Abstract:
Browser fingerprinting is a tracking technique used to distinguish individual users. By leveraging unique fingerprint features or combining multiple ones, websites can not only identify users but also monitor their online activities. A specific aspect of browser fingerprinting, known as canvas fingerprinting, generates distinct values based on the characteristics of users' devices. This unique trait of canvas browser fingerprinting can be employed in challenge-response authentication, enabling user verification without requiring additional actions and potentially replacing the need for two-factor authentication. Furthermore, canvas fingerprinting can serve as an alternative to cookies, facilitating functionalities like the “Remember me” feature. This paper introduces an implementation of a man-in-the-middle attack called “CRSlash” that targets prevalent challenge-response authentication methods, with a particular focus on canvas fingerprinting based challenge-response authentication. In the case of CRSlash, an attacker only needs to obtain a challenge from the targeted device once. Subsequently, they can successfully navigate the authentication process. Our investigation reveals that existing challenge-response authentication methods relying on canvas fingerprinting are vulnerable to this attack. This vulnerability persists in both one-time authentication scenarios and continuous authentication setups. The outcomes of the attack demonstrate that prior canvas authentication methods are inadequate in countering this new threat. In response to this security concern, we propose a novel approach to canvas fingerprinting-based challenge-response authentication, which we call “CanvasDict.” In the CanvasDict process, the website creates a distinct authentication dictionary using the user's browser fingerprint during the registration phase. Later, during the login phase, the website selects random challenges from this dictionary for the authentication process.
Through in-dept...
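The following is an added illustration of the CanvasDict registration and login flow as the abstract describes it; it is not code from the paper or its authors. Because real canvas fingerprints come from a browser's pixel output, the renderer here is a stand-in: a hash over a constructed device profile and the challenge string, which models the fact that the rendering depends on both. The server class, the device profiles and the dictionary size are all assumptions made for the example.

```python
import hashlib
import hmac
import random
import secrets

# Constructed device profiles standing in for the GPU, font and anti-aliasing
# differences that make real canvas output device-specific (assumption).
ALICE_DEVICE = "gpu=IntelIris;fonts=Arial,Noto;aa=subpixel"
OTHER_DEVICE = "gpu=AMDRadeon;fonts=Arial,DejaVu;aa=grayscale"


def render_canvas(device_profile: str, challenge: str) -> str:
    """Simulated canvas fingerprint for one challenge (assumption).

    A real client would draw the challenge (text, shapes) on a <canvas> and
    hash the pixel data; here the hash over (device, challenge) models the
    property that the result depends on both the device and the challenge.
    """
    return hashlib.sha256(f"{device_profile}|{challenge}".encode()).hexdigest()


class CanvasDictServer:
    """Server side of a CanvasDict-style scheme (hypothetical implementation).

    Registration fills a per-user dictionary with the user's own renderings of
    fresh random challenges; login draws a random challenge from that
    dictionary and compares the new rendering against the stored one.
    """

    def __init__(self, dict_size: int = 16):
        self.dict_size = dict_size
        self.dictionaries: dict[str, dict[str, str]] = {}

    def registration_challenges(self, user: str) -> list[str]:
        # Fresh, unpredictable challenges; the client must render every one.
        challenges = [secrets.token_hex(8) for _ in range(self.dict_size)]
        self.dictionaries[user] = {c: "" for c in challenges}
        return challenges

    def complete_registration(self, user: str, responses: dict[str, str]) -> None:
        entry = self.dictionaries[user]
        for challenge in entry:
            entry[challenge] = responses[challenge]

    def login_challenge(self, user: str) -> str:
        # Random selection from the user's dictionary, as in the abstract.
        return random.choice(list(self.dictionaries[user]))

    def verify(self, user: str, challenge: str, response: str) -> bool:
        expected = self.dictionaries.get(user, {}).get(challenge)
        # Constant-time comparison so timing does not leak the stored value.
        return bool(expected) and hmac.compare_digest(expected, response)


def enroll(server: CanvasDictServer, user: str, device_profile: str) -> None:
    """Registration phase: the client renders each challenge once."""
    challenges = server.registration_challenges(user)
    responses = {c: render_canvas(device_profile, c) for c in challenges}
    server.complete_registration(user, responses)


def demo() -> tuple[bool, bool, bool]:
    """Returns (legit_login_ok, other_device_ok, response_reused_for_other_challenge_ok)."""
    server = CanvasDictServer(dict_size=8)
    enroll(server, "alice", ALICE_DEVICE)

    # Legitimate login: the enrolled device renders the chosen challenge.
    c1 = server.login_challenge("alice")
    legit = server.verify("alice", c1, render_canvas(ALICE_DEVICE, c1))

    # A different device renders the same challenge differently.
    other_device = server.verify("alice", c1, render_canvas(OTHER_DEVICE, c1))

    # A response recorded for c1 does not verify against any other challenge
    # in the dictionary, so varying the challenge per login matters.
    recorded = render_canvas(ALICE_DEVICE, c1)
    others = [c for c in server.dictionaries["alice"] if c != c1]
    reused = any(server.verify("alice", c, recorded) for c in others)
    return legit, other_device, reused


if __name__ == "__main__":
    print(demo())
```

The example models only the server-side bookkeeping that makes the challenge vary between logins; it does not model the man-in-the-middle position CRSlash relies on, and it makes no claim beyond the abstract about how the scheme fares against that attack.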
Date of Conference: 23-26 July 2024
Date Added to IEEE Xplore: 22 August 2024