Chapter 5. Alternate Methods of Identification

Because of the heavy intersection between mobile devices, desktop clients, and a new breed of connected hardware out of the Internet of Things, the demand for a new class of authentication and authorization technology is on the rise. This chapter covers upcoming standards such as FIDO that enable covering multiple form factors and are able to scale beyond software-based authentication technology.

Device and Browser Fingerprinting

Next to regular authentication and authorization scenarios, device and browser fingerprinting allows for a more passive way to identify users across a big target group. Applications like Am I Unique? are broadly available and can leverage many factors in order to determine whether a user is unique.

When performing device and browser fingerprinting, the user is usually tested against some very general and broad factors—such as the device’s platform, the current browser, or whether cookies are enabled on the device—and then against more granular and subtle determinants, like the device’s resolution, time zone, the browser’s enabled plug-ins, or user agent. When Flash is enabled, services like Am I Unique? or Panopticlick are even able to obtain a list of currently installed fonts.

Eight factors can be concatenated and lead to a browser’s fingerprint (Table 5-1).

Table 5-1. Browser measurements to determine uniqueness
Variable Obtained through

User Agent

HTTP

Get Identity and Data Security for Web Development now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.