Abstract
Modern browsers give access to several attributes that can be collected to form a browser fingerprint. Although browser fingerprints have primarily been studied as a web tracking tool, they can contribute to improving the current state of web security by augmenting web authentication mechanisms. In this article, we investigate the adequacy of browser fingerprints for web authentication. We make the link between the digital fingerprints that distinguish browsers and the biological fingerprints that distinguish humans, to evaluate browser fingerprints according to properties inspired by biometric authentication factors. These properties include their distinctiveness, their stability through time, their collection time, their size, and the accuracy of a simple verification mechanism. We assess these properties on a large-scale dataset of 4,145,408 fingerprints composed of 216 attributes and collected from 1,989,365 browsers. By time-partitioning our dataset, we show that more than 81.3% of our fingerprints are shared by a single browser. Although browser fingerprints are known to evolve, an average of 91% of the attributes of our fingerprints stay identical between two observations, even when separated by nearly six months. Regarding their performance, we show that our fingerprints weigh a dozen kilobytes and take a few seconds to collect. Finally, we show that a simple verification mechanism achieves an equal error rate of 0.61%. We enrich our results with an analysis of the correlation between the attributes and of their contribution to the evaluated properties. We conclude that our browser fingerprints carry the promise to strengthen web authentication mechanisms.
A Large-scale Empirical Analysis of Browser Fingerprints Properties for Web Authentication