this post was submitted on 14 Feb 2024
264 points (89.3% liked)
Technology
59587 readers
2472 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Totally! Browser and device fingerprinting are commonly used as first-line defenses against ATOs (account takeovers). There are other kinds of fingerprinting, like those that can learn about your installed hardware and drivers. Really, I'm learning about more fingerprinting methods all the time. That said, decisions are usually made based on several different information sources. These include variables like:
There's even some buzz around "behavioral biometrics" to identify individuals by how they type, but this is still not the sole method of identification. It's mainly about flagging bots who don't type like humans. However, learning how an individual types can help you determine if a subsequent visitor is the actual account owner or a bad actor.
In my experience, fingerprinting and adjacent identity proofs are rarely used in isolation. They're often employed for step-up authentication. That means if something doesn't match up, you get hit with a 2FA/MFA prompt.
Step-up can be pretty complex if you want it to be, though, with tons of cogs and gears in the background making real-time adjustments. Like you might not even realize you've been restricted during a session when you log in to your bank account, but once you try to make a transfer, you'll get an MFA prompt. That's the UX people in action, trying to minimize friction while maintaining security.