Device Fingerprinting with Peripheral Timestamps

Authenticate, identify, and track devices based on keyboard, mouse, and touchcreen input in a web browser.

Almost every personal computer is able to sense and process user input from peripheral sensors, like a touchscreen or keyboard. Dozens of components work together in a pipeline from the time a key is pressed until a character appears on screen. These components are fairly unique to each device. This allows fine-grained measurements of DOM event timings in a web browser to reveal timekeeping differences among devices forming the basis for device fingerprinting.

The time an event reaches the web page depends on the behavior of several low-frequency components in the pipeline, including:

  • Polling on the peripheral itself (such as keyboard matrix scanning and touchscreen sampling)
  • Communication between the peripheral and host (USB, PS/2)
  • OS process scheduling (when the IRQ get acknowledged, processed, and passed along to the application)
  • Browser event loop, which schedules events the timing of callbacks within the web page
Low-frequency polling effectively quantizes the event timings in the browser. Because these components may run off of an independent clock from system time, clock skew can be measured without an explicit reference. Besides clock skew, the instantaneous phase of each low-frequency component reveals idiosynchratic behaviors of the device.

This fingerprinting technique works on desktop, laptop, and mobile devices. No special permissions are required to register callbacks to peripheral DOM events, such as keydown and mousemove, making this technique widely applicable. For more information, see the paper (in IEEE S&P 2022).

The plots below each show the power spectral density (PSD) updated in real time for common peripheral DOM events: keydown, mousemove, wheel, and touchmove. Domanint frequencies are peaks in the PSD (labeled in orange), and the fundamental frequency is the lowest frequency that carries a significant amount of energy compared to the rest of the spectrum. Clock skew is measured as a fine-grained estimate of the fundamental frequency shown in the title of each plot (if the fundamental frequency exists). For example, the fundamental may be 125Hz (USB device), but actual running frequency could be slightly faster at 125.001Hz. There are several ways to measure time in a web browser, and both the PSD and fundamental frequency estimates may also differ based on the time source.

Try typing in the textarea below (button mashing is OK), moving the mouse around, scrolling, and clicking to see your device's fingerprint. About 30 events are needed to obtain good estimates, and this improves as more events are generated. The PSD may differ based on physical device, device type (mobile vs desktop), browser family, OS family, and peripheral (USB vs PS/2 keyboard). See the code and submit issues here.

Change the time source: