[thelist] restricting an account to one device
Bob Meetin
bobm at dottedi.biz
Fri Jan 10 03:26:07 UTC 2020
Greetings,
Since thelist is alive, here's a question that I was thinking to post on
stackoverflow but feels more like feedback material.
I have a project, a customer with a paid membership system. The customer
wants the security set up so tight that there is no possibility of
simultaneous logins - he has referenced online banking systems as a
model several times. Curious, I just ran some tests with my online
banking thru Chase. I opened up 2 different browsers, one Firefox and
the other Chrome.
1. I signed in with Firefox - entered username and password. It
recognized me from home so no extra hoops.
2. I then signed in with Chrome - after entering the username and
password, it prompted me for hoops as it did not recognize the
device. I had to go through 3 hoops screens including obtaining a
code through email (or sms) before I could log in. This worked. Okay.
3. Just to see I then tried signing in with my phone. I had to go
through the same hoops as with Chrome but got signed in successfully.
Observation? I was able to sign in with 3 different devices at the same
time, simultaneously. The sessions time out automatically after about
5-10 minutes, but the bank system allows many simultaneous sessions,
different devices.
When signed in there is an option to view recent signin history, called
AccountSafe. In my case it shows 3 different devices (not really devices
but what they call devices). There is one for each desktop browser and
another for my phone browser. They are identified as:
Linux x86_64
Linux x86_64
Linux (my Android phone)
Recording OS information in itself does not seem like enough to lock
down device access. I have a little function for grabbing some
information like the following from visitors:
IP address
OS: Linux, Android, etc
Browser: Chrome, Firefox, etc
Device: PC, mobile
Extended OS info: X11; Ubuntu; Linux x86_64; rv:71.0
Next I rebooted my router to get a new IP address and deleted all
cookies and session info. This did nothing to restore jumping through
hoops of having to reauthenticate. The bank system still recognizes the
three devices and prompts for simple username/password access.
Q1) What is the bank doing, recording to allow only those particular
devices that I have authenticated? My understanding is that MAC address
is not viable.
I am pretty sure that I can set up a function using either sessions or
cookies to detect if someone is currently signed in (maybe using
browsing history, etc) and prevent a second person from signing in with
the same account unless they go through authentication hoops. Not sure.
Q2) How would you approach preventing multiple simultaneous logins?
Preferred method?
The goal is to prevent account sharing.
---
Bob
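
Added example, not part of the original post: one way to approach Q2 is to keep the "who is signed in" state on the server, one live session per account, so a second login either fails or, after the extra authentication step, replaces the first. The class name, method names and the 600-second idle timeout are assumptions for illustration, and the in-memory dict stands in for whatever shared session store the site uses.

```python
import hmac
import secrets
import time


class SingleSessionRegistry:
    """Hypothetical helper: at most one live session per account, tracked server side."""

    def __init__(self, idle_timeout=600, clock=time.time):
        self._active = {}          # account_id -> (session_token, last_seen)
        self._idle = idle_timeout  # assumed value, in seconds
        self._clock = clock

    def _live(self, account_id):
        """Return the account's session entry, dropping it if it has idled out."""
        entry = self._active.get(account_id)
        if entry and self._clock() - entry[1] <= self._idle:
            return entry
        self._active.pop(account_id, None)
        return None

    def login(self, account_id, step_up_passed=False):
        """Call after the password check succeeds.

        Returns a new session token, or None when another session is still
        live and the caller has not completed the extra verification step.
        """
        if self._live(account_id) and not step_up_passed:
            return None
        token = secrets.token_urlsafe(32)
        # Overwriting the entry revokes the previous session for this account.
        self._active[account_id] = (token, self._clock())
        return token

    def validate(self, account_id, token):
        """Call on every request; only the most recent token is accepted."""
        entry = self._live(account_id)
        if not entry or not hmac.compare_digest(entry[0].encode(), token.encode()):
            return False
        self._active[account_id] = (entry[0], self._clock())  # refresh idle timer
        return True

    def logout(self, account_id, token):
        """Free the slot so the next login needs no extra step."""
        if self.validate(account_id, token):
            del self._active[account_id]
```

Because the check runs on every request, a shared password yields only one usable session at a time: whoever signs in last pushes the other person out.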