
Is your device as unique as you?

(Image credit: ar130405 / Pixabay)

What is more unique than your fingerprint? Are fingerprints even that unique? How do we verify fingerprints online? These are the questions that plagued our data scientists when we first asked them to create a machine learning model that we could use to provide enhanced device intelligence at low latency and global scale with more accuracy than comparable approaches with facial recognition or active biometrics.

This was not a simple challenge, but then no challenge that is worth taking on ever is.

Taking a moment to consider commonly available solutions for device intelligence in the market, most have a fatal flaw around collision rate or longevity. Even worse is when the solution is easily spoofed by attackers.

One example is web cookies, which are stored on consumer devices. Cookies let service providers customise the consumer experience: from providing customised advertising, to managing the items in a shopping cart, and user sessions across a website. Cookies are so prevalent that many countries adopted laws to protect online privacy, focusing on making consumers aware of how information about them is collected and used online. Modern internet browsers can be configured to remove cookies once a consumer has finished their transaction. This short-term device identification technology provides challenges for service providers but offers consumers a personalised experience that respects their privacy. Cookies are also an avenue for attackers as they give fraudulent devices or spoofed devices the opportunity to gather intelligence about a service provider’s customers. Some attacks may even reuse cookies to visit a service provider’s website pretending to be that previous consumer, reusing their session.

Securing against data breaches

Based on our data, 97 per cent of all fraud comes from an anomalous device or network, but many industry tools fall short. Focusing on enhanced device intelligence can enable an organisation to block that fraud from their environment while recognising their good customers.

Defending against fraud has never been more important with large data breaches and critical software vulnerabilities making headlines – nearly daily. There has been a surge of device-based attacks powered by undetected botnet devices. For the casual reader, these device-based attacks occur when large groups of internet-connected devices such as computers, smartphones, or IoT devices are breached or compromised. Once breached, the devices are under the control of a third party. By obfuscating legitimate device data around themselves, attackers can hide the data that they are trying to transmit, making it increasingly difficult to identify a fraudulent device on the network. In an ideal situation, once a high-risk device has been detected, companies can prevent the device from penetrating deeper into the network and accessing company data. However, without the correct controls in place, it is extremely difficult to recognise a device across cookie deletions or software updates and by the time a company is aware of a bad device, it is too late.

Nearly all companies – big or small – use device identification as it is the only physical facet of the user in the digital world. Companies rely on this device to trust that each time it logs in, it is, in fact, the same legitimate user logging in. This allows the user to bypass additional authentication steps and enjoy a frictionless experience, sometimes even sidestepping usernames and passwords where feasible, which is why recognising legitimate returning devices and the consumer behind the device is critical.

Better devices, increased security risk

Today, manufacturers are building devices with fewer hardware or software defects – which is good news for us, as consumer devices are lasting longer and are built with additional security considerations in mind. No one really wants to get a new device. They’re expensive!

These device protections ‘limit’ the data shared from the device to third parties – including security companies. With enhanced consumer protections on the device, data is frequently deleted within 30 days, creating friction for companies who are no longer able to recognise previously verified devices. When a company can’t verify your device, it asks you to log in and verify your identity.

Common solutions

There are many types of device identification that exist in the market today. Two of the most common types are token-based identifier systems and device fingerprinting.

Token-based identification uses a string of numbers that uniquely identifies one device using cookies from the browser. This type of identification is very popular because that token can be retrieved through the browser and verified with a high degree of certainty, confirming that the device with that token is one that exists exactly where you would expect it to. The downside is that these tokens disappear within a month.

Device fingerprinting differs from token-based identification in that it does not look to place a verifiable token on the device. It looks to ascertain various attributes from the device and combine and run these attributes through a set of algorithms to determine the uniqueness of the device based on those elements. Device fingerprinting is not as unique as token-based identification (thousands of devices can have the same fingerprint) but can be longer-lasting due to the lack of dependence on cookies which expire after 30 days.

In both of these cases, attackers will commonly spoof the token or device fingerprint data, reducing the effectiveness of the technique for positively verifying a consumer.
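The trade-off between the two approaches can be seen in a small model. This is an added example, not NuData's code or product logic: the `DeviceRegistry` class, the attribute names and the sample values are all constructed for illustration. It shows a token lookup being exact while the cookie exists, a fingerprint lookup returning several candidate devices once the cookie is gone, and both failing after a software update changes the reported attributes.

```python
import hashlib
import secrets

def fingerprint(attrs):
    """Hash a canonical (key-sorted) rendering of the observed attributes."""
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]

class DeviceRegistry:
    """Hypothetical server-side store of previously verified devices."""
    def __init__(self):
        self.by_token = {}        # cookie token -> device label
        self.by_fingerprint = {}  # fingerprint  -> set of device labels

    def enroll(self, label, attrs):
        """Record a verified device; return the token to set as its cookie."""
        token = secrets.token_hex(16)
        self.by_token[token] = label
        self.by_fingerprint.setdefault(fingerprint(attrs), set()).add(label)
        return token

    def recognise(self, attrs, token=None):
        """Return (method, candidate labels) for an incoming visit."""
        if token in self.by_token:
            # Token-only check: the presented attributes are not compared,
            # so a copied cookie would be accepted here as well.
            return "token", {self.by_token[token]}
        candidates = self.by_fingerprint.get(fingerprint(attrs), set())
        if candidates:
            return "fingerprint", set(candidates)
        return "unknown", set()

# Constructed sample: two phones of the same model with identical settings.
PHONE = {"user_agent": "ExampleBrowser/100.0", "os": "ExampleOS 15.1",
         "screen": "1170x2532", "timezone": "Europe/London", "language": "en-GB"}

def demo():
    reg = DeviceRegistry()
    alice_token = reg.enroll("alice-phone", PHONE)
    reg.enroll("bob-phone", dict(PHONE))
    updated = dict(PHONE, os="ExampleOS 15.2", user_agent="ExampleBrowser/101.0")
    return {
        "with_cookie": reg.recognise(PHONE, alice_token),  # exact match
        "cookie_deleted": reg.recognise(PHONE),            # ambiguous match
        "after_update": reg.recognise(updated),            # no match at all
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```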

Unique device identification

To combat the shortcomings of these traditional identification measures, a long-lasting and unique identifier is key. We offer a unique identifier to block traffic coming from fraudulent devices, reduce friction on returning good users, and provide accurate personalisation with a long-lasting unique device identifier. This unique identifier was designed and tested using cloud-based machine learning which enables it to last three to six times longer than the average device identifier and remain globally unique. Our unique device identifier is composed of a device identifier, device fingerprint, and data points retrieved from the account history. Issuers and retailers are using this unique identifier to accurately recognise devices in spite of cookie deletion, software updates or data spoofing.

Our unique device identifier detects major changes such as a software update. These major changes, known as device breaks, make it hard for common solutions to link the device back to the previously-seen device. As a consumer, you would still hope to have a streamlined experience logging into your account even if you are using an upgraded device. 

The next logical question is: what happens when the user actually changes devices? To bridge this gap, many companies are leveraging biometric factors to augment their device intelligence strategy – making a consumer’s digital fingerprint more unique. We specialise in using passive biometrics to recognise not just the device but the human behind the device, to provide a frictionless consumer experience and only trigger other authentication factors as required. Our passive biometrics technology evaluates numerous data points to verify a user’s identity on top of the device-based information to increase model confidence. In a similar fashion to how your gait when you walk is unique to you, or the way you shake someone’s hand, the way you use your devices is also distinct and unique to every individual. Passive biometrics ties different devices together, linking them through the consumer’s inherent patterns. By collecting data based on the consumer behind the device, this technology enables service providers to accurately identify that the user on device X is the same user that logged into device Y a week ago. The scope in which this technology can be utilised is enormous, with big companies implementing passive biometrics in order to secure who accesses their data or other assets.

Reliable device intelligence is key to the future of cyber-threat protection. In order to maintain true uniqueness in our devices alongside the security of our network environments, it is important to look beyond traditional device ID and fingerprint methods by leveraging data points from the consumer’s history for passive biometric evaluation. In doing so, we can create a seamless and uninterrupted user experience across all devices and updates. By building a unique story behind each device and its user, cyber-threats can be more easily detected and prevented, creating a safer world for both companies and users alike.

Justin Fox, Director, DevOps Engineering, NuData Security

Justin Fox is a director of DevOps engineering at NuData Security, a Mastercard company, an award-winning passive biometrics and behavioral analytics company based in Vancouver, B.C.