"Guess Who ?" Large-Scale Data-Centric Study of the Adequacy of Browser Fingerprints for Web Authentication

TL;DR

This large-scale study evaluates browser fingerprints' potential as a web authentication factor, analyzing their uniqueness, stability over time, and practicality, and finds they are promising for enhancing security.

Contribution

The paper provides a comprehensive empirical analysis of browser fingerprints' properties, assessing their suitability and practicality for web authentication.

Findings

81% unicity rate among nearly 2 million browsers

Over 90% of attributes remain unchanged after 6 months

Fingerprints are quick to collect and lightweight in size

Abstract

Browser fingerprinting consists in collecting attributes from a web browser to build a browser fingerprint. In this work, we assess the adequacy of browser fingerprints as an authentication factor, on a dataset of 4,145,408 fingerprints composed of 216 attributes. It was collected throughout 6 months from a population of general browsers. We identify, formalize, and assess the properties for browser fingerprints to be usable and practical as an authentication factor. We notably evaluate their distinctiveness, their stability through time, their collection time, and their size in memory. We show that considering a large surface of 216 fingerprinting attributes leads to an unicity rate of 81% on a population of 1,989,365 browsers. Moreover, browser fingerprints are known to evolve, but we observe that between consecutive fingerprints, more than 90% of the attributes remain unchanged after nearly 6 months. Fingerprints are also affordable. On average, they weigh a dozen of kilobytes, and are collected in a few seconds. We conclude that browser fingerprints are a promising additional web authentication factor.