The role of browser fingerprinting in two factor2

•

1 like•308 views

This document discusses how browser fingerprinting can be used as a factor in multi-factor authentication. It explains that authentication is based on probability, not a binary yes/no. Using multiple authentication factors like something you know (password), something you have (browser), and something you are (biometrics) multiplies the probabilities of each being incorrect, making the overall authentication more secure. The document proposes that a user's unique browser configuration determined via fingerprinting could serve as an additional authentication factor, improving security without additional hardware costs. Objections about fingerprint or browser changes are addressed.

Technology

The role of Browser Fingerprinting in
Two Factor Authentication
Bart Decuypere
(decuypeb_at_gmail.com)

Authentication: a binary fact?
•
•
•
•

Password correct -> Yes/No
OTP correct -> Yes/No
Certificate Valid -> Yes/No
But: Authentication methods are not infallible
– Password hacked
– Digipass/SmartCard stolen

• Authentication is only for a certain % correct
– (viz. If the method is not corrupted)

• Authentication is a probability!

How can this be improved?
• Multi-Factor authentication!
– Knows
– Has
– Is

• What happens theoretically?
– We multiply the P(is_not(X))
– P(password_is_corrupt)*P(smart_card_is_stolen)
– (fiction) 0,01 * 0,001 = 0,00001 (very small probability
that someone is not who he claims to be)

What is browser fingerprinting?
• Collect characteristics of browser
• Calculate entropy to see whether this
configuration is unique (enough)... -> this is a
probability P(unique)
• If config is unique, we can track the user...
• We can use the browser config as a factor in
multifactor authentication!
– Something the user has!

New use cases
• As a browser is an extra factor:
– Splitting a transaction over two browsers is more
secure than only using one browser
– Password and browser are two factors
– Each device with a browser can be a 2nd factor
• Smart phone, tablet, other pc...

– 2nd factor devices come at no additional cost

General rule: it’s only multiplying
probabilities
• Determine beforehand your level of certainty
• Use as many factors as you need to obtain
that certainty
– Password
– Browser fingerprint
– Device fingerprint
– Smartcard

• Authentication is not binary! It’s a probability!

Similar to The role of browser fingerprinting in two factor2

These slides use concepts from my (Jeff Funk) course entitled analyzing hi-tech opportunities to show how the cost and performance of biometrics are improving rapidly, making many new applications possible, particularly for fingerprinting in phones. Improvements in cameras and other electronics are making optical, capacitive, and ultrasound sensors better. Improvements in microprocessors are making the matching algorithms operate faster and with higher accuracy. We expect biometrics to become widely used in the next few years beginning with smart phones and followed by automobiles, homes, and offices. Better biometrics in smart phones will promote security and mobile commerce.

Biometrics/fingerprint sensors

Jeffrey Funk

Access Control Presentation

Wajahat Rajab

Password Problem - Solved!

Cyber Security Summit

Two factor authentication.pptx

ArpithaShoby

Electronic identification

Bozhidar Bozhanov

120 i143

Hai Nguyen

Eds user authenticationuser authentication methods

lapao2014

Circle City Con 5.0 Phishing Forensics - Is it just suspicious or is it malicious? -Matt Scheurer Abstract: What thoughts currently make tech defenders uneasy as they go to bed at night? Despite implementing and properly configuring the latest technological controls and security solutions into our environments, end users typically remain the most vulnerable point of entry into nearly any network. Unfortunately, only one misstep by a single user provides attackers with the foothold they need to begin compromising an entire enterprise network environment. The safety of our inboxes is a key initiative on the battlefront of protecting staff from the scourge of phishing and spear phishing attacks. We will perform a deep-dive look at the latest techniques used by criminals to bypass security products and traditional defense-in-depth strategies. We then focus heavily on conducting a digital forensic investigation on a sample phishing email message. Topics covered include technical analysis of message headers, message source code, message attachments, and malicious landing web pages even when a dedicated sandbox environment is unavailable.

Circle City Con: Phishing Forensics - Is it just suspicious or is it malicious?

ThreatReel Podcast

Attacks on organizations are in the news every day. How can your organization keep from becoming tomorrow’s headline? Join SecureAuth as we take a deeper look at how adaptive authentication techniques can enable your organization to stop attackers in their tracks. With live intelligence data as a part of your authentication workflows, you can easily identify suspicious actors before they enter your network, not after they violate a policy.

How to Stop Cyber Attacks Using Adaptive Authentication

SecureAuth

Lend me your IR's! -Matt Scheurer BSides Columbus August 21, 2020 Abstract: Have you ever felt compelled to tip your cap to a malicious threat actor? Protecting systems and networks as a tech defender means withstanding a constant barrage of unsophisticated attacks from automated tools, botnets, crawlers, exploit kits, phish kits, and script kiddies; oh my! Once in a while we encounter attacks worthy of style points for creativity or new twists on old attack techniques. This talk features live demo reenactments from some advanced attacks investigated by the presenter. The live demos showcase technical deep dives of the underpinnings from both the attacker and investigator sides of these attacks. Attendee key takeaways are strategies, freely available tools, and techniques helpful during incident response investigations. Bio: Matt Scheurer serves as Chair of the Cincinnati Networking Professionals Association Security Special Interest Group (CiNPA Security SIG), a former Ambassador for Bugcrowd, and works as a Systems Security Engineer in the Financial Services industry. He holds a CompTIA Security+ Certification and possesses multiple Microsoft Certifications including MCP, MCPS, MCTS, MCSA, and MCITP. He has presented on numerous Information Security topics as a featured speaker at many local area technology groups and large Information Security conferences. Matt maintains active memberships in a number of professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), Information Systems Security Association (ISSA), and InfraGard.

BSides Columbus - Lend me your IR's!

ThreatReel Podcast

Authentication without Authentication - AppSec California

Soluto

Sql securitytesting

Thilak Pathirage -Senior IT Gov and Risk Consultant

3dpassword ppt-120815070434-phpapp02

ajaykumar557

Sure, you can spell enterprise security without the letters M-F-A, but the modern digital enterprise isn't as secure without a strong multi-factor authentication (MFA) strategy. Enterprises are under attack, and credentials are a primary target. Many leading enterprises are enhancing their security and control with MFA, allowing them to move away from a high-risk, password-based security approach and to give their employees, partners, and customers a better user experience. View this slide deck for best practices for a MFA strategy.

You Can't Spell Enterprise Security without MFA

Ping Identity

Slide deck from my presentation at the BSides Indy InfoSec Conference on 03/10/2018. Abstract: What thoughts currently make tech defenders uneasy as they go to bed at night? Despite implementing and properly configuring the latest technological controls and security solutions into our environments, end users typically remain the most vulnerable point of entry into nearly any network. Unfortunately, only one misstep by a single user provides attackers with the foothold they need to begin compromising an entire enterprise network environment. The safety of our inboxes is a key initiative on the battlefront of protecting staff from the scourge of phishing and spear phishing attacks. We will perform a deep-dive look at the latest techniques used by criminals to bypass security products and traditional defense-in-depth strategies. We then focus heavily on conducting a digital forensic investigation on a sample phishing email message. Topics covered include technical analysis of message headers, message source code, message attachments, and malicious landing web pages even when a dedicated sandbox environment is unavailable.

BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...

ThreatReel Podcast

Speakers: Shaun Pearce, CTO, Gousto Dan Leitao, Product Consultant, Onfido Moderator: Liam McClary, UK Startups Segment Leader, AWS Focus: Product Innovative companies operate in a loop of experimentation and learning that leads to further data-driven iteration. Whether you're introducing a brand new service, or you’re trying to improve a particular feature, it’s crucial that you’re tracking and measuring user behavior. Come and learn from AWS customers on how they’re leveraging the low cost of experimentation on AWS, best practices for A/B testing, their approach to data collection and analysis, and how they prioritize new features.

Onfido: Data-Driven Product Management at Scale

Amazon Web Services

4.2.1 Network Issues and Communication.pptx

TeenaSharma73

4.2.1 Network Issues and Communication [Autosaved].pptx

TeenaSharma73

More Issues on Digital Identity (24Feb2023)

Hitoshi Kokumai

Slide deck from my presentation at the ISSA's 11th annual Central Ohio InfoSec Summit on 05/14/2018. Abstract: What thoughts currently make tech defenders uneasy as they go to bed at night? Despite implementing and properly configuring the latest technological controls and security solutions into our environments, end users typically remain the most vulnerable point of entry into nearly any network. Unfortunately, only one misstep by a single user provides attackers with the foothold they need to begin compromising an entire enterprise network environment. The safety of our inboxes is a key initiative on the battlefront of protecting staff from the scourge of phishing and spear phishing attacks. We will perform a deep-dive look at the latest techniques used by criminals to bypass security products and traditional defense-in-depth strategies. We then focus heavily on conducting a digital forensic investigation on a sample phishing email message. Topics covered include technical analysis of message headers, message source code, message attachments, and malicious landing web pages even when a dedicated sandbox environment is unavailable.

ISSA COISS: : Phishing Forensics - Is it just suspicious or is it malicious?

ThreatReel Podcast

Similar to The role of browser fingerprinting in two factor2 (20)

Biometrics/fingerprint sensors

Access Control Presentation

Password Problem - Solved!

Two factor authentication.pptx

Electronic identification

120 i143

Eds user authenticationuser authentication methods

Circle City Con: Phishing Forensics - Is it just suspicious or is it malicious?

How to Stop Cyber Attacks Using Adaptive Authentication

BSides Columbus - Lend me your IR's!

Authentication without Authentication - AppSec California

Sql securitytesting

3dpassword ppt-120815070434-phpapp02

You Can't Spell Enterprise Security without MFA

BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...

Onfido: Data-Driven Product Management at Scale

4.2.1 Network Issues and Communication.pptx

4.2.1 Network Issues and Communication [Autosaved].pptx

More Issues on Digital Identity (24Feb2023)

ISSA COISS: : Phishing Forensics - Is it just suspicious or is it malicious?

Recently uploaded

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

What is a good lead in your organisation? Which leads are priority? What happens to leads? When sales and marketing give different answers to these questions, or perhaps aren't sure of the answers at all, frustrations build and opportunities are left on the table. Join us for an illuminating session with Cian McLoughlin, HubSpot Principal Customer Success Manager, as we look at that crucial piece of the customer journey in which leads are transferred from marketing to sales.

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

HampshireHUG

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Discord is a free app offering voice, video, and text chat functionalities, primarily catering to the gaming community. It serves as a hub for users to create and join servers tailored to their interests. Discord’s ecosystem comprises servers, each functioning as a distinct online community with its own channels dedicated to specific topics or activities. Users can engage in text-based discussions, voice calls, or video chats within these channels. Understanding Discord Servers Discord servers are virtual spaces where users congregate to interact, share content, and build communities. Servers may revolve around gaming, hobbies, interests, or fandoms, providing a platform for like-minded individuals to connect. Communication Features Discord offers a range of communication tools, including text channels for messaging, voice channels for real-time audio conversations, and video channels for face-to-face interactions. These features facilitate seamless communication and collaboration. What Does NSFW Mean? The acronym NSFW stands for “Not Safe For Work,” indicating content that may be inappropriate for professional or public settings. NSFW Content NSFW content encompasses material that is sexually explicit, violent, or otherwise graphic in nature. It often includes nudity, profanity, or depictions of sensitive topics.

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

UK Journal

The presentation explores the development and application of artificial intelligence (AI) from its inception to its current status in the modern world. The term "artificial intelligence" was first coined by John McCarthy in 1956 to describe efforts to develop computer programs capable of performing tasks that typically require human intelligence. This concept was first introduced at a conference held at Dartmouth College, where programs demonstrated capabilities such as playing chess, proving theorems, and interpreting texts. In the early stages, Alan Turing contributed to the field by defining intelligence as the ability of a being to respond to certain questions intelligently, proposing what is now known as the Turing Test to evaluate the presence of intelligent behavior in machines. As the decades progressed, AI evolved significantly. The 1980s focused on machine learning, teaching computers to learn from data, leading to the development of models that could improve their performance based on their experiences. The 1990s and 2000s saw further advances in algorithms and computational power, which allowed for more sophisticated data analysis techniques, including data mining. By the 2010s, the proliferation of big data and the refinement of deep learning techniques enabled AI to become mainstream. Notable milestones included the success of Google's AlphaGo and advancements in autonomous vehicles by companies like Tesla and Waymo. A major theme of the presentation is the application of generative AI, which has been used for tasks such as natural language text generation, translation, and question answering. Generative AI uses large datasets to train models that can then produce new, coherent pieces of text or other media. The presentation also discusses the ethical implications and the need for regulation in AI, highlighting issues such as privacy, bias, and the potential for misuse. These concerns have prompted calls for comprehensive regulations to ensure the safe and equitable use of AI technologies. Artificial intelligence has also played a significant role in healthcare, particularly highlighted during the COVID-19 pandemic, where it was used in drug discovery, vaccine development, and analyzing the spread of the virus. The capabilities of AI in healthcare are vast, ranging from medical diagnostics to personalized medicine, demonstrating the technology's potential to revolutionize fields beyond just technical or consumer applications. In conclusion, AI continues to be a rapidly evolving field with significant implications for various aspects of society. The development from theoretical concepts to real-world applications illustrates both the potential benefits and the challenges that come with integrating advanced technologies into everyday life. The ongoing discussion about AI ethics and regulation underscores the importance of managing these technologies responsibly to maximize their their benefits while minimizing potential harms.

Artificial Intelligence: Facts and Myths

Joaquim Jorge

BooK Now Call us at +918448380779 to hire a gorgeous and seductive call girl for sex. Take a Delhi Escort Service. The help of our escort agency is mostly meant for men who want sexual Indian Escorts In Delhi NCR. It should be noted that any impersonator will get 100 attention from our Young Girls Escorts in Delhi. They will assume the position of reliable allies. VIP Call Girl With Original Photos Book Tonight +918448380779 Our Cheap Price 1 Hour not available 2 Hours 5000 Full Night 8000 TAG: Call Girls in Delhi, Noida, Gurgaon, Ghaziabad, Connaught Place, Greater Kailash Delhi, Lajpat Nagar Delhi, Mayur Vihar Delhi, Chanakyapuri Delhi, New Friends Colony Delhi, Majnu Ka Tilla, Karol Bagh, Malviya Nagar, Saket, Khan Market, Noida Sector 18, Noida Sector 76, Noida Sector 51, Gurgaon Mg Road, Iffco Chowk Gurgaon, Rajiv Chowk Gurgaon All Delhi Ncr Free Home Deliver

08448380779 Call Girls In Greater Kailash - I Women Seeking Men

Delhi Call girls

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Partners Life - Insurer Innovation Award 2024

The Digital Insurer

Heather Hedden, Senior Consultant at Enterprise Knowledge, presented “The Role of Taxonomy and Ontology in Semantic Layers” at a webinar hosted by Progress Semaphore on April 16, 2024. Taxonomies at their core enable effective tagging and retrieval of content, and combined with ontologies they extend to the management and understanding of related data. There are even greater benefits of taxonomies and ontologies to enhance your enterprise information architecture when applying them to a semantic layer. A survey by DBP-Institute found that enterprises using a semantic layer see their business outcomes improve by four times, while reducing their data and analytics costs. Extending taxonomies to a semantic layer can be a game-changing solution, allowing you to connect information silos, alleviate knowledge gaps, and derive new insights. Hedden, who specializes in taxonomy design and implementation, presented how the value of taxonomies shouldn’t reside in silos but be integrated with ontologies into a semantic layer. Learn about: - The essence and purpose of taxonomies and ontologies in information and knowledge management; - Advantages of semantic layers leveraging organizational taxonomies; and - Components and approaches to creating a semantic layer, including the integration of taxonomies and ontologies

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf

Enterprise Knowledge

Building Digital Trust in a Digital Economy Veronica Tan, Director - Cyber Security Agency of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

apidays

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Rafal Los

Histor y of HAM Radio presentation slide

vu2urc

Finology Group – Insurtech Innovation Award 2024

The Digital Insurer

08448380779 Call Girls In Civil Lines Women Seeking Men

Delhi Call girls

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

Presentation on how to chat with PDF using ChatGPT code interpreter

naman860154

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

Sara Mae O’Brien Scott and Tatiana Baquero Cakici, Senior Consultants at Enterprise Knowledge (EK), presented “AI Fast Track to Search-Focused AI Solutions” at the Information Architecture Conference (IAC24) that took place on April 11, 2024 in Seattle, WA. In their presentation, O’Brien-Scott and Cakici focused on what Enterprise AI is, why it is important, and what it takes to empower organizations to get started on a search-based AI journey and stay on track. The presentation explored the complexities of enterprise search challenges and how IA principles can be leveraged to provide AI solutions through the use of a semantic layer. O’Brien-Scott and Cakici showcased a case study where a taxonomy, an ontology, and a knowledge graph were used to structure content at a healthcare workforce solutions organization, providing personalized content recommendations and increasing content findability. In this session, participants gained insights about the following: Most common types of AI categories and use cases; Recommended steps to design and implement taxonomies and ontologies, ensuring they evolve effectively and support the organization’s search objectives; Taxonomy and ontology design considerations and best practices; Real-world AI applications that illustrated the value of taxonomies, ontologies, and knowledge graphs; and Tools, roles, and skills to design and implement AI-powered search solutions.

IAC 2024 - IA Fast Track to Search Focused AI Solutions

Enterprise Knowledge

What are drone anti-jamming systems? The drone anti-jamming systems and anti-spoof technology protect against interference, jamming, and spoofing of the UAVs. To protect their security, countries are beginning to research drone anti-jamming systems, also known as drone strike weapons. The anti-jam and anti-spoof technology protects against interference, jamming and spoofing. A drone strike weapon is a drone attack weapon that can attack and destroy enemy drones. So what is so unique about this amazing system?

What Are The Drone Anti-jamming Systems Technology?

Antenna Manufacturer Coco

Recently uploaded (20)

Axa Assurance Maroc - Insurer Innovation Award 2024

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

How to Troubleshoot Apps for the Modern Connected Worker

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

Artificial Intelligence: Facts and Myths

08448380779 Call Girls In Greater Kailash - I Women Seeking Men

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

Partners Life - Insurer Innovation Award 2024

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Histor y of HAM Radio presentation slide

Finology Group – Insurtech Innovation Award 2024

08448380779 Call Girls In Civil Lines Women Seeking Men

Boost Fertility New Invention Ups Success Rates.pdf

Presentation on how to chat with PDF using ChatGPT code interpreter

Exploring the Future Potential of AI-Enabled Smartphone Processors

IAC 2024 - IA Fast Track to Search Focused AI Solutions

What Are The Drone Anti-jamming Systems Technology?

The role of browser fingerprinting in two factor2

1. The role of Browser Fingerprinting in Two Factor Authentication Bart Decuypere (decuypeb_at_gmail.com)

2. Authentication: a binary fact? • • • • Password correct -> Yes/No OTP correct -> Yes/No Certificate Valid -> Yes/No But: Authentication methods are not infallible – Password hacked – Digipass/SmartCard stolen • Authentication is only for a certain % correct – (viz. If the method is not corrupted) • Authentication is a probability!

3. How can this be improved? • Multi-Factor authentication! – Knows – Has – Is • What happens theoretically? – We multiply the P(is_not(X)) – P(password_is_corrupt)*P(smart_card_is_stolen) – (fiction) 0,01 * 0,001 = 0,00001 (very small probability that someone is not who he claims to be)

4. What is browser fingerprinting? • Collect characteristics of browser • Calculate entropy to see whether this configuration is unique (enough)... -> this is a probability P(unique) • If config is unique, we can track the user... • We can use the browser config as a factor in multifactor authentication! – Something the user has!

5. Objections (What if...?) • ... the profile is not unique enough – Add a factor (e.g. password) – Forward transaction to another device/browser • ... the browser is taken over by a hacker (MITM) – Maybe we can see it in the profile? – Browser is only one factor, there are other factors. – You can add factors (dynamically until you are certain enough) • ... the browser fingerprint changes (due to upgrade, plugins, ...) – Use algorithms to map before and after... (this is also probability, and might cause an extra factor to be used)

6. New use cases • As a browser is an extra factor: – Splitting a transaction over two browsers is more secure than only using one browser – Password and browser are two factors – Each device with a browser can be a 2nd factor • Smart phone, tablet, other pc... – 2nd factor devices come at no additional cost

7. General rule: it’s only multiplying probabilities • Determine beforehand your level of certainty • Use as many factors as you need to obtain that certainty – Password – Browser fingerprint – Device fingerprint – Smartcard • Authentication is not binary! It’s a probability!

The role of browser fingerprinting in two factor2

Recommended

Recommended

More Related Content

Similar to The role of browser fingerprinting in two factor2

Similar to The role of browser fingerprinting in two factor2 (20)

Recently uploaded

Recently uploaded (20)

The role of browser fingerprinting in two factor2