For legal purposes, I need to find a way to obtain a "one-to-one" identity of a device that logs in to my web application.

Typically, I'll post a URL through SMS or email and the end user opens the link in his/her default browser.

I know the phone number can't be retained consistently. Also, I wouldn't get my hands into Flash/ActiveX objects.

Are there any other ways? Thanks.

kobi segev
  • What is _"a "one-to-one" identity of a device"_? – guest271314 Jan 10 '16 at 17:16
  • A value that can't be disputed, that ensures that this device is the only device that can have it (I think MAC address follows this, also phone number). – kobi segev Jan 10 '16 at 17:17
  • @CodeiSir, I can get the MAC address if I get into ActiveX/Flash, but I prefer to avoid that. – kobi segev Jan 10 '16 at 17:20
  • What is the expected result? What is the purpose of using a "one-to-one" identity of a device? See also http://stackoverflow.com/questions/3385/mac-addresses-in-javascript – guest271314 Jan 10 '16 at 17:32
  • The ability to point out, indisputably, that this device carried out an action in my web application. – kobi segev Jan 10 '16 at 17:33
  • _"Ability to point out, indisputably, that this device carried out an action in my web application."_ What if the "one-to-one" identity of a device is spoofed? How do you verify "indisputably"? You could alternatively create a unique identifier at "login" or "signup" and provide the unique identifier to the user. You could then, at least, verify that the unique identifier was later used, though you could not "indisputably" verify that the specific user the identifier was issued to actually used the application. – guest271314 Jan 10 '16 at 17:36
  • Surely you can keep a record of the user's action with the IP and the time it happened, but generally it's not enough; the IP address of mobile devices changes a lot, especially when they use Wi-Fi outside of their home/office. It's nearly impossible to prove that the user was using that particular IP address. – Ahmet Cetin Jan 10 '16 at 17:37
  • @AhmetCetin, true, IP address can't be used. – kobi segev Jan 10 '16 at 17:43
  • @guest271314 if it can be spoofed it's not an option (for instance IMEI can be spoofed, at least I read it somewhere). – kobi segev Jan 10 '16 at 17:45
  • @kobisegev As far as I understand, you need to get the operator's identity (like the fingerprint that pressed the button); the device can be stolen, etc. – c-smile Jan 10 '16 at 17:45
  • @guest271314, thanks for pointing this out, because I've started thinking of collecting bio data (pressure, curves etc.) on signatures. It's ~70% of my cases. – kobi segev Jan 10 '16 at 17:49
  • You'll never prove anything indisputably with browser technologies. It will be a level of confidence. Anything you collect is only likely to be used in conjunction with other evidence such that the overall evidence makes it likely that the device in question was the one used. – ChrisC Aug 02 '16 at 23:42

4 Answers

You cannot get a unique ID like the IMEI or device UUID using HTML/JS, but you can create a fingerprint of the device. Check the fingerprintjs2 library: https://github.com/Valve/fingerprintjs2

Ahmet Cetin
  • Thanks, I've seen this library. It doesn't provide a one-to-one identity but a bunch of parameters to minimize tolerance. – kobi segev Jan 10 '16 at 17:25
  • Well, indeed, but the combination of these parameters makes a quite unique fingerprint. Otherwise, there is no chance of getting a device's unique identity using only HTML/JS without a native app. – Ahmet Cetin Jan 10 '16 at 17:27
  • If you're trying to implement something like a digital signature, it is a bit broader subject. You may not need to prove it using a specific ID of the device, depending on the case and what you want to achieve. – Ahmet Cetin Jan 10 '16 at 17:39
  • Actually, our end user will draw signatures on a pad (e-signature). – kobi segev Jan 10 '16 at 17:51
  • Well, in this case you should additionally create a PGP signature of the signature together with a hash of the document the user is signing; check openpgp.js for this purpose. I just created a web app doing the same thing using jSignature, Angular and Node.js. Because of the same problem, not being able to get the device's unique ID, we additionally were sending an SMS code to the user's phone to enter in the form as an additional measure. Legally, forging the identity of the user has exactly the same problem with wet-ink signatures, so it's not the digital signature's problem. – Ahmet Cetin Jan 10 '16 at 17:57
There is no way to ensure a device's identity in a web application.

You can only guess by what the browser tells you (I can give you some stuff about that). But it can always be faked by the client.

As you were talking about Flash, you might be able to do it with Flash/Java applets, some information here. But that is with browser plugins, which many clients might not have.

CoderPi

When someone visits your website you can grab only basic information, like the browser identity and the IP address, because these properties are pushed by the user's browser to the visited page. You can't get any other information.

Deepak Dixit
  • Is it possible to point out (by any means) a physical identity based on IP and specific time? – kobi segev Jan 10 '16 at 17:28
  • @kobisegev If you are talking about the MAC address then you can't get it, because the MAC address does not exist outside of the LAN. You can get the time of the visit using `$_SERVER['REQUEST_TIME']` if you are using PHP as the server-side language. – Deepak Dixit Jan 10 '16 at 17:46
What exactly is your legal requirement and use case?

  • Are you tracking registered users with registered devices?
  • Do you have any control over the devices (e.g. company mobile phones or laptops)?
  • Are you dealing with self-registering users with unknown devices?
  • How accurate does the identification need to be: exact or approximate / risk-based?

Unfortunately, device identity is not something available through web browsers. Can you imagine the privacy implications of such a feature? Advertisers and government agencies would love it; everyone else would hate it.

Some organisations use commercial products that attempt to do "device fingerprinting" using a range of techniques including geolocation, IP, browser and device characteristics, e.g. resolution, Flash or Silverlight (if installed), that sort of thing. However, these are risk-based approaches that are used by banks etc. to determine whether they've seen the device before or not, and if not, the user is pushed to provide additional authentication (step-up authentication). It's not a guarantee; it just offers a convenience to recognised users by simplifying the login process.

This is different to what you're asking for, though. As other users have said, it's basically not possible because all the information available through the browser is essentially spoofable and inherently unreliable. Even a single system can end up with multiple fingerprints if the user uses different browsers, for example, or plugs a laptop into a docking station with a monitor attached.

Probably the best you can do is something like you suggested: send a one-time code to the device using something that IS unique to that device, such as the mobile phone number, but even this can be bypassed pretty easily. It also comes down to how you find out and verify the device in the first place.

If you're only dealing with pre-registered mobile devices you may have a chance, e.g. you could use a native app that registers a custom URI handler on the mobile device to receive a one-time code from the server, and then the app opens a custom link in the system browser and passes in this code and some device ID like the IMEI (hashed) to your web server.

However, if you want to be able to identify PCs, Macs or any other web-enabled device where you don't have control of something at the OS level, you're probably going to struggle.

ChrisC