BrFAST: a Tool to Select Browser Fingerprinting Attributes for Web Authentication According to a Usability-Security Trade-off

In this demonstration, we put ourselves in the place of a website manager who seeks to use browser fingerprinting for web authentication. The first step is to choose the attributes to implement among the hundreds that are available. To do so, we developed BrFAST, an attribute selection platform that includes FPSelect, an algorithm that rigorously selects the attributes according to a trade-off between security and usability. BrFAST is configured with a set of parameters for which we provide values so that BrFAST is usable as is. We notably include the resources to use two publicly available browser fingerprint datasets. BrFAST can be extended to use other parameters: other attribute selection methods, other measures of security and usability, or other fingerprint datasets. BrFAST helps visualize the exploration of the possibilities during the search for the best attributes to use, compare the properties of attribute sets, and compare several attribute selection methods. During the demonstration, we compare the attributes selected by FPSelect with those selected by the usual methods according to the properties of the resulting browser fingerprints (e.g., their usability, their unicity).


INTRODUCTION
Browser fingerprinting [1,4,7,11] is the collection of attributes from a web browser to build a potentially unique fingerprint. Initially used to track users on the web, this technique can also supplement passwords as an additional web authentication factor, as depicted in Figure 1. Hundreds of attributes are available, but collecting all of them is unrealistic as their usability cost (e.g., their collection time) would be too high [2]. Moreover, the attributes can be correlated with each other, as depicted in Table 1. Previous studies consider a small set of usual attributes [4,7,11], iteratively pick the attribute of the highest entropy (or conditional entropy) until reaching a threshold [3,5,8,10,12,14], or evaluate every possibility [6]. However, the entropy does not consider the correlations that occur between the attributes. Moreover, the entropy and the conditional entropy do not capture the usability cost induced by the use of the attributes [1]. As for the evaluation of every possibility, we emphasize that it is impractical as the number of possibilities grows exponentially with the number of attributes.

We propose a demonstration of FPSelect [1], a rigorous approach to select a subset of the candidate attributes such that the cost of using the fingerprints is low and a minimum security level against dictionary attacks is reached. FPSelect helps to protect against strong dictionary attackers who know the fingerprint distribution among the protected users. To do so, it explores the space of the possible attribute sets using a greedy algorithm inspired by the Beam Search algorithm [9]. This demonstration illustrates how FPSelect can be used by a website manager (the verifier) who seeks to use browser fingerprinting as an additional web authentication factor.

We compare the attribute sets selected by FPSelect with those selected by the usual attribute selection methods according to the properties of the resulting browser fingerprints (e.g., their usability cost, their unicity). To this end, we developed BrFAST, an attribute selection tool that performs the attribute selection given a set of parameters (e.g., fingerprint dataset, selection method). Users can use the set of parameters that are provided with BrFAST to perform the attribute selection, or choose their own set of parameters. We notably provide the resources to use two publicly available browser fingerprint datasets. BrFAST can be extended to use other parameters: other attribute selection methods, other measures of security and usability, or other fingerprint datasets. BrFAST helps visualize the exploration of the possibilities during the search for the best attribute sets to use, evaluate the properties of attribute sets, and compare several attribute selection methods.

Table 1: Example of browser fingerprints shared by users. The CookieEnabled attribute provides no distinctiveness but increases the usability cost. The Timezone and the Language attributes are the two most distinctive attributes, but considering them both does not improve the distinctiveness compared to considering Language alone due to their correlation.

FPSELECT ALGORITHM
In this demonstration we showcase FPSelect [1], a framework to help verifiers select the browser fingerprinting attributes to design their probe. To do so, FPSelect performs a trade-off between the security that the attributes provide against a dictionary attacker and the usability cost that they induce.

Dictionary Attack and Sensitivity Measure
We consider attackers who managed to obtain the knowledge of a fingerprint distribution (e.g., from a stolen browser fingerprint dataset). These attackers are able to submit a limited number of the most common fingerprints to impersonate as many users as possible.
Given an attribute set, we measure the reach of the attackers by the proportion of the protected users that they manage to impersonate, and call this proportion the sensitivity. Any sensitivity measure can be plugged into FPSelect as long as it is monotonically decreasing when the number of selected attributes increases [1]. Indeed, adding an attribute should decrease the sensitivity if the attribute helps distinguish different browsers, or otherwise keep the sensitivity equal.

Usability Cost Measure
FPSelect also takes a usability cost measure as a parameter, which evaluates the usability cost of an attribute set. Any usability cost measure can be plugged into FPSelect as long as it is strictly increasing with the number of selected attributes. Indeed, adding an attribute requires at least implementing its collection, storing its information, and collecting it from the browser.

Lattice Model and Exploration Algorithm
FPSelect models the possibility space as a lattice of attribute sets. The elements of this lattice are the subsets of the candidate attributes and the order is the subset relationship. FPSelect leverages an exploration algorithm [1] to find the attribute set that satisfies the sensitivity threshold at a low cost. It starts from the empty set and explores -paths in the lattice until all the paths reach the satisfiability frontier, being a parameter. The satisfiability frontier separates the attribute sets that satisfy the sensitivity threshold from those that do not. The attribute sets right above this frontier satisfy the sensitivity threshold at a lower usability cost than their supersets. Both the optimal solution and the solution found by FPSelect are among these attribute sets. The exploration algorithm explores in priority the supersets of the most efficient attribute sets and includes three pruning methods [1] to reduce the number of explored attribute sets. The exploration algorithm is inspired by the Beam Search algorithm [9] and is part of the Forward Selection algorithms [13]. The computational complexity of the exploration algorithm is of O ( 2 ) with being the number of candidate attributes and being the computational complexity of the sensitivity and usability cost measures. The memory complexity of the exploration algorithm is of O ( 2 ). Figure 2 shows an example of a lattice obtained from the possible attribute sets generated from three candidate attributes.
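The sensitivity measure, the usability cost measure and the lattice walk described above, as an added Python sketch that is not BrFAST's or FPSelect's own code. The eight fingerprints, the per-attribute costs and the efficiency ranking (sensitivity reduction per unit of cost) are assumptions made for illustration, and only a single cost-based cut stands in for the paper's three pruning methods.

```python
from collections import Counter

# Constructed sample, one fingerprint per user (not taken from the paper's datasets).
ATTRS = ("cookie", "language", "timezone", "width")
FINGERPRINTS = [
    ("True", "fr", "-1", "1920"), ("True", "fr", "-1", "1366"),
    ("True", "en", "0", "1920"), ("True", "en", "0", "1366"),
    ("True", "it", "-1", "1920"), ("True", "it", "-1", "1024"),
    ("True", "es", "0", "1024"), ("True", "es", "0", "1366"),
]
# Assumed per-attribute usability costs in arbitrary units (hypothetical values).
COST = {"cookie": 1, "language": 2, "timezone": 2, "width": 5}


def sensitivity(attrs, submissions):
    """Share of users impersonated by submitting the most common fingerprints."""
    idx = [ATTRS.index(a) for a in sorted(attrs)]
    counts = Counter(tuple(fp[i] for i in idx) for fp in FINGERPRINTS)
    return sum(n for _, n in counts.most_common(submissions)) / len(FINGERPRINTS)


def cost(attrs):
    """Strictly increasing cost: every added attribute adds a positive amount."""
    return sum(COST[a] for a in attrs)


def efficiency(attrs, submissions):
    """Assumed ranking criterion: sensitivity reduction per unit of cost."""
    return (1 - sensitivity(attrs, submissions)) / cost(attrs)


def explore(threshold, submissions, paths):
    """Walk up the lattice from the empty set, keeping `paths` sets per level."""
    level, best = [frozenset()], None
    while level:
        supersets = {s | {a} for s in level for a in ATTRS if a not in s}
        to_expand = []
        for cand in supersets:
            if best is not None and cost(cand) >= cost(best):
                continue  # supersets only cost more, so this path cannot win
            if sensitivity(cand, submissions) <= threshold:
                best = cand  # satisfies the threshold: stop extending this path
            else:
                to_expand.append(cand)
        to_expand.sort(key=lambda s: (efficiency(s, submissions), sorted(s)),
                       reverse=True)
        level = to_expand[:paths]
    return best  # None when no attribute set satisfies the threshold


if __name__ == "__main__":
    print(sorted(explore(threshold=0.125, submissions=1, paths=1)))
```

On this sample, adding the timezone to the language leaves the sensitivity unchanged because the two are correlated, which is the effect the Table 1 caption describes.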

Experimental Results
We evaluated the performance of FPSelect and compared it to the baselines based on entropy and conditional entropy [1]. The experimental setting was composed of a user population of 30,000 browsers, a number of explored paths of 1 and 3, a sensitivity threshold between 0.001 and 0.025, and a number of submissions by the dictionary attacker between 1 and 16. The sensitivity was measured as the proportion of users impersonated by the most common fingerprints, considering distance functions between attributes to allow small changes. The usability cost was measured as the weighted sum of the average fingerprint size, the average fingerprint collection time, and the proportion of attribute changes among the observed consecutive fingerprints. Compared to the attribute sets found by the baselines, those found by FPSelect generate fingerprints having a size 12 to 1,663 times lower, a collection time 9 to 32,330 times lower, and 4 to 30 times fewer attribute changes between the consecutive fingerprints. Although FPSelect explores three orders of magnitude more attribute sets compared to the baselines, the usability cost reduction is reflected on each authentication performed by each user.

ATTRIBUTE SELECTION TOOL
We have implemented FPSelect and wrapped it into a full-fledged attribute selection tool: BrFAST. BrFAST is configured with a set of parameters used to process the attribute selection, for which we provide values for anyone to directly use BrFAST as is. BrFAST is modular: other attribute selection methods or measure functions can be plugged in easily. As the attribute selection process can take time, BrFAST supports the replay of execution traces. We developed BrFAST as a web application in Python 3, used Flask for the web application, and used D3.js for the visualization of the lattice exploration.

Parameters of the Attribute Selection Tool
An attribute selection method. The implemented attribute selection methods are the entropy and the conditional entropy, together with FPSelect which is configured with the number of paths explored in the lattice of the possibilities.
A browser fingerprint dataset. The fingerprint dataset is collected from the browser population to protect, with the fingerprints being composed of the complete set of attributes. BrFAST includes the resources needed to use two publicly available browser fingerprint datasets. The first dataset is a sample of the dataset used in the FPStalker study [15] and the second comes from an experiment conducted by Henning Tillmann.
Sensitivity and usability cost measures. BrFAST includes a sensitivity and a usability cost measure inspired by [1] that can be trained on the two provided fingerprint datasets. The sensitivity is measured by the proportion of the users that share the most common fingerprints, with a parameter set by the verifier. The usability captures the memory size and the instability of the generated fingerprints.
A sensitivity threshold. The sensitivity threshold is configured by the verifier according to her security requirements.

Visualizations
BrFAST helps understand the inner working of FPSelect, visualize the properties of the selected attributes, and compare the attribute selection methods. The inner working of FPSelect is visualized by the real-time exploration of the lattice of the possibilities (similar to Figure 2) and the best solution currently found. The properties of an attribute set include its usability cost, its sensitivity, a sample of the resulting fingerprints together with their entropy, their unicity, and their stability. Using the visualization of the properties of the selected attributes, BrFAST helps to compare several attribute selection methods.

SCENARIO
In this demonstration, we showcase FPSelect by comparing its results with those of the baselines using BrFAST. As the attribute selection process can take time, we will replay traces of executions on fingerprint datasets and sets of parameters. These traces will be available for the audience to replay. Moreover, the audience can also plug in fingerprint datasets, sensitivity and usability cost measures, and sets of parameters.

CONCLUSION
In this demonstration, we put ourselves in the place of a website manager who seeks to use browser fingerprinting as an additional web authentication factor. To do so, she has to choose the attributes to collect to compose the browser fingerprints. For this purpose, we developed BrFAST, an attribute selection tool that embeds the FPSelect algorithm to rigorously select browser fingerprinting attributes according to a trade-off between security and usability. Using BrFAST, we compare the attribute sets that are found by FPSelect and by the usual attribute selection methods, as well as the resulting browser fingerprints.