
Re: [WEB SECURITY] MachineID fingerprinting



I know this doesn't address your question, Robert, but I really have to
question the value of checking the "familiarity" of a machine for any
sort of authentication or authorization process in a consumer market
(I am specifying consumer market since the example is BoA, a
consumer-oriented application), including using a machine ID as a
component of authentication and authorization.

What do you learn? That a user has returned using the same computer?
So what? Does that mean it is the same human? Looks like security
theater to me.

BTW, since you're being vague about the use case and you are OK with
installing software on a user's computer, have you looked into TPM
applications? Wave Systems has a few apps and, more importantly, an
API. TPMs are shipping on more computers and I think Broadcom even has
an implementation on their NIC that may come in a card or daughter
board format. The TPM will support multiple users and shouldn't be
easily circumvented.

Just a thought.

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



Brought to you by http://www.webappsec.org