Reinventing Access Control: Fingerprinting for Credential Protection

In the evolving landscape of cybersecurity, traditional credential-based security is increasingly viewed as fundamentally broken. At VULNCON 2025, Aditya Singh, a cyber security analyst and independent researcher, presented a compelling talk on how we can move beyond passwords by leveraging something we already leak every day: our digital fingerprint.

What is Digital Fingerprinting?

Unlike cookies, which Aditya describes as removable "name tags," a digital fingerprint is more akin to digital DNA. While cookies require user consent, can be deleted, and fail to work in incognito mode, fingerprinting is a passive collection process that remains persistent. It combines unique characteristics from your hardware, software, and network to create an identifier that is incredibly difficult to spoof or manipulate.

The Four Pillars of Device Intelligence

Aditya’s research categorises fingerprinting into four primary layers, each adding "entropy" to make the final identifier more unique.

  1. Browser Fingerprinting
    This is the front line of identification. Techniques include:
    • Audio Fingerprinting: Using the Web Audio API to see how a browser processes sound. Because different browsers (Chrome vs Firefox) and operating systems handle mathematical optimisations differently, they produce unique audio buffer values.
    • Canvas Fingerprinting: This uses HTML5 canvas elements to render text and shapes. The resulting image depends on your graphics drivers, fonts, and sub-pixel anti-aliasing behaviour, which is then hashed into a unique ID.
    • Favicon Cache: A particularly stealthy method involving the browser's favicon cache. By tracking which favicons (shortcut icons) a browser requests or already has stored, a server can create a unique bit ID for a user that persists even if cookies are cleared.
  2. Device Fingerprinting
    This layer queries the hardware directly.
    • GPU Fingerprinting: By using the WebGL API, researchers can identify the GPU vendor (NVIDIA, AMD, Intel) and test specific rendering capabilities and precision behaviours unique to that hardware.
    • Math Fingerprinting: Different processors and JavaScript engines (like V8 or SpiderMonkey) handle floating-point operations and rounding behaviours with slight variations, allowing for identification based on mathematical precision results.
  3. Network Fingerprinting
    This involves analysing the initial communication patterns. A key technique mentioned is TLS Fingerprinting (specifically JA4). By looking at cipher suites, extensions, and algorithms during the TLS handshake—before encryption even begins—security systems can identify the type of device or even detect C2 malware communications.
  4. Side-Channel Fingerprinting
    The most advanced and "unavoidable" layer.
    • CPU Benchmarking: This measures micro-architectural details like cache sizes (L1, L2, L3) and core performance through pointer-chasing scripts.
    • Clock Deviation: Every computer has a quartz crystal oscillator, and no two crystals oscillate at the exact same frequency. This "clock skew" creates a unique signature based on manufacturing tolerances and hardware aging, making it a powerful tool for identification that cannot be simply disabled in settings.

Integrating Fingerprints into Access Control

The goal of this research is not just tracking, but reinventing access control. Aditya suggests that organisations can combine these layers to verify identities during login without bothering the user with extra steps.

This creates a multi-stage defence:

  • Initial Authentication: Verifying the fingerprint alongside credentials.
  • Continuous Verification: Ensuring the fingerprint remains consistent throughout a session.
  • Anomaly Detection: If a user provides the correct password but their fingerprint (e.g., CPU type or clock skew) has completely changed, the system can flag it as a high-risk login or block it entirely.
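
One way the three stages could fit together on the server side, as an added example that is not code from the talk or from any product. The field names, layer weights, clock-skew tolerance and risk thresholds are assumptions, and the sample fingerprints are constructed.

```python
from dataclasses import dataclass

# Assumed values (not from the talk): layers that rarely change for a
# legitimate user weigh more; thresholds and tolerance are illustrative.
WEIGHTS = {"browser": 0.2, "device": 0.3, "network": 0.2, "side_channel": 0.3}
SKEW_TOLERANCE_PPM = 2.0     # assumed measurement noise for clock skew
STEP_UP, BLOCK = 0.25, 0.6   # assumed risk thresholds


@dataclass(frozen=True)
class Fingerprint:
    canvas_hash: str
    audio_hash: str
    gpu_vendor: str
    math_hash: str
    ja4: str
    clock_skew_ppm: float


def layer_mismatch(enrolled: Fingerprint, seen: Fingerprint) -> dict:
    """Return a 0..1 mismatch fraction for each of the four layers."""
    def frac(*pairs):
        return sum(a != b for a, b in pairs) / len(pairs)
    skew_delta = abs(enrolled.clock_skew_ppm - seen.clock_skew_ppm)
    return {
        "browser": frac((enrolled.canvas_hash, seen.canvas_hash),
                        (enrolled.audio_hash, seen.audio_hash)),
        "device": frac((enrolled.gpu_vendor, seen.gpu_vendor),
                       (enrolled.math_hash, seen.math_hash)),
        "network": frac((enrolled.ja4, seen.ja4)),
        "side_channel": 1.0 if skew_delta > SKEW_TOLERANCE_PPM else 0.0,
    }


def assess(password_ok: bool, enrolled: Fingerprint, seen: Fingerprint):
    """Decide allow / step_up / block for a login or a mid-session re-check."""
    if not password_ok:
        return "block", 1.0
    mismatch = layer_mismatch(enrolled, seen)
    risk = round(sum(WEIGHTS[k] * v for k, v in mismatch.items()), 2)
    if risk >= BLOCK:
        return "block", risk
    return ("step_up" if risk >= STEP_UP else "allow"), risk

# Constructed sample data, not real fingerprints or real JA4 strings.
ENROLLED = Fingerprint("c1a9", "a77e", "NVIDIA", "m01f", "ja4-sample-A", 12.4)
SAME_DEVICE = Fingerprint("c1a9", "a77e", "NVIDIA", "m01f", "ja4-sample-A", 13.1)
BROWSER_UPDATE = Fingerprint("c1a9", "b2d0", "NVIDIA", "m01f", "ja4-sample-B", 12.0)
STOLEN_PASSWORD = Fingerprint("9f3c", "e410", "Intel", "m7aa", "ja4-sample-C", -31.8)
```

Calling assess() again during a session with a freshly collected fingerprint gives the continuous-verification stage. The middle threshold exists because legitimate events such as a browser update shift some layers, so a partial mismatch leads to a step-up challenge rather than a block.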

Is This a Privacy Violation?

While fingerprinting is often associated with tracking, Aditya argues that in the context of security, it is a vital tool for risk-based authentication. Major companies like Google already use these variations to determine the risk level of a login attempt rather than relying solely on passwords. Bypassing such a system is nearly impossible for an attacker, as they would need to replicate the victim's exact hardware, browser extensions, and even the physical quirks of their CPU.

Think of a standard login like a security guard checking an ID card (your password); it can be forged or stolen. Digital fingerprinting is like the guard also recognising your height, the way you walk, and the specific sound of your voice. Even if someone else steals your ID card, they cannot easily replicate your physical presence.