How to defend against Account Takeovers
Learn about account takeover threats, protection strategies, and detection methods to secure your digital accounts and prevent unauthorised access.
The Google Picasso fingerprinting method is a lightweight device class fingerprinting protocol that verifies the software and hardware stack of a mobile or desktop client. For instance, it can differentiate between traffic from a genuine iPhone running Safari on iOS and an emulator or desktop client mimicking the same setup. Picasso utilizes the unpredictable yet stable noise produced by a client's browser, operating system, and graphical stack when rendering HTML5 canvases.
Google Picasso is particularly useful in determining whether a connecting client is lying about its user agent.
Key features of Picasso include its resistance to replay and a hardware-bound proof of work. This proof of work requires the client to use a significant amount of CPU and memory to solve challenges. The method has proven effective in distinguishing between 52 million Android, iOS, Windows, and OSX clients across various browsers with 100% accuracy.
Implementations of Picasso involve rendering various primitives on a hidden HTML5 canvas and generating hashes of the resulting graphic. These primitives include text, arcs, Bezier curves, quadratic curves, emojis, and ellipses. Parameters such as the number of rounds (number of primitives drawn), canvas dimensions, and font size scale factor are adjustable. The fingerprint is generated based on these parameters and a random seed.
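The rendering loop described above, as an added example that is not Google's code or code from this page: the seed fixes which primitives are drawn and where, and the canvas contents are hashed after every round. The names `solveChallenge` and `snapshot`, the mulberry32 PRNG and the FNV-1a hash (standing in for a cryptographic hash) are assumptions made for the example.

```javascript
// Added example; the PRNG, hash and names are assumptions, not Picasso's own code.
const KINDS = ["text", "arc", "bezier", "quadratic", "emoji", "ellipse"];

// mulberry32: small deterministic PRNG, so the seed fixes the whole drawing plan.
function prng(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// FNV-1a (32-bit): non-cryptographic stand-in that keeps the example synchronous.
function fnv1a(str, h = 0x811c9dc5) {
  for (let i = 0; i < str.length; i++) h = Math.imul(h ^ str.charCodeAt(i), 0x01000193) >>> 0;
  return h >>> 0;
}

// Draw `rounds` seed-chosen primitives on a 2D context, hashing the canvas after each.
// `snapshot` returns the canvas contents, e.g. () => canvas.toDataURL() in a browser.
function solveChallenge(ctx, snapshot, { seed, rounds, width, height, fontScale }) {
  const rand = prng(seed);
  const pt = () => [rand() * width, rand() * height];
  let digest = fnv1a(String(seed));
  for (let i = 0; i < rounds; i++) {
    const kind = KINDS[Math.floor(rand() * KINDS.length)];
    const [x, y] = pt();
    const r = 1 + (rand() * Math.min(width, height)) / 4;
    ctx.beginPath();
    if (kind === "text" || kind === "emoji") {
      ctx.font = `${Math.round(r * fontScale)}px sans-serif`;
      ctx.fillText(kind === "emoji" ? "\u{1F600}" : "Picasso", x, y);
    } else if (kind === "arc") {
      ctx.arc(x, y, r, 0, rand() * 2 * Math.PI);
    } else if (kind === "ellipse") {
      ctx.ellipse(x, y, r, r / 2, rand() * Math.PI, 0, 2 * Math.PI);
    } else {
      ctx.moveTo(x, y);
      if (kind === "bezier") ctx.bezierCurveTo(...pt(), ...pt(), ...pt());
      else ctx.quadraticCurveTo(...pt(), ...pt());
    }
    ctx.stroke();
    digest = fnv1a(snapshot(), digest); // chain: every round feeds the final value
  }
  return digest.toString(16).padStart(8, "0");
}
```

Because a fresh seed changes the drawing plan, a response captured for one challenge does not answer the next one, and the same challenge rendered on a different graphics stack yields a different value.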
© PEAKHOUR.IO PTY LTD 2025 ABN 76 619 930 826 All rights reserved.