
I need to get the serial number, or some other information that doesn't change, from the user's device. I thought about using the IPv4 address, but it can change depending on where the user is, and all the logic I tried to implement didn't work. I'm doing this in an MVC project on .NET 6.0 and I'm trying to implement this logic in C#, but it would also be possible in JavaScript. I would also use this information to automate the user's login, using a security device already pre-registered by him.

  • Are you looking for something like a device/browser fingerprint? – Scott Jul 27 '22 at 17:03
  • Well, I tried to implement Fingerprint in the project, but from what I saw in the documentation to implement it, you need to register an SSL address and in my tests I'm only using LocalHost, but if I could get around this it would be a good option – josé djalma Jul 27 '22 at 17:08
  • @josédjalma what documentation? What are you trying to do? If you want a simple way to fingerprint devices, look into the free version of FingerprintJS. It will generate a hash unique to the browsing device. Note that it isn't foolproof and anyone sufficiently determined can spoof the fingerprints, but if you just need a general solution for generating a unique identifier for site visitors then it should suit your needs. – h0r53 Jul 27 '22 at 17:13
  • Unfortunately this falls under Client-Side Security, which is always a best effort and never perfect. Popular websites pay lots of money to stop bot developers and the best bot developers still bypass the antibot technologies. It's an imperfect solution. If you must, look into multifactor authentication as an additional barrier. – h0r53 Jul 27 '22 at 17:16
  • I based myself on this site: https://dev.fingerprint.com/docs and it says that it is necessary to create this certificate, and yes, this would end up being a facilitator to log in but it would not only have that, it would still have a verification in two steps (this one is already working) – josé djalma Jul 27 '22 at 17:18
  • The OS provides one. Linux: `cat /etc/machine-id` or Windows: `HKLM:\Software\Microsoft\Cryptography\MachineGuid` But the browser specifically does not as a security feature: See [How do I uniquely identify computers visiting my web site?](https://stackoverflow.com/questions/216542/how-do-i-uniquely-identify-computers-visiting-my-web-site) – Wyck Jul 27 '22 at 17:19
  • If you already have multifactor authentication AND you're setting up FingerprintJS then my opinion is that that is sufficient. If your site is high profile and needs additional web security, then I'd recommend looking into a commercial antibot solution. They aren't perfect, but they have large teams and budgets dedicated to this subject. Note: I don't believe FingerprintJS actually requires an SSL certificate unless you're doing a subdomain configuration. All the fingerprinting code runs in the browser anyways, nothing to do with SSL on your site. I've used the free version of FPJS without a cert. – h0r53 Jul 27 '22 at 17:24
  • Please provide enough code so others can better understand or reproduce the problem. – Community Jul 27 '22 at 17:28

1 Answer


Disclaimer: I work at Fingerprint.

> I would also use this information to automate the user's login, using a security device already pre-registered by him

It might be a good idea to use a browser identifier (fingerprint/visitorId) as a decision point for further choices (e.g. whether to challenge a user with another factor or put some additional barriers). It's not a good idea to use a fingerprint/visitorId as a password replacement. There might be false results and this technology is not intended to replace passwords.

Moreover, I'd like to correct some misconceptions from the question and comments.

> but from what I saw in the documentation to implement it, you need to register an SSL address

Open source FingerprintJS is a pure client-side library. There are no HTTP APIs, servers, or requests. You don't perform any Subdomain setup whatsoever.

The Subdomain setup and SSL certificates are related to Fingerprint Pro, which is a different service (take a look at Pro vs open source comparison). The Subdomain setup improves accuracy among other benefits. You can try the service on localhost without it. Moreover, with the Subdomain setup, you can develop your app on localhost without any limitations as well.

> It will generate a hash unique to the browsing device

This is not correct; they are not unique in 100% of cases. The accuracy of the open source FingerprintJS is ~60%. The accuracy of Fingerprint Pro is ~99.5%. Nevertheless, there might be some false positives/negatives. This is the main reason why it's not a good idea to use fingerprint/visitorId as a password replacement.

Martin Makarsky
  • Thanks for the clarification. I also have to congratulate you: this tool is very good and still open source. Thank you very much – josé djalma Sep 09 '22 at 18:03
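
The "decision point" approach from the answer, sketched as server-side sign-in logic. This is an added example, not code from the answer or from Fingerprint. It assumes `visitorId` is an opaque string sent by the browser; `deviceTag`, `isKnownDevice`, `decideSignIn` and the user record shape are hypothetical names.

```javascript
// Added example: the browser identifier only decides whether a second
// factor is requested; it never stands in for the password.
const crypto = require("node:crypto");

// Constructed demo key; a real deployment loads this from a secret store.
const DEVICE_KEY = Buffer.from("constructed-demo-key-not-for-production");

// Store a keyed hash bound to the user, never the raw identifier, so a
// collision with another user's identifier does not carry over.
function deviceTag(userId, visitorId) {
  return crypto.createHmac("sha256", DEVICE_KEY)
    .update(`${userId}\n${visitorId}`)
    .digest();
}

function isKnownDevice(user, visitorId) {
  if (typeof visitorId !== "string" || visitorId.length === 0) return false;
  const tag = deviceTag(user.id, visitorId);
  let known = false;
  for (const stored of user.deviceTags) {
    // Both buffers are 32-byte digests, as timingSafeEqual requires.
    if (crypto.timingSafeEqual(stored, tag)) known = true;
  }
  return known;
}

// passwordOk: outcome of the normal credential check.
// secondFactorOk: undefined until the user has answered a challenge.
function decideSignIn(user, { passwordOk, visitorId, secondFactorOk }) {
  // A matching identifier never rescues a failed password check.
  if (!passwordOk) return "deny";

  // Pre-registered device: no extra barrier for this attempt.
  if (isKnownDevice(user, visitorId)) return "allow";

  // Unknown, changed or missing identifier: ask for the second factor.
  if (secondFactorOk === undefined) return "challenge_second_factor";
  if (secondFactorOk !== true) return "deny";

  // Register the device only after both factors succeeded.
  if (typeof visitorId === "string" && visitorId.length > 0) {
    user.deviceTags.push(deviceTag(user.id, visitorId));
  }
  return "allow";
}
```

Because identifiers can collide or be spoofed, a match here only removes the extra challenge; a mismatch or a missing identifier falls back to the two-step flow.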