HELP! Unique device ID using FIDO


Jie Deng

Mar 22, 2024, 2:16:17 AM
to FIDO Dev (fido-dev)
Hello team,

I got to know one anti-fraud solution where they generate a unique device identifier based on their FIDO technology in order to prevent account takeover. However, I have also been told that the device identifier will be regenerated if the user chooses to clear cache/cookies. Can anyone explain to me why it happens? My understanding is that as long as the user does not change the device, the private key will always reside in the device, hence the device identifier should remain the same as well. It doesn't matter whether the user clears cookies/cache or not.

I am very new to FIDO, any insights or links/materials sharing would be really appreciated!

Thank you in advance,
Jessie

Solomon Jonah

Mar 22, 2024, 5:45:05 AM
to Jie Deng, FIDO Dev (fido-dev)
Azablogger

Yes, I can help you if you can pay.

Tim Cappalli

Mar 22, 2024, 4:09:31 PM
to Jie Deng, FIDO Dev (fido-dev)
Without additional details, it is hard to determine what you're referring to. FIDO protocols do not disclose device identifiers outside of some very specific, enterprise managed use cases.

They may be referring to the credential ID which is part of the credential metadata stored in the authenticator and uniquely identifies the credential.

tim


My1

Mar 22, 2024, 4:46:46 PM
to Tim Cappalli, Jie Deng, FIDO Dev (fido-dev)
I accidentally didn't reply to everyone but just him, but my theory is that they use non-resident creds. It is kinda neat, as resident creds could easily be abused to identify devices and/or people who might not exactly be aware of what's happening and more or less create a supercookie of sorts, especially as e.g. on Windows you can't really delete your resident platform creds, last time I checked.

And having a remote cred with the cred ID in the cookie can help in the term that you can use FIDO for a crypto authentication without much friction, while maintaining that clearing cookies, being the sole source of a cred ID, clears the "identity" of whatever this is doing.
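
To make the non-resident-credential theory above concrete, here is an added toy model (not code from this thread, nor from any FIDO implementation): a relying party that derives its "device ID" from the credential ID, a client whose cookie is the only place that credential ID is kept, and an authenticator that can use a non-discoverable credential only when handed its ID in allowCredentials. The RP ID, the hash-as-device-ID scheme and the omission of real signatures are all assumptions made for illustration.

```python
import hashlib
import secrets

RP_ID = "bank.example"  # constructed relying-party ID, assumption for the demo

class Authenticator:
    """Toy authenticator. A non-discoverable credential is usable only when the
    RP supplies its credential ID; a discoverable one can be found by RP ID alone."""
    def __init__(self):
        self.store = {}  # credential_id -> (rp_id, discoverable, private key stand-in)

    def make_credential(self, rp_id, discoverable):
        cred_id = secrets.token_bytes(16)
        self.store[cred_id] = (rp_id, discoverable, secrets.token_bytes(32))
        return cred_id

    def get_assertion(self, rp_id, allow_credentials):
        if allow_credentials:
            candidates = [c for c in allow_credentials if c in self.store]
        else:  # no IDs supplied: only discoverable credentials for this RP qualify
            candidates = [c for c, (r, d, _) in self.store.items() if r == rp_id and d]
        return candidates[0] if candidates else None

class RelyingParty:
    """Toy RP: the 'device ID' is just a hash of the credential ID it registered."""
    def __init__(self):
        self.known = set()

    def register(self, auth, discoverable):
        cred_id = auth.make_credential(RP_ID, discoverable)
        self.known.add(cred_id)
        return cred_id

    def device_id(self, cred_id):
        return hashlib.sha256(cred_id).hexdigest()[:16]

def session(rp, auth, cookies, discoverable):
    """One visit: assert with the cookie-held credential ID if present, else enrol anew."""
    allow = [cookies["cred_id"]] if "cred_id" in cookies else []
    cred_id = auth.get_assertion(RP_ID, allow)
    if cred_id is None or cred_id not in rp.known:
        cred_id = rp.register(auth, discoverable)
    cookies["cred_id"] = cred_id  # cookie is the sole client-side copy of the cred ID
    return rp.device_id(cred_id)

def simulate(discoverable):
    """Returns (device ID before clearing cookies, device ID after clearing them)."""
    rp, auth, cookies = RelyingParty(), Authenticator(), {}
    before = session(rp, auth, cookies, discoverable)
    assert session(rp, auth, cookies, discoverable) == before  # stable while cookie lives
    cookies.clear()  # user clears cookies; the authenticator's key material is untouched
    return before, session(rp, auth, cookies, discoverable)
```

With non-discoverable credentials the cleared cookie takes the only copy of the credential ID with it, so the RP cannot build allowCredentials and enrols a fresh credential (a new device ID); with discoverable credentials the authenticator finds the credential by RP ID and the device ID survives.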

Jie Deng

Mar 25, 2024, 2:34:40 AM
to Tim Cappalli, My1, fido...@fidoalliance.org
Tim, thank you for your insights!

Hey both, can I also ask if UAF protocol can support resident keys?

Jessie

Tim Cappalli

Mar 25, 2024, 11:36:36 AM
to Jie Deng, My1, fido...@fidoalliance.org
There is no formal concept of resident keys in UAF.

Jie Deng

Mar 25, 2024, 7:52:25 PM
to Tim Cappalli, My1, fido...@fidoalliance.org
Hi Tim,

Can I ask another follow-up question? Assuming the solution has been using non resident keys under FIDO2 standard, if they were using UAF, the scenario (where the device ID will be regenerated when users clear cookies/cache) should not happen, am I right to say that?

Thank you! 

Tim Cappalli

Mar 25, 2024, 8:01:04 PM
to Jie Deng, My1, FIDO Dev (fido-dev)
UAF is not a web exposed protocol, so there are no cookies at play (directly).