HELP! Unique device ID using FIDO

[Jie Deng]

Hello team,

I got to know one anti-fraud solution where they generate an unique device identifier based on their FIDO technology in order to prevent account takeover. However, I have been also told that the device identifier will be regenerated if the user chooses to clear cache/cookies. Can anyone explain to me why it happens? My understanding is as long as the user does not change the device, the private key will always resides in the device, hence the device identifier should remain the same as well. it doesn't matter whether the user clears cookies/cache or not.

I am very new to FIDO, any insights or links/materials sharing would be really appreciated!

Thank you in advance,

Jessie

[Solomon Jonah]

 

Azablogger

Yes i can help you if you can pay 

[Tim Cappalli]

Without additional details, it is hard to determine what you're referring to. FIDO protocols do not disclose device identifiers outside of some very specific, enterprise managed use cases.

They may be referring to the credential ID which is part of the credential metadata stored in the authenticator and uniquely identifies the credential.

tim

On Fri, Mar 22, 2024 at 2:16 AM Jie Deng <dengj...@gmail.com> wrote:

This message originated outside your organization.

---

--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/ae2727d2-aba7-458a-a321-0d8a2b79a510n%40fidoalliance.org.

[My1]

I accidentally didn't reply to everyone but just him but my theory is that they use non-resident creds. Is kinda neat as resident creds could easily be abused to identify devices and/or people who might not exactly be aware of what's happening and more or less create a supercookie of sorts especially as eg on windows you can't really delete your resident platform creds last time i checked.

And having a remote cred with the cred id in the cookie can help in the term that you can use fido for a crypto authentication without much friction, while maintaining that clearing cookies, being the sole source of a cred id clears the "identity" of whatever this is doing

To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/CACZ9TyD9xVVyvjXpBK49YqJdPEDC9qU4LcUOy%2ByyQ0--kHBvvw%40mail.gmail.com.

[Jie Deng]

Tim, thank you for your insights!

Hey both, can I also ask if UAF protocol can support resident keys?

Jessie

[Tim Cappalli]

There is no formal concept of resident keys in UAF.

[Jie Deng]

Hi Tim,

Can I ask another follow-up question? Assuming the solution has been using non resident keys under FIDO2 standard, if they were using UAF, the scenario (where the device ID will be regenerated when users clear cookies/cache) should not happen, am I right to say that?

Thank you! 

[Tim Cappalli]

UAF is not a web exposed protocol, so there are no cookies at play (directly).