludes that any authentication task that requires time and effort on the part of the user creates a “wall of disruption” that impedes the performance of primary tasks, even when there are no problems [1].

Besides implementing SSO, device fingerprints are a compelling asset to lower the "wall of disruption". ForgeRock's identity platform provides this functionality out-of-the-box (since OpenAM 12). On top of that, browser fingerprint collection, matching and storing can be customised and extended. The functionality is part of both the commercial and the open source editions, as smart security software should be.

As privacy is built into ForgeRock's DNA and products, device fingerprints are stored only with user consent, and the user can view and delete them at any time.

Device Fingerprint in the Authentication Process

OpenAM provides two authentication modules to support device or browser fingerprints. The first, the "Device ID (Match)" module, invokes the collection of the fingerprint via JavaScript (executed in the user's web browser), compares the collected fingerprint with the stored fingerprints and determines whether the device can be considered known. The second, the "Device ID (Save)" module, stores the newly collected fingerprint in the data store if appropriate.
Device fingerprint authentication is used in combination with other authentication modules with the goal of sparing users multiple factors of authentication. Typically users are challenged with a first factor such as username and password. Only if this succeeds is the fingerprint collected and compared with the stored fingerprints. If the device is not "known", the user faces a 2nd factor of authentication such as a one-time password via SMS. Only after the 2nd factor succeeds, and upon user consent, is the fingerprint stored. If however the device is "known", no further processing is necessary and user authentication succeeds.

The OpenAM Administration Guide has a number of further hints on how to chain the Device ID modules with other modules [2].

Privacy and Consent

Before storing a device fingerprint, the user is asked for consent. If the user chooses not to store browser fingerprints, the device fingerprint modules have no effect and the authentication continues as defined in the authentication chain.

Stored browser fingerprints can be managed as "Trusted Devices" by the end user through the end user dashboard. By default, device fingerprints have a lifetime of 30 days.

Inside the Device Fingerprint Module

The "Device ID (Match)" module stores the collected fingerprint in the shared state memory element of the authentication modules (under the key devicePrintProfile). This value is picked up from the shared state by the "Device ID (Save)" module (if the process gets that far) and then stored in the data store.

Browser fingerprints are stored in the user data store. For instance, with the embedded store (the default) they are kept in the multi-valued attribute devicePrintProfiles in the following form ("pretty printed"):
{
 "lastSelectedDate": 1437623008779,
 "devicePrint": {
   "screen": {
     "screenWidth": 1440,
     "screenHeight": 900,
     "screenColourDepth": 24
   },
   "timezone": {
     "timezone": -120
   },
   "plugins": {
     "installedPlugins": "widevinecdmadapter.plugin;mhjfbmdgcfjbbpaeojofohoefgiehjai;PepperFlashPlayer.plugin;internal-remoting-viewer;internal-nacl-plugin;internal-pdf-viewer;"
   },
   "fonts": {
     "installedFonts": "cursive;monospace;serif;sans-serif;fantasy;default;Arial;Arial Black;Arial Narrow;Arial Rounded MT Bold;Comic Sans MS;Courier;Courier New;Georgia;Impact;Papyrus;Tahoma;Times;Times New Roman;Trebuchet MS;Verdana;"
   },
   "userAgent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/44.0.2403.130 Safari\/537.36",
   "appName": "Netscape",
   "appCodeName": "Mozilla",
   "appVersion": "5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/44.0.2403.130 Safari\/537.36",
   "platform": "MacIntel",
   "product": "Gecko",
   "productSub": "20030107",
   "vendor": "Google Inc.",
   "language": "en-US",
   "geolocation": {}
 },
 "name": "MacBookChrome",
 "selectionCounter": 1,
 "uuid": "a85e66e4-5de3-4795-be43-7159e9590cbb"
}

As mentioned before, the collection and matching can be extended and customised.
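To make the match step concrete, here is an added illustration (not OpenAM's own code) of how a Device ID (Match)-style decision can be taken over stored devicePrintProfiles entries of the form shown above: each differing attribute adds assumed penalty points, profiles older than the 30-day lifetime are ignored, and a match updates lastSelectedDate and selectionCounter. The weights, the threshold and the sample profile are assumptions for this example.

```javascript
// Added illustration of a Device ID (Match)-style decision; not OpenAM's own code.
// Penalty weights, MAX_PENALTY and the sample profile below are assumptions.
const DAY_MS = 24 * 60 * 60 * 1000;
const PROFILE_LIFETIME_MS = 30 * DAY_MS;   // default fingerprint lifetime (30 days)
const MAX_PENALTY = 100;                   // assumed: above this the device is "unknown"

// Assumed penalty points per differing attribute (dotted paths into devicePrint).
const PENALTIES = {
  userAgent: 100, platform: 100, language: 20,
  "screen.screenWidth": 50, "screen.screenHeight": 50, "screen.screenColourDepth": 20,
  "timezone.timezone": 20, "plugins.installedPlugins": 20, "fonts.installedFonts": 20,
};

const get = (obj, path) => path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), obj);

// Sum of penalties for every attribute that differs between stored and collected prints.
function penalty(stored, collected) {
  return Object.entries(PENALTIES)
    .reduce((sum, [path, w]) => sum + (get(stored, path) === get(collected, path) ? 0 : w), 0);
}

// Returns {profile, score} for the best unexpired profile within MAX_PENALTY, else null.
// On a match, lastSelectedDate and selectionCounter are updated like the stored entry above.
function matchDevice(profiles, collected, now) {
  let best = null;
  for (const p of profiles) {
    if (now - p.lastSelectedDate > PROFILE_LIFETIME_MS) continue;   // expired: not trusted
    const score = penalty(p.devicePrint, collected);
    if (score <= MAX_PENALTY && (best === null || score < best.score)) best = { profile: p, score };
  }
  if (best) { best.profile.lastSelectedDate = now; best.profile.selectionCounter += 1; }
  return best;
}

// Constructed sample shaped like the devicePrintProfiles entry shown above (values shortened).
const SAMPLE_PROFILES = [{
  lastSelectedDate: 1437623008779, name: "MacBookChrome", selectionCounter: 1,
  uuid: "a85e66e4-5de3-4795-be43-7159e9590cbb",
  devicePrint: {
    screen: { screenWidth: 1440, screenHeight: 900, screenColourDepth: 24 },
    timezone: { timezone: -120 }, plugins: { installedPlugins: "PepperFlashPlayer.plugin;" },
    fonts: { installedFonts: "Arial;Verdana;" }, userAgent: "Mozilla/5.0 (Macintosh) Chrome/44.0",
    platform: "MacIntel", language: "en-US", geolocation: {},
  },
}];
```

A plugin or font list that drifts slightly still matches under these weights, while a different platform or screen pushes the score over the threshold and sends the user to the 2nd factor.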

Further Reading

The Electronic Frontier Foundation published an interesting paper, "How Unique Is Your Web Browser?", which among other things presents research on the diversity and stability of browser fingerprints. It concludes:

"Browser fingerprinting is a powerful technique, and fingerprints must be considered alongside cookies, IP addresses and supercookies when we discuss web privacy and user trackability. Although fingerprints turn out not to be particularly stable, browsers reveal so much version and configuration information that they remain overwhelmingly trackable. There are implications both for privacy policy and technical design.
Policymakers should start treating fingerprintable records as potentially personally identifiable, and set limits on the durations for which they can be associated with identities and sensitive logs like clickstreams and search terms." [3]

Note that the default device fingerprint authentication modules support expiration of fingerprints.

Further research on the topic of browser fingerprinting shows alternative ways to compute a fingerprint, for instance using HTML5 <canvas> elements [4], as well as ways for users to circumvent fingerprinting if they wish. The ForgeRock identity platform can cater for both, as it is open and extensible and honours privacy.

References

[1] Steves, M.; Chisnell, D.; Sasse, A.; Krol, K.; Theofanos, M.; Wald, H. (2014). Report: Authentication Diary Study. NIST Interagency or Internal Report (NISTIR) 7983. <http://dx.doi.org/10.6028/NIST.IR.7983>
[2] Goldsmith, David; Hirayama, Gene; Lee, Chris, et al. OpenAM Administration Guide, Version 12.0.0. ForgeRock AS, December 17, 2014. Accessed August 28, 2015. <http://docs.forgerock.org/en/openam/12.0.0/admin-guide/index/chap-auth-services.html#device-id-match-hints>
[3] Eckersley, Peter. How Unique Is Your Web Browser? Electronic Frontier Foundation, 2010. <https://panopticlick.eff.org/browser-uniqueness.pdf>
[4] Mowery, Keaton; Shacham, Hovav. Pixel Perfect: Fingerprinting Canvas in HTML5. <http://w2spconf.com/2012/papers/w2sp12-final4.pdf>
[5] Wikipedia contributors. Device fingerprint. Wikipedia, The Free Encyclopedia, 27 Jul. 2015. Web. Accessed 28 Aug. 2015.