17

When you enable two step verification for google accounts, you get sent a code by SMS to enter in addition to your username and password the first time you log in with a new device.

How do they detect that you're on a new device? I imagine for security it's probably a serverside generation of a device fingerprint, however surely one iPhone 5 is much like another - how can they be differentiated given the way the service works?

Oliver Kohll
  • 281
  • 1
  • 2
  • 3
  • 5
    Thinking about it, I guess it's a cookie – Oliver Kohll Jun 08 '13 at 10:16
  • possible duplicate of [Can a website still detect my real MAC address even if I use different virtual machine each time I visit the website?](http://security.stackexchange.com/questions/36583/can-a-website-still-detect-my-real-mac-address-even-if-i-use-different-virtual-m) – Adi Jun 08 '13 at 11:56

2 Answers2

15

It uses cookies (more specifically, the SMSV cookie h/t @Tomer). Use chrome in normal mode and login with 2FA. Open an incognito session* of Chrome and it will be a "new device". The only difference between the two is that the latter doesn't have any cookies (maybe it also has a different set of extensions, but it is unlikely that Google is using browser fingerprinting*)

In fact, I am under the impression said cookie only lasts for 30 days.

*make sure that if you have any extensions, they are ALL allowed in incognito mode, and you will see there is no "browser fingerprinting", as per @David Houde's answer.

Gaia
  • 750
  • 1
  • 6
  • 13
2

I am not entirely sure what Google uses, but there are many ways to identify a system, none of which are 100%.

The most common would be using cookies or localstorage to hold a unique identifier.

Another common method is to store User-Agent data, among others like Resolution/Color Depth, Time Zone, Available Fonts, and even Browser Plugins. While these do a good job at adding to the fingerprint, in the event of a targetted attack, this information is more or less public (or at very best relatively easy to aquire), and easy to spoof.

There is some good information at EFF if you are interested in browser fingerprinting.

aug
  • 103
  • 5
David Houde
  • 5,504
  • 1
  • 27
  • 22