Re: [WEB SECURITY] MachineID fingerprinting
- From: "Andy Steingruebl" <steingra@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] MachineID fingerprinting
- Date: Thu, 9 Aug 2007 16:05:20 -0700
On 8/9/07, Mike Fratto <mfratto@xxxxxxxxx> wrote:
> I know this doesn't address your question, Robert but I really have to
> question the value of checking the "familiarity" of a machine for any
> sort of authentication or authorization process in a consumer market
> (I am specifying consumer market since the example is BoA, a consumer
> oriented application) including using a machine ID as a component of
> authentication and authorization.
It isn't a binary choice though. It's a matter of adding up a number
of factors to make a risk-based authentication decision rather than
just "did username+password match my database?"
Along these lines you can use multiple factors such as GeoLocation,
MachineID, previous usage pattern (location, time of day, etc) to make
a determination about the authentication status for the user.
Part of what you're trying to prevent is the phishing site in the
Ukraine logging in from a Mac to a user's account where the user has
only *ever* logged in from Maine on a Windows system. It isn't a
perfect defense, you're just trying to raise the bar.
- Andy
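The scoring Andy sketches above, worked through as an added example (this is illustrative code written for this page, not anything from the thread or from BoA's system). The factor names, weights, thresholds and the constructed login history are all assumptions; a real deployment would tune them from data. It shows why the decision is not binary: the Ukraine/Mac scenario trips every factor and is refused, a new laptop in the usual place only nudges the score, and two unfamiliar factors together land in the middle where a step-up challenge is appropriate.

```python
"""Risk-based authentication scorer (illustrative, added example).

Assumed design, not from the original thread: each factor that looks
unfamiliar for this user adds a fixed number of points; the total picks
allow / step_up / deny.  The weights, thresholds and sample history are
constructed for the demo.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime


@dataclass(frozen=True)
class LoginEvent:
    username: str
    region: str        # coarse geolocation of the client IP, e.g. "US-ME"
    machine_id: str    # opaque device identifier (cookie or fingerprint hash)
    platform: str      # OS family reported by the client, e.g. "windows"
    when: datetime


@dataclass
class UserProfile:
    """Values seen on this user's past successful logins."""
    regions: set = field(default_factory=set)
    machines: set = field(default_factory=set)
    platforms: set = field(default_factory=set)
    hours: set = field(default_factory=set)
    logins: int = 0

    def record(self, ev: LoginEvent) -> None:
        self.regions.add(ev.region)
        self.machines.add(ev.machine_id)
        self.platforms.add(ev.platform)
        self.hours.add(ev.when.hour)
        self.logins += 1


# Assumed weights: points added when a factor's value is new for this user.
WEIGHTS = {"region": 40, "machine": 25, "platform": 20, "hour": 15}
STEP_UP_AT = 40   # at or above: demand a second factor (challenge question, OTP)
DENY_AT = 70      # at or above: refuse the login and alert


def factor_scores(profile: UserProfile, ev: LoginEvent) -> dict:
    """Per-factor anomaly points; 0 means 'consistent with this user'."""
    if profile.logins == 0:
        # No history yet: familiarity says nothing, so it contributes nothing.
        return {k: 0 for k in WEIGHTS}
    # Time of day is fuzzy: anything within two hours of a known hour is familiar.
    near_hours = {(h + d) % 24 for h in profile.hours for d in (-2, -1, 0, 1, 2)}
    return {
        "region": 0 if ev.region in profile.regions else WEIGHTS["region"],
        "machine": 0 if ev.machine_id in profile.machines else WEIGHTS["machine"],
        "platform": 0 if ev.platform in profile.platforms else WEIGHTS["platform"],
        "hour": 0 if ev.when.hour in near_hours else WEIGHTS["hour"],
    }


def decide(profile: UserProfile, ev: LoginEvent) -> tuple[str, int, dict]:
    """Return (verdict, total_score, per_factor_points)."""
    parts = factor_scores(profile, ev)
    total = sum(parts.values())
    if total >= DENY_AT:
        verdict = "deny"
    elif total >= STEP_UP_AT:
        verdict = "step_up"
    else:
        verdict = "allow"
    return verdict, total, parts


def build_demo_profile() -> UserProfile:
    """Constructed history: only ever Windows from Maine, mornings and evenings."""
    p = UserProfile()
    for day, hour in ((1, 8), (2, 19), (3, 8), (4, 8)):
        p.record(LoginEvent("alice", "US-ME", "m-1", "windows",
                            datetime(2007, 8, day, hour, 0)))
    return p


def attempt(region: str, machine_id: str, platform: str, hour: int) -> LoginEvent:
    """Build a constructed login attempt for alice on 2007-08-09 at the given hour."""
    return LoginEvent("alice", region, machine_id, platform,
                      datetime(2007, 8, 9, hour, 0))


if __name__ == "__main__":
    profile = build_demo_profile()
    # Phisher replaying the stolen password from Ukraine, on a Mac, at 03:00.
    print(decide(profile, attempt("UA", "m-9", "macos", 3)))
    # Alice on a new Windows laptop at home at her usual time: only the machine is new.
    print(decide(profile, attempt("US-ME", "m-2", "windows", 8)))
    # Alice travelling with that new laptop: region and machine are both new.
    print(decide(profile, attempt("US-CA", "m-2", "windows", 19)))
```

Two caveats worth keeping in mind when reading the output: with no login history the scorer abstains rather than guessing, and the MachineID factor is only as strong as the channel it rides on, since a phishing site that proxies the victim's session can relay the victim's own device identifier along with the password. That is why it is one term in the sum and not the decision by itself, which is the point of the message above.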
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org