BACKGROUND

[0001] Device authentication is the proving of the identity of a device - i.e., that an electronic device is the particular device that it purports to be. Authentication differs from identification, which is the determining of identity, in that authentication verifies identity. Device authentication further differs from user authentication, which is proving of the identity of a user, who may currently be using a given device.

BRIEF DESCRIPTION OF THE DRAWINGS [0002] FIG. 1 is a flowchart of an example method for generating a device fingerprint of an electronic device at time of manufacture of the device.

[0003] FIG. 2 is a flowchart of an example method for authenticating an electronic device.

[0004] FIG. 3 is a flowchart of an example method for authenticating an electronic device based on its device fingerprint as encrypted with a timestamp. [0005] FIG. 4 is a flowchart of an example method for authenticating an electronic device based on a cryptographic log of component interrogation used to acquire component attributes encoded in the device’s device fingerprint. [0006] FIG. 5 is a flowchart of an example method for authenticating an electronic device based on its device fingerprint integrally. [0007] FIG. 6 is a flowchart of an example method for authenticating an electronic device based on component attributes encoded within the device’s device fingerprint.

[0008] FIG. 7 is a flowchart of an example method for authenticating an electronic device based on the device’s components having attributes encoded within the device’s device fingerprint.

[0009] FIG. 8 is a flowchart of an example method for updating a device fingerprint of an electronic device at time of replacement of a component having attributes encoded within the fingerprint. [0010] FIG. 9 is a diagram of an example non-transitory computer- readable data storage medium.

[0011] FIG. 10 is a flowchart of an example method.

[0012] FIG. 11 is a diagram of an example electronic device.

DETAILED DESCRIPTION [0013] As noted in the background, device authentication is the proving of the identity of a device - i.e., that an electronic device is the particular device that it purports to be. Device authentication is used in a number of different computing scenarios. For example, an electronic device like a computing device or a peripheral device may be authenticated before receiving authorization to perform certain actions, including accessing particular data, resources, and services as well as performing particular functions. The device may be authenticated apart from authentication of a user who may currently be using the device. [0014] An electronic device may be authenticated based on a unique identifier of the device. For example, a device that has network connectivity may be authenticated based on a unique address of its network adapter, such as its media access controller (MAC) address. However, authentication on this basis can be problematic. First, such a unique identifier can be easily spoofed, in that a malicious device can take on the MAC address of another device to impersonate the latter device. Second, the unique identifier may change over the life of a device. For example, if the network adapter of a device is replaced, then the device will have a new MAC address, and therefore cannot be authenticated based on the MAC address of its prior network adapter.

[0015] Techniques described herein provide for device authentication based on a device fingerprint encoding attributes of a number of components of an electronic device. Even if a small number of (less or non-critical) components are replaced within an electronic device, the resulting device fingerprint will remain sufficiently similar to the device’s prior fingerprint for successful authentication. The device fingerprint can further be generated in a way to minimize the potential for spoofing.

[0016] FIG. 1 shows an example method 100 for generating a device fingerprint of an electronic device at time of manufacture of the device. The parts of the method 100 in the right column are performed by a computing device like a server or other type of computer, and which is referred to herein as an authentication device 102. The parts of the method 100 in the left column are performed by a different computing device, such as a client workstation or other type of computer, and which is referred to herein as a manufacturing device 104. [0017] The authentication and manufacturing devices 102 and 104 may be communicatively connected over a network, such as the Internet and/or another type of network. The manufacturing device 104 is located at the factory or other location at which an electronic device is manufactured, such as assembled. The authentication device 102 may be located at different premises, such as within a server room or farm maintained by or for the manufacturer or provider of the electronic device. For example, the authentication device 102 may provide authentication services in a cloud computing manner.

[0018] The electronic device may be a computing device, such as a desktop computer, a mobile computer like a laptop or notebook computer, or a mobile computing device such as a smartphone or tablet computing device, among other types of computing devices. The electronic device may be a peripheral device, such as a printing device like a standalone printer or an all-in- one (AIO) device that includes printing and other functionality like scanning and/or copying, or another type of peripheral device, such as a standalone scanner, a display device like a monitor, and so on. The electronic device may be a different type of electronic device as well. [0019] The method 100 may be implemented as program code stored on a non-transitory computer-readable data storage medium and executable by a processor. For example, the right parts of the method 100 may be implemented as program code executable by a processor of the authentication device 102. Similarly, the left parts of the method 100 may be implemented as program code executable by a processor of the manufacturing device 104.

[0020] The manufacturing device 104 transmits attributes of components that can be used to assemble a number of electronic devices (106). The components may be the individual hardware components that are selected and assembled to manufacture different electronic devices. For example, computing and peripheral devices may include network adapters, logic boards, processors, memory, and so on. The components may thus include a number of such network adapters, logic boards, processors, storage devices, and memory that are individually selected for assembly into a particular electronic device.

[0021] The attributes of a component can include its unique identifier, such as a MAC address, a universally unique identifier (UUID), a globally unique identifier (GUID), a serial number and so on. The attributes can include the type, make, and model of the component. The attributes may include a shared secret, such as a symmetrical cryptographic key, which may be unique to the component or that is unique to the manufacturer of the electronic device or the component, and which is stored in secure memory or a secure module of the component, like a trusted platform module (TPM). The attributes may include a public key of an asymmetrical cryptographic key pair that is unique to the component or the manufacturer, and for which a corresponding private key is stored in a secure memory or module of the component. The attributes can include other types of attributes as well. [0022] The authentication device 102 receives the attributes of the components (108), and stores them in an authorized component database (110). The authorized component database maintains components that are authorized for inclusion in electronic devices, such as the devices that are being manufactured at the factory at which the manufacturing device 104 is located, as well as for replacement of components to use in already manufactured devices that are undergoing service, maintenance, or repair. For each component, the authorized component database thus stores the attributes of the component. [0023] The manufacturing device 104 constructs a device fingerprint of an electronic device that is undergoing manufacture or that has been manufactured (112). The device fingerprint is unique to the electronic device. The device fingerprint encodes the attributes of the authorized components (e.g., the components for which attributes were transmitted in part 106) of the electronic device. The device fingerprint may be encrypted by a shared secret or a private key of a particular component of the electronic device, which can mitigate spoofing of the device fingerprint.

[0024] The component attributes can be encoded within the device fingerprint in a number of different ways. For example, the component attributes may be concatenated together, or formatted according to a markup language schema. The resulting amalgamation of the attributes may be subjected to a specific two-way hash function. The hash function is reversible, so that the attributes can be recovered from the generated device fingerprint. [0025] The manufacturing device 104 transmits the device fingerprint of the electronic device to the authentication device 102 (114), which receives the fingerprint (116). The authentication device 102 in turn stores the device fingerprint within an authorized device database (118). The authorized device database stores the device fingerprints of electronic devices that are authorized to perform actions. Therefore, when an electronic device later requests permission to perform an action, the authentication device 102 can authenticate the device before providing permission for the electronic device to perform the action. The authorized device database can be a different database than the authorized component database.

[0026] The authentication device 102 may verify that the received device fingerprint is unique within the authorized device database prior to storing the fingerprint in the database. If the device fingerprint is not unique, then the authentication device 102 may inform the manufacturing device 104 that the manufactured electronic device should not be released to a customer or to a reseller or warehouse. Investigation may then occur as to why the fingerprint is not unique.

[0027] Parts 106, 108, and 110 are repeated each time new components for inclusion in electronic devices become available. Parts 112, 114, 116, and 118 are performed for each electronic device that is manufactured. Parts 112,

114, 116, and 118 are performed as individual electronic devices are manufactured; or in batch mode, such as at every batch of electronic devices that are manufactured; or periodically, such as at the conclusion of every day or periodically throughout the day; and so on.

[0028] FIG. 2 shows an example method 200 for authentication an electronic device using its device fingerprint. The parts of the method 200 in the right column are performed by the authentication device 102. The parts of the method 200 in the left column are performed by an electronic device 202 that may have been manufactured per FIG. 1. The authentication device 102 and the electronic device 202 are communicatively connected, such as over a network. The electronic device 202 may be located at the premises of an end user, such as at the offices or other building of a company or other organization or entity, and which may be different than that at which the authentication device 102 is located.

[0029] The method 200 may be implemented as a program code stored on a non-transitory computer-readable data storage medium and executable by a processor. As such, the right and left parts of the method 200 may be implemented as program code executed by processors of the authentication and electronic devices 102 and 202, respectively. The processor of the electronic device 202 may, for instance, be part of a secure module, such as a TPM, which is itself a component of the device 202. [0030] The electronic device 202 interrogates its components to acquire the attributes from which the device fingerprint of the device 202 is to be constructed (203). In performing this interrogation, the electronic device 202 may in one implementation generate a cryptographic interrogation log. The cryptographic log can be an encrypted or digitally signed log of the communication that the electronic device 202 performed with each component to acquire the attributes of that component. The log is cryptographic in that the log of the communication is recorded through secure cryptographic techniques, including signing and/or encryption. Security hardware within the electronic device 202, such as a TPM, may apply the cryptography, and thus attesting to the content within the log.

[0031] The electronic device 202 constructs the device fingerprint (204). The device fingerprint encodes the acquired component attributes, in the same manner in which component attributes were encoded within a device fingerprint in part 112 of FIG. 1. The constructed device fingerprint can further include the cryptographic log of the component interrogation in one implementation. The encoding of the component attributes is severable from the cryptographic log within device fingerprint. [0032] The electronic device 202 may encrypt the device fingerprint with a timestamp of the current system time (e.g., the time of construction of the device fingerprint) (206). For example, the electronic device 202 may encrypt the device fingerprint using a shared secret, like a symmetrical cryptographic key, known to the authentication device 102 or previously stored by the authentication device 102 within the authorized device database. In encrypting the device fingerprint in this or another manner, the timestamp may intrinsically be imbued to the fingerprint per the particular encryption technique that is employed. Encryption can include digital signature as well in one implementation. [0033] In part 206, the electronic device 202 may encrypt the device fingerprint with other information as well. For example, geolocation information, other spatial or location information, and other types of environmental information regarding the environment of the electronic device 202 at time of construction of the device finger may be added. Such additional information provides for additional bases on which authentication can be performed. Furthermore, the timestamp may include other information in addition to or in lieu of the actual current system time, but which also are indicative of the time at which the device fingerprint was constructed. Such additional information may include a sequence number or other identifier that changes each time a fingerprint is generated.

[0034] The electronic device 202 can send the device fingerprint as part of an authorization request for the device 202 to perform an action (208). The device fingerprint may be generated each time the electronic device 202 is to perform an action for which there has to be prior authorization from the authentication device 102. The authentication device 102 receives the request, including the device fingerprint, from the electronic device 202 (210).

[0035] The authentication device 102 can perform a number of different types of authentication of the electronic device 202 using the received device fingerprint. In one implementation, the authentication device 102 may authenticate the electronic device 202 based on the device fingerprint as encrypted with a timestamp (212), an example technique for which is described in later in the detailed description. In one implementation, the authentication device 102 may authenticate the electronic device 202 based on the cryptographic log included with device fingerprint (214), an example technique for which is also described later in the detailed description.

[0036] The authentication device 102 can authenticate the electronic device 202 based on the device fingerprint integrally (216). That is, the authentication device 102 can determine whether the device fingerprint as a whole is identically associated with an authorized electronic device. An example technique for such authentication is described later in the detailed description. [0037] The authentication device 102 may, if the electronic device 202 failed authentication on the basis of the device fingerprint integrally, authenticate the device based on the component attributes within the device fingerprint (218). That is, if the device fingerprint is not stored within the authorized device database, the authentication device 102 may determine whether the device fingerprint is sufficiently similar to a device fingerprint that is stored within the database. An example technique for such authentication is described later in the detailed description.

[0038] The authentication device 102 may in one implementation authenticate the electronic device 202 based on the components of the device 202 having the attributes encoded within the received device fingerprint (220). That is, the authentication device 102 may determine whether each such component is itself authorized, using the authorized component database. An example technique for such authentication is described later in the detailed description. [0039] The result of electronic device authentication of parts 212, 214,216, 218, and 220 may be successful or unsuccessful. The authentication of the electronic device 202 may be unsuccessful if the authentication of part 212, 214, or 220 is unsuccessful. In one implementation, if authentication of part 212, 214, 216, or 220 fails, then any other authentication that has not yet been performed is not performed, since authentication of the electronic device 202 in this case will have already been deemed unsuccessful.

[0040] The authentication of the electronic device 202 may be unsuccessful if the authentication of both parts 216 and 218 is unsuccessful. In one implementation, if authentication of both parts 216 and 218 is unsuccessful, then any other authentication that has not yet been performed is not performed, since authentication of the electronic device 202 in this case will have already been deemed unsuccessful. The authentication of the electronic device 202 may be successful if the authentication of every part 212, 214, and 220 is successful, and the authentication of part 216 or 218 is successful. In one implementation, if the authentication of part 216 is successful, then the authentication of part 218 is not performed.

[0041] If authentication of the electronic device 202 is successful, then the authentication device 102 can send a reply authorizing performance of the requested action (222). The electronic device 202 receives this reply (224) and accordingly performs the action (226). If authentication of the electronic device 202 is unsuccessful, then the authentication device 102 can instead send a reply prohibiting performance of the requested action (228). The electronic device 202 similarly receives this reply (230) and accordingly does not perform the action (232). As one example, to perform the action, the electronic device 202 may need certain information from the authentication device 102. Therefore, by the authentication device 102 withholding this information from the electronic device 202, the electronic device 202 cannot perform the action.

[0042] FIG. 3 shows an example method 300 for authenticating the electronic device 202 based on its device fingerprint as encrypted with a timestamp. The authentication device 102 can perform the method 300 to realize part 212 of FIG. 2. The authentication device 102 may determine whether the received device fingerprint, as encrypted with the timestamp, was previously received (302). The device fingerprint, which may include the cryptographic log, is unique at the time of encryption, due wholly or in part because it has been encrypted with the timestamp. If the authentication device 102 previously received this same version of the device fingerprint, then this may mean that it has been maliciously captured and is being presented by a different device in an attempt to spoof the electronic device 202. Therefore, if the device fingerprint as encrypted with the timestamp was previously received, the authentication device 102 does not successfully authenticate the electronic device 202 (306).

[0043] If the authentication device 102 has not previously received the device fingerprint as encrypted with the timestamp, the device 102 may further determine whether the timestamp has recency (308), in accordance with a criteria, before successfully authenticating the electronic device 202. Recency means that the timestamp specifies a time that is recent relative to the current time, and whether the time is recent relative to the current time is defined by the criteria. For example, the criteria may specify that the device fingerprint was generated no more than a certain length of time, as measured in seconds, minutes, or hours, before the current time, where the timestamp denotes the time when the electronic device 202 generated the fingerprint. If the timestamp does not have recency (310), then the authentication device 102 does not successfully authenticate the electronic device 202 (306). The authentication device 102 successfully authenticates the electronic device 202 if the authentication device 102 has not previously received the device fingerprint as encrypted with the timestamp, and the timestamp has recency (312).

[0044] FIG. 4 shows an example method 400 for authenticating the electronic device 202 based on the cryptographic log of the device 202’s interrogation with its components to acquire the attributes encoded within the device fingerprint. The authentication device 102 can perform the method 400 to realize part 214 of FIG 2. The authentication device 102 may determine whether the device fingerprint includes a cryptographic log (402). If the device fingerprint does not include a cryptographic log, then this may mean that the authorized device database has been compromised, and a malicious party has acquired device fingerprints of authorized devices. However, the device fingerprints in the database do not include cryptographic logs. Therefore, if the device fingerprint received from the electronic device 202 does not include a cryptographic log, the authentication device 102 does not successfully authenticate the electronic device 202 (406). [0045] If the received device fingerprint does include a cryptographic log, the authentication device 102 may further determine whether the cryptographic log has legitimacy (408), in accordance with a criteria, before successfully authenticating the electronic device 202. Legitimacy means that the cryptographic log correctly lists the communication between the authentication device 102 and its components that has to occur for the device 102 to have acquired the attributes encoded within the device fingerprint. The criteria specifies which communication should be present in the cryptographic log in this respect. If the cryptographic log does not have legitimacy (410), then the authentication device 102 does not successfully authenticate the electronic device (406). The authentication device 102 successfully authenticates the electronic device 202 if the received device fingerprint includes a cryptographic log and the log has legitimacy (412).

[0046] FIG. 5 shows an example method 500 for authenticating the electronic device 202 based on its device fingerprint integrally. The authentication device 102 can perform the method 500 to realize part 216 of FIG. 2. Authentication in an integral manner means verifying that the received device fingerprint, after decryption and apart from the cryptographic log, is present within the authorized device database. Therefore, the authentication device 102 determines if the received device fingerprint matches any authorize device in the database (502). If it does - i.e., if the decrypted device fingerprint not including the cryptographic log matches a device fingerprint stored in the authorized device database (504) - then the authentication device 102 successfully authenticates the electronic device 202 (508). Otherwise, the authentication device 102 unsuccessfully authenticates the electronic device 202 (506).

[0047] FIG. 6 shows an example method 600 for authenticating the electronic device 202 based on the component attributes encoded within its device fingerprint. The authentication device 102 can perform the method 600 to realize part 218 of FIG. 2. Authentication in this respect means, if the device fingerprint does not match any device fingerprint stored in the authorized device database, whether the component attributes encoded in the device fingerprint nevertheless sufficiently match the component attributes of a device fingerprint that is stored in the database. For example, one or some but not all components of the electronic device 202 may have been replaced.

[0048] A criteria can specify whether the component attributes encoded within the device fingerprint sufficiently match the component attributes of a device fingerprint stored in the authorized device database. The criteria may specify the minimum threshold of component attributes that have to match to establish sufficiency, by number or by percentage of the total number of components encoded in each device fingerprint within the database. The criteria may instead or additionally specify critical component attributes that have to match for there to be sufficiency. For instance, certain components like the primary logic board that stores the secure module that constructs the device fingerprint may be deemed critical, and if the attributes of these components do not match the component attributes encoded within a device fingerprint in the database, then sufficiency will not be established.

[0049] Therefore, the authentication device 102 determines whether the component attributes encoded within the received fingerprint sufficiently match component attributes of any authorized device in the authorized device database (602), in accordance with a criteria. If the encoded attributes of the received device fingerprint match the encoded attributes of the device fingerprint of any authorized device in the database (604), then the authentication device 102 successfully authenticates the electronic device 202 (608). Otherwise, the authentication device 102 unsuccessfully authenticates the electronic device 202 (606).

[0050] FIG. 7 shows an example method 700 for authenticating the electronic device 202 based on the components having attributes encoded within the device fingerprint of the device 102. Authentication in this manner means verifying that each component identified by attributes encoded within the received device fingerprint is present within the authorized component database. If a component installed within the electronic device 202 is not present in the authorized component database, then this can mean that the component is unauthorized. [0051] Therefore, for each component identified by attributes encoded within the received device fingerprint, the authentication device 102 determines whether the component is in the authorized component database (704). If a component is present in the database (706), then authentication of the component is successful (710), and otherwise authentication of the component is unsuccessful (708). If any component of the electronic device 202 is unsuccessfully authenticated, then the authentication device 102 unsuccessfully authenticates the electronic device 202 (712). By comparison, if every component is successfully authenticated, then the authentication device 102 successfully authenticates the electronic device 202 (714).

[0052] FIG. 8 shows an example method 800 for updating a device fingerprint of the electronic device 202 at time of replacement of a component within the device 202. The parts of the method 800 in the right column are performed by the authentication device 102, and the parts of the method 800 in the left column are performed by the electronic device 202. The parts of the method 800 in the center column are performed by a different computing device, such as a server or client workstation or other type of computer, and which is referred to as a service device 802 herein. [0053] The service device 802 and the authentication device 102 are communicatively connected over a network. The electronic device 202 and the service device 802 may similarly be communicatively connected, over this same network or a different network. At the time the method 800 is performed, the electronic device 202 may be located at an authorized service center or at the premises of an end user. The service device 802 may be located at the authorized service center, such as within a server room or farm maintained by or for the service center, and/or may be located at the same premises as the authentication device 102. The service device 802 may be a repair tool that is in proximity to the electronic device 202, in another implementation.

[0054] The method 800 may be implemented as program code stored on a non-transitory computer-readable data storage medium and executable by a processor. For example, the right parts of the method 800 may be implemented as program code executable by a processor of the authentication device 102, and the left parts of the method 800 may be implemented as program code executable by a processor of the electronic device 202. The middle parts of the method 800 may be implemented as program code executable by a processor of the service device 802.

[0055] The method 800 is performed when an existing component of the electronic device 202 has been replaced with a new component. The method 800 is described in relation to the replacement of one such component, but is applicable to the scenario in which multiple components of the electronic device 202 are replaced. The electronic device 202 interrogates its components, including the new component, to acquire the attributes (804) on which basis the device 202 then constructs a device fingerprint (806), which is an updated device fingerprint in that the attributes of the new component are encoded as opposed to the attributes of the existing component that was replaced. Part 804 may be performed per part 203 of FIG. 2. Part 806 may be performed per part 204 of FIG. 2, although the cryptographic interrogation log may not be included. In the example of FIG. 8, the updated device fingerprint is not encrypted with a timestamp, but may be per part 206 of FIG. 2. [0056] The electronic device 202 sends the updated device fingerprint to the service device 802 (808), which upon receipt (810) can send a request for authorization to replace the existing component with the new component (812). The replacement authorization request includes the updated device fingerprint. The authentication device 102 receives the authorization request (814), and first authenticates the electronic device 202 based on the component attributes encoded within the updated device fingerprint (816), per part 218 of FIG. 2. The authentication device 102 may not perform authentication based on the updated device fingerprint integrally, because it is assumed that the updated device fingerprint does not identically appear in the authorized device database since the fingerprint is received as part of a replacement authorization request. In the example of FIG. 8, the authentication device 102 thus does not perform authentication per part 216 of FIG. 2, nor authentication per part 212, 214, and/or 220 of FIG. 2, but in one implementation can perform such authentication. [0057] The authentication device 102 identifies the new component of the electronic device 202 (818). The new component is the component having attributes encoded in the updated device fingerprint that are not encoded in any device fingerprint stored in the authorized device database. Stated another way, the authentication device 102 will have successfully authenticated the electronic device 202 in part 816 by sufficiently matching the component attributes encoded in the updated device fingerprint against the component attributes encoded in the device fingerprint of an authorized device in the database. The new component is the component having the attributes that did not match the attributes encoded in the device fingerprint of this authorized device in the database.

[0058] The authentication device 102 then authenticates the electronic device 202 based on the identified new component (820), such as by performing part 702 of FIG. 7 but for just the new component. That is, the authentication device 102 authenticates the new component against the authorized component database. If authentication of the electronic device 202 is successful (viz., in both parts 816 and 820), then the authentication device 102 replaces the existing device fingerprint of the electronic device 202 in the authorized device database with the updated device fingerprint (822). The existing device fingerprint is the device fingerprint of the authorized device in the database that the electronic device 202 has been successfully authenticated as in part 816.

[0059] If authentication of the electronic device 202 is successful, then the authentication device 102 can also send a reply to the service device 802 authorizing replacement of the existing component with the new component (824). Upon receiving the reply (826), the service device 802 can in turn notify the electronic device 202 that the updated device fingerprint has been authorized (828). Upon the electronic device 202 receiving the notification (830), the device 202 can configure itself as ready for use (832). That is, the electronic device 202 can configure itself so that responsive to receiving a request to perform an action, the device 202 initiates performance of FIG. 2. The electronic device 202 may be returned or turned back over to the end user. [0060] By comparison, if authentication of the electronic device 202 is unsuccessful, then the authentication device 102 may send a reply to the service device 802 prohibiting replacement of the existing component with the new component (834). Upon receiving the reply (836), the service device 802 can in turn notify the electronic device 202 that the updated device fingerprint has not been authorized (838). Upon the electronic device 202 receiving the notification (840), the device 102 may configure itself as not ready for use (842). In another case, the electronic device 202 may be configured as not ready for use at the time the device 102 detects installation of a new component and initiates performance of the method 800, such that in part 842 the device 102 may just not configure itself as ready for use as it did in part 832. The technician, service personnel, or other user (e.g., the end user) that installed the new component in the electronic device 202 may troubleshoot why this installation was not authorized, and may switch out the component for a different replacement component and again initiate performance of the method 800.

[0061] FIG. 9 shows an example non-transitory computer-readable data storage medium 900 storing program code 902 executable by an authentication device to perform processing. The processing includes receiving, from an electronic device, a device fingerprint encoding attributes of components of the electronic device (904). The processing includes authenticating the electronic device based on the device fingerprint integrally (906). The processing includes, responsive to unsuccessfully authenticating the electronic device based on the device fingerprint integrally, authenticating the electronic device based on the attributes of the components of the electronic device encoded within the device fingerprint (908).

[0062] FIG. 10 shows an example method 1000. The method 1000 includes receiving, by an authentication device from a service device, an updated device fingerprint encoding attributes of components of an electronic device, including a new component that replaced an existing component of the electronic device (1002). The method 1000 includes authenticating, by the authentication device, the electronic device based on the attributes of the components of the electronic device encoded within the updated device fingerprint (1004). The method 1000 includes, responsive to successfully authenticating the electronic device, replacing, by the authentication device, an existing device fingerprint of the electronic device with the updated device fingerprint within an authorized device database (1006).

[0063] FIG. 11 shows an example electronic device 1100. The device 1100 includes a network adapter 1102, which can be or includes hardware, to communicatively connect with an authentication device, such as over a network. The device 1100 includes components 1104 having attributes. The device 1100 includes a processor 1106, as well as a memory 1108 storing program code 1110. The program code 1110 is executable by the processor 1106 to interrogate the components 1104 to acquire the attributes of the components 1104 (1112), and construct a device fingerprint encoding the attributes of the components 1104 (1114). The program code 1110 is executable by the processor 1106 to send the device fingerprint to the authentication device to authenticate the device 1100 based on the device fingerprint integrally and based on the attributes of the components 1104 encoded within the device fingerprint (1116).

[0064] Techniques have been described herein for device authentication based on a device fingerprint encoding component attributes of the device. An electronic device can be authenticated based on its device fingerprint in a number of different ways. Even if a small number of less or non-critical components of the device are replaced, the electronic device can still be authenticated based on its updated device fingerprint.