Service providers provide many different kinds of services to users via a communication network such as the Internet. Often, the users access these services using different devices. For example, a user may access a banking service via a laptop computer, a tablet, and a smart phone at different times and/or from different locations. Other examples include users watching movies or other content from an online content provider, and users accessing medical information, using different devices at different times and places. In order to provide such services, service providers often register the user devices. More than one device can be associated with a user. Such registration can allow a service provider to ensure that when a service request is received from a device, only an authorized user is in fact accessing the service. The likelihood of unauthorized access to sensitive user information, such as banking records, credit card transactions, medical records, online shopping records, etc., can also be minimized if the service provider can recognize a requesting device as that associated with an authorized user.
To facilitate device recognition, some systems collect and transmit device data to a service provider's server during the initial registration process. Such device data may include device characteristics such as a phone number, an identifier associated with circuitry of the device, an identifier associated with a carrier, a signature associated with a software component installed on the device, information about the operating system (OS) on the device, etc. The same device characteristics are collected and transmitted to the server again when the device is subsequently used to request a service. At the service provider's server, if the subsequently received data matches the data stored at the server during the initial registration, the requesting device may be recognized as a returning device.
This technique encounters a number of problems, however. First, one or more device characteristics often change for legitimate reasons. For example, the OS may be upgraded and one or more other software components such as apps installed on the device may be removed or updated. Users may replace one carrier with another and, in some cases, may change a phone number associated with the device. Should any of the device characteristics that are used in device recognition change, the known techniques typically fail to recognize the device as a returning device. This may cause some inconvenience to the user. For example, the user may have to repeat the registration process.
Second, a malicious user (also called an adversary) can anonymize a device, causing the service provider's server to erroneously determine that a returning device is a new device, and use this error to the adversary's advantage. For example, an online content provider may run a promotion where the first visit to the content provider's service grants access to the content for free, while later visits would require a paid subscription. An adversary may change a particular device characteristic before each visit, so that the content provider's server fails to recognize that the device is actually a returning device and grants free access to the content to the adversary more than once.
Third, a malicious user (adversary) may spoof a device by replacing the device characteristics with those of another device. The service provider's server may erroneously determine that the requesting device is the other device, and may grant access to service and/or data relating to the user of the other device to the adversary.
The table below illustrates how failure rates are characterized. The diagonal from top left to bottom right shows correct behavior; the other diagonal shows erroneous behavior. The rate at which a new device (a device that has not yet been observed) is erroneously associated with the identifier (ID) of a returning device is the False Accept Rate (FAR). The rate at which a returning device fails to be identified as such is the False Reject Rate (FRR).
| | Identified with returning ID | Identified with new ID |
|---|---|---|
| Returning Device | Correct | False reject rate |
| New Device | False accept rate | Correct |
The FAR and FRR may be attributed to inadvertent issues in the identification solution, or portions of the FAR and FRR may be associated with attacks. A spoof attack contributes to the FAR because an adversary fools the system into attributing a different device's returning ID to the adversary's device. An anonymization attack contributes to the FRR because the solution fails to re-identify a returning device.
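The following is an added example, not part of the original document, that measures the FAR and FRR of the exact-match recognition scheme described above over a small labelled set of requests. The field names, device IDs and sample values are constructed assumptions.

```python
import hashlib

# Constructed characteristic names; the document lists phone number, circuitry
# identifier, carrier identifier and OS information among the collected data.
FIELDS = ("phone", "hw_id", "carrier", "os")

def fingerprint(attrs):
    """Exact-match key: changing any one characteristic changes the key."""
    joined = "|".join(f"{k}={attrs[k]}" for k in FIELDS)
    return hashlib.sha256(joined.encode()).hexdigest()

def evaluate(registered, requests):
    """registered: {device_id: attrs}; requests: [(true_id or None, attrs)].
    true_id is None for a device the server has never observed.
    Returns (FAR, FRR) as defined in the table above."""
    index = {fingerprint(a): dev for dev, a in registered.items()}
    far_hits = frr_hits = n_new = n_returning = 0
    for true_id, attrs in requests:
        matched = index.get(fingerprint(attrs))
        if true_id is None:
            n_new += 1
            far_hits += matched is not None      # new device given a returning ID
        else:
            n_returning += 1
            frr_hits += matched != true_id       # returning device not re-identified
    return far_hits / n_new, frr_hits / n_returning

def demo():
    # Constructed sample data.
    a = {"phone": "555-0100", "hw_id": "HW-A", "carrier": "carrier-1", "os": "14.0"}
    b = {"phone": "555-0101", "hw_id": "HW-B", "carrier": "carrier-2", "os": "14.0"}
    c = {"phone": "555-0102", "hw_id": "HW-C", "carrier": "carrier-1", "os": "13.2"}
    registered = {"dev-A": a, "dev-B": b}
    requests = [
        ("dev-A", a),                           # unchanged returning device: correct
        ("dev-B", {**b, "os": "14.1"}),         # legitimate OS upgrade: false reject
        ("dev-A", {**a, "phone": "555-0199"}),  # altered characteristic: false reject
        (None, c),                              # genuinely new device: correct
        (None, dict(a)),                        # presents dev-A's data: false accept
    ]
    return evaluate(registered, requests)

if __name__ == "__main__":
    far, frr = demo()
    print(f"FAR={far:.2f} FRR={frr:.2f}")
```

Running the same labelled request set against a candidate recognition scheme gives a direct comparison of how much each failure mode contributes to its FAR and FRR.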