Re: [WEB SECURITY] MachineID fingerprinting
- From: robert@xxxxxxxxxxxxx
- Subject: Re: [WEB SECURITY] MachineID fingerprinting
- Date: Wed, 8 Aug 2007 15:51:37 -0400 (EDT)
Installing an application is acceptable; using browser-level device fingerprinting is also acceptable.
The goal isn't to use it as authentication, merely to use it as a way to identify familiarity of the user before
allowing a login. If it doesn't know the user, they may need to log in and provide an additional level of information
to log in. If they are known, they won't need to perform the additional challenge. BOA asks additional questions
if you are from a new machine, for example, and even if you have my credentials, you still need to also obtain
the additional layer of info, which may rotate question-wise. Ignore phishing use cases; think account brute-force
protection methods.
This is about as specific as I can get given this is something of interest and isn't decided upon in any way. Just curious
how this sort of thing has worked for others.
Regards,
- Robert
>
> On 8/8/07, robert@xxxxxxxxxxxxx <robert@xxxxxxxxxxxxx> wrote:
> > Client-side certificates are impossible for this specific implementation
>
> Now you got me curious. Can you share a bit about the threat-model
> and the constraints here? For example, is installing client-side code
> OK?
>
> Cheers,
> Brian
>
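A minimal sketch of the login flow described in this message, added here as an illustration and not code from either poster: a familiar machine skips the extra challenge, while correct credentials from an unfamiliar machine still face a rotating question. The names (`login`, `device_token`, `SERVER_KEY`), the HMAC-signed device token and the sample account are assumptions; `device_id` stands for whatever the installed application or browser fingerprint yields.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # assumption: per-site secret kept server-side
SALT = b"constructed-salt"             # constructed; use a random per-user salt in practice

def pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed sample account with two rotating challenge questions.
USERS = {"alice": {"pw": pw_hash("correct horse"),
                   "questions": {"first pet?": "rex", "childhood street?": "elm"}}}

def device_token(user: str, device_id: str) -> str:
    """HMAC tag tying one device identifier to one account."""
    msg = f"{user}\x00{device_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def is_known_device(user: str, device_id: str, token) -> bool:
    if token is None:
        return False
    return hmac.compare_digest(device_token(user, device_id).encode(), token.encode())

def login(user, password, device_id, token=None, question=None, answer=None):
    """Return (status, payload): status is 'ok', 'challenge' or 'denied'."""
    record = USERS.get(user)
    if record is None or not hmac.compare_digest(record["pw"], pw_hash(password)):
        return ("denied", None)
    if is_known_device(user, device_id, token):
        return ("ok", token)                      # familiar machine: no extra challenge
    if question is None or answer is None:
        # Unfamiliar machine: correct credentials alone are not enough.
        return ("challenge", secrets.choice(list(record["questions"])))
    expected = record["questions"].get(question)
    given = answer.strip().lower().encode()
    if expected is not None and hmac.compare_digest(expected.encode(), given):
        return ("ok", device_token(user, device_id))  # remember this machine from now on
    return ("denied", None)
```

The token is bound to both the account and the device identifier, so a token issued for one machine does not mark a different machine as familiar.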
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org