2

I'm wondering if it would be best practice to use a clients fingerprint as JWT-secret for encoding. However I couldn't find anything in the WWW concerning this question, but so far it makes sense to me to do it.

I'm thinking about generating a fingerprint client-side with JavaScript and sent it to the API with every call. The API should then use the fingerprint with a hard coded secret together for encoding and decoding the token.

Isn't this a good method to prevent CSRF? Or am I missing out on something else? Or in general: What is the best way to prevent CSRF with JWT? (I'm using PHP and VueJS, is there maybe a case related solution?)

1 Answers1

0

I have never heard about that.

A token is signed using a private key or a shared secret. The use of a fingerprint means you can correlate one (or more) fingers to a private key then compute a token.

However, this looks very similar to the Webauthn protocol I am working with. When using Android devices, the browser can interact with the fingerprint/screenlock to authenticate the user. The data sent by the device is a JWT that can be verified using a Google API (see Android SafetyNet).

Spomky-Labs
  • 15,473
  • 5
  • 40
  • 64