Demystifying Crypto-Binding: Enhancing Security with Transmit Security’s Web Crypto for Device ID

Device identification (or device ID) is a cornerstone of secure authentication systems, ensuring that only trusted devices can access sensitive information and services. This process is essential for multi-factor authentication (MFA), where a device serves as the “something you have” factor, complementing the “something you know” (password) and “something you are” (biometric data) factors. Accurate device identification helps prevent unauthorized access and protects against various security threats, such as account takeovers (ATO) and overall fraud.

Now picture this: You’re in the middle of your dream trip, visiting a country you’ve wanted to see since you were a kid. You need to make a money transfer to pay for an excursion you’re really excited about. But as you try to log in to your bank account, you notice your access has been blocked. Despite being an experienced user with MFA activated, a bad actor has managed to hack your account by hijacking some cookies your bank uses for device ID. Are you ready to say goodbye to your excursion and face a long day of calls and chats with bots trying to regain control of your funds?

In this blog post, we will explore the fundamentals of crypto-binding, a robust alternative to traditional device identification, which relies on cookies and other easily forged resources. We will discuss how crypto-binding works, its advantages and how it can be seamlessly implemented using Mosaic by Transmit Security. By leveraging the power of Web Crypto, businesses can achieve more secure and reliable device identification, enhancing their holistic security posture.

Web Crypto explained

As the dream-turned-nightmare scenario above shows, traditional methods of device identification have significant limitations. Device fingerprinting, for example, involves collecting numerous attributes from a device (such as browser type, operating system and screen resolution) to create a unique identifier. While useful, these methods are increasingly compromised by privacy concerns and advancements in browser security, since more than 90% of cybersecurity attacks are based on data and credential theft.

On top of that, modern browsers now limit the amount of accessible information to protect user privacy, which reduces the accuracy and reliability of traditional device ID. This limitation, coupled with the ease of spoofing device attributes by malicious actors, undermines the effectiveness of traditional device fingerprinting in ensuring secure authentication.

The Web Cryptography API, often referred to as Web Crypto, addresses these challenges. It is a powerful toolset provided by modern web browsers that enables developers to perform cryptographic operations directly within web applications. Its primary purpose is to enhance security by allowing for the encryption and decryption of data, generation and management of cryptographic keys and creation of digital signatures, all within the user’s browser. This capability is critical for implementing robust security measures without relying on external libraries or servers, thereby reducing the potential attack surface.

Web Crypto’s integration into browsers ensures that cryptographic operations can be performed in a secure environment, leveraging the browser’s security model. This means sensitive operations, like key generation and encryption, are handled within the browser itself, minimizing the risk of key exposure and ensuring that data remains protected during transit and storage. By standardizing these operations through the World Wide Web Consortium (W3C), Web Crypto provides a consistent and secure framework for developers to build secure web applications.

To perform cryptography in a fast, secure and reliable manner, Web Crypto builds on core functionalities such as:

  • Encryption/decryption: Securely transforms readable data into an unreadable format and vice-versa, ensuring that only authorized parties can access the information.
  • Digital signatures: Generates a unique signature for data, which can be used to verify its authenticity and integrity.
  • Hashing: Converts input data into a fixed-size string of characters, which is typically used for data integrity checks.
  • Key generation: Creates cryptographic keys required for encryption, decryption and signing operations.
  • Secure key storage: Safely stores cryptographic keys within the browser, protecting them from exposure and unauthorized access.

How Web Crypto improves the security of device identification

In the context of device ID, Web Crypto utilizes public-key cryptography to establish a unique and secure identity for each device. When a user first accesses a service, the browser generates a cryptographic key pair — a public key and a private key. The private key is securely stored within the browser’s dedicated storage (or in a hardware-backed secure storage, in the case of mobile applications), ensuring it never leaves the device. The public key is sent to the server and bound with the user’s account.

This public-private key pair serves as a digital identifier for the device. When the user attempts to authenticate or perform sensitive operations, the device uses its private key to sign the request, ensuring the authenticity of the events. The signed data is returned to the server for verification, confirming that the request originated from a trusted device.

This method of device binding offers several advantages over traditional techniques. Since the private key never leaves the device and is never transmitted, it is inherently resistant to man-in-the-middle (MIM) attacks and other forms of interception. Additionally, because the identification relies on cryptographic signatures rather than device attributes, it is immune to spoofing and other common fingerprinting issues. This makes Web Crypto an ideal solution for secure, reliable device identification in modern web applications.

Web Crypto in action: Crypto-binding on the Mosaic platform

Transmit Security leverages the principles of Web Crypto to implement crypto-binding for secure and reliable device identification. This process involves critical steps that ensure both security and usability.

How Transmit Security utilizes crypto-binding for device ID

  1. Key pair generation on the device:

When a user first registers their device with the Mosaic platform, the browser uses the Web Crypto API to generate a cryptographic key pair consisting of a public key and a private key. The private key remains securely stored in persistent storage in the browser, while the public key is transmitted to the server.

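    // RSA-PSS matches the algorithm passed to sign() in step 4.
    const algorithm = 'RSA-PSS';
    // The usages value is not shown in this post; ['sign', 'verify'] is assumed here.
    const usages = ['sign', 'verify'];
    const keyPair = await window.crypto.subtle.generateKey(
      {
        name: algorithm,
        modulusLength: 2048,
        publicExponent: new Uint8Array([0x01, 0x00, 0x01]), // 65537
        hash: 'SHA-256',
      },
      false, // non-extractable: script cannot export the private key
      usages,
    );

  2. Secure storage of the private key: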

The private key is stored in a secure, non-exportable format within the browser’s dedicated storage. This ensures that the private key never leaves the device and cannot be accessed or extracted by malicious entities.

  3. Public key binding with the user on the server:

Once the public key is received by the server, it is bound with the user’s account. This association forms the basis for identifying the device in future interactions. The server stores only the public key, which is not sensitive and does not pose a security risk even if exposed.

  4. Challenge-response mechanism for device validation using digital signatures:

For device validation during authentication or sensitive operations, the server generates a random challenge — a unique string of data. This challenge is sent to the device, where the private key signs it. The signed challenge is then sent back to the server. The server uses the corresponding public key to verify the signature. If the signature is valid, it confirms that the request originated from the trusted device, thus validating its identity.

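    // TypeScript. extractKeysFromBrowserStorage() loads the stored key pair;
    // its implementation is not shown in this post.
    async function sign(challenge: string): Promise<ArrayBuffer> {
      const { privateKey } = await extractKeysFromBrowserStorage();
      // Sign the UTF-8 bytes of the server's challenge.
      const encoded = new TextEncoder().encode(challenge);
      const signatureBuffer = await window.crypto.subtle.sign(
        {
          name: 'RSA-PSS',
          saltLength: 32, // bytes, the SHA-256 digest length
        },
        privateKey,
        encoded
      );
      return signatureBuffer;
    }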
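
The four steps above as one runnable exchange, including the server side that the snippets leave out: binding the public key, issuing a single-use challenge and verifying the signature. This is an added example, not Transmit Security's code; the function names, the in-memory Maps and the 60-second challenge lifetime are assumptions, and the server half is written against the same Web Crypto API so the file runs in Node or a browser console.

```javascript
// Added example (not Transmit Security's code): all names are hypothetical, Maps stand in for a database.
const PSS = { name: 'RSA-PSS', saltLength: 32 };
const KEY_ALG = { name: 'RSA-PSS', hash: 'SHA-256' };
const boundKeys = new Map(); // server: userId -> bound public CryptoKey
const pending = new Map();   // server: userId -> { challenge, expires }
const utf8 = (s) => new TextEncoder().encode(s);
async function wc() { // window.crypto in a browser, Node's webcrypto when run offline
  return globalThis.crypto?.subtle ? globalThis.crypto : (await import('node:crypto')).webcrypto;
}
// Device, step 1-2: non-extractable private key; only the public half is exported (SPKI).
async function createDeviceKey() {
  const { subtle } = await wc();
  const pair = await subtle.generateKey({ ...KEY_ALG, modulusLength: 2048,
    publicExponent: new Uint8Array([1, 0, 1]) }, false, ['sign', 'verify']);
  return { privateKey: pair.privateKey, spki: await subtle.exportKey('spki', pair.publicKey) };
}
// Server, step 3: bind the public key to the account, usable for verification only.
async function registerDevice(userId, spki) {
  const key = await (await wc()).subtle.importKey('spki', spki, KEY_ALG, false, ['verify']);
  boundKeys.set(userId, key);
}
// Server, step 4: fresh 256-bit random challenge with a short lifetime.
async function issueChallenge(userId, ttlMs = 60000) {
  const bytes = (await wc()).getRandomValues(new Uint8Array(32));
  const challenge = Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
  pending.set(userId, { challenge, expires: Date.now() + ttlMs });
  return challenge;
}
// Device, step 4: sign the challenge with the same parameters as the post's sign() snippet.
async function signChallenge(privateKey, challenge) {
  return (await wc()).subtle.sign(PSS, privateKey, utf8(challenge));
}
// Server, step 4: consume the challenge (single use), then verify against the bound key.
async function verifyResponse(userId, signature) {
  const entry = pending.get(userId);
  pending.delete(userId);
  const key = boundKeys.get(userId);
  if (!entry || !key || Date.now() > entry.expires) return false;
  return (await wc()).subtle.verify(PSS, key, signature, utf8(entry.challenge));
}
async function demo(userId) {
  const device = await createDeviceKey();
  await registerDevice(userId, device.spki);
  const sig = await signChallenge(device.privateKey, await issueChallenge(userId));
  const first = await verifyResponse(userId, sig);
  const replay = await verifyResponse(userId, sig); // challenge was already consumed
  const stranger = await createDeviceKey();         // key never bound to this account
  const forged = await signChallenge(stranger.privateKey, await issueChallenge(userId));
  return { first, replay, unboundDevice: await verifyResponse(userId, forged) };
}
```

Calling demo('alice') resolves to first: true, replay: false and unboundDevice: false, which shows why the server must delete each challenge on first use rather than only checking the signature.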

Benefits for Transmit Security customers

Adopting crypto-binding through the Mosaic platform offers significant advantages for financial institutions, e-commerce platforms and other businesses, from enterprise scale to small:

  • Streamlined and secure device ID management: Crypto-binding simplifies device ID management by providing a robust and scalable solution for device registration and validation. Organizations can efficiently manage numerous devices associated with their customers, ensuring that each device is securely bound to its respective user. This streamlining reduces administrative overhead and enhances the security posture of the institution.
  • Stronger MFA implementation: Multi-factor authentication (MFA) is a critical component of secure access control. By incorporating crypto-binding, Transmit Security enhances MFA implementations with an additional layer of security. The use of cryptographic keys for device validation ensures that even if one authentication factor is compromised, the overall security remains intact. This robust MFA approach is particularly valuable for platforms handling sensitive customer data and financial transactions.
  • Improved user experience with minimal device re-registration: Crypto-binding significantly improves the user experience by minimizing the need for frequent device re-registration. Once a device is registered, it can be validated seamlessly during each authentication attempt, eliminating the hassle of repeated setup processes. This convenience is crucial for maintaining customer satisfaction and loyalty, especially in competitive industries where user experience can be a differentiating factor.

By integrating crypto-binding journeys into their security infrastructure, Transmit Security customers can achieve a higher level of security and operational efficiency. The enhanced device ID management, stronger MFA and improved user experience collectively contribute to a more secure and user-friendly environment for end-users, ultimately supporting the business goals of financial institutions, e-commerce platforms and other enterprises.

Additionally, Mosaic by Transmit Security provides a state-of-the-art, fully programmable CIAM platform that promotes the fusion of customer identity, identity verification and fraud prevention. This innovative approach includes several key components designed to enhance identity management and security across your whole web environment.

Our platform offers advanced Identity Verification capabilities, ensuring that users are who they claim to be. By leveraging a multitude of verification methods, such as document scanning, biometric checks and database cross-references, Transmit Security enables organizations to verify identities quickly and accurately, without falling for fake IDs and deepfake faces. This comprehensive approach helps reduce fraud and streamline the onboarding process for new users.

With Detection and Response, Transmit Security features a robust mechanism to identify and mitigate security threats in real time. Using advanced AI-driven analytics and machine learning, the platform can detect anomalies and suspicious activities, providing immediate alerts and automated responses to potential threats. This proactive, context-aware security measure helps organizations protect their digital assets and maintain the integrity of their user accounts.

Mosaic includes full-stack authentication services designed to deliver secure and frictionless authentication experiences, with support for a wide range of authentication methods such as biometrics, FIDO2, truly passwordless login and multi-factor authentication (MFA). Based on a wide range of parameters such as device ID, origin IP, sensitivity of the operation and user behavior telemetry, Transmit Security is able to provide different authentication methods for each situation, granting robust security while enhancing user convenience.

Finally, we also provide Identity Orchestration capabilities, allowing organizations to design and implement customized identity workflows. This solution integrates various identity services and technologies into a cohesive framework, enabling seamless user experiences and streamlined operations. Identity orchestration supports dynamic policy enforcement, adaptive authentication, and frictionless user journeys, enhancing overall security and user satisfaction, all with a low-code/no-code approach.

Embrace the future of device identification with crypto-binding

Secure device identification is paramount for protecting sensitive information and ensuring trustworthy interactions. The Web Cryptography API plays a crucial role in this process by enabling a robust cryptographic method to uniquely and securely identify devices. This modern approach overcomes the limitations of traditional device identification, providing a more reliable and secure solution.

Transmit Security leverages the power of crypto-binding to offer a secure, user-friendly solution for device identification. By generating and storing cryptographic keys on the device, and associating public keys with user accounts, Transmit Security enhances security while minimizing privacy risks. This approach not only strengthens MFA usage but also simplifies the user experience, reducing the need for frequent device re-registrations.

Learn more about how our platform can enhance your security infrastructure. Explore the comprehensive solutions Transmit Security offers and request a demo to discover how crypto-binding and our other advanced CIAM features can transform your whole customer identity lifecycle.

Authors

  • Thiago Silva, Product Marketing Manager

    Thiago has been fascinated by languages and technology since he was a kid. Growing up in the 90s, he was astonished by each new technology or gadget he discovered; he still keeps his first cell phone on display in his home. After getting a degree in Languages and Literature, he pursued a Master's and a PhD in Linguistics and has been writing for the tech industry ever since. He's worked with edge computing and CDNs for almost three years at Azion Technologies and is excited to dive deep into the CIAM and cybersecurity world.

  • Adi Dimant, Detection & Response Team Lead

    Adi got his first professional experience by establishing several impactful tech ventures at a young age. In 2019, as one of the early engineers in a fintech startup, he led the development of the company’s core backend computation system from the ground up. Adi holds a B.Sc. in Computer Science from Reichman University, graduating with Summa Cum Laude honors, where he extended his studies to focus on cyber security. Currently, he serves as Engineering Manager at Transmit Security, where he leads the Detection and Response engineering team. Adi also lectures in the Cyber Security and Engineering fields at the academy, sharing real-world insights with aspiring professionals.