Scalable and Secure HTML5 Canvas-Based User Authentication

  • Conference paper
Applied Cryptography and Network Security Workshops (ACNS 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13285)

Abstract

Although browser fingerprinting has been widely studied from a privacy angle, there is also a case for fingerprinting in the context of risk-based authentication. Given that most browser-context features can be easily spoofed, APIs that potentially depend on both software and hardware have gained interest. HTML5 Canvas has been shown to provide a certain degree of characterization of a browser. However, multiple research questions remain open. In this paper, we study how to use this API for browser fingerprinting in a scalable way by means of a Siamese deep neural network. We also explore the limits of this technique on modern browsers that are progressively standardizing the Canvas outputs. In our evaluation using over 200 browser instances, we obtain an 82% accuracy in distinguishing browser instances in our dataset and 92% if the model only distinguishes between users with a different browser or OS. Our model has a 0% false-rejection rate and up to a 36% average false-acceptance rate on simulated attacks, with false acceptances occurring mostly when victims and attackers share the same browser model and version and the same OS.

Corresponding author

Correspondence to Esteban Rivera.

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Rivera, E., Tengana, L., Solano, J., López, C., Flórez, J., Ochoa, M. (2022). Scalable and Secure HTML5 Canvas-Based User Authentication. In: Zhou, J., et al. Applied Cryptography and Network Security Workshops. ACNS 2022. Lecture Notes in Computer Science, vol 13285. Springer, Cham. https://doi.org/10.1007/978-3-031-16815-4_30

  • DOI: https://doi.org/10.1007/978-3-031-16815-4_30

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-16814-7

  • Online ISBN: 978-3-031-16815-4

  • eBook Packages: Computer Science, Computer Science (R0)
