[thelist] restricting an account to one device

Volkan Özçelik volkan.ozcelik at gmail.com
Fri Jan 10 18:34:22 UTC 2020


> To prevent multiple sign-ins, you need to maintain an active session
database on the server side.

Yup.

- User logs in; forgets to log out; closes browser.

- User logs in on another machine only to get this message:
“Warning: You have an active session elsewhere; logging in here will log
you out from that session”

… or not. The system simply kicks the user out of the other session.

As long as you track the number of active user sessions, limit them to
one, and invalidate all existing sessions when a new one is created, you
should be good to go.

There are certain streaming providers who do that
(i.e. you cannot watch the video on your tablet and on the TV at the same
time…kinda)

V.



On Fri, Jan 10, 2020 at 3:20 AM Ken Schaefer <ken at adopenstatic.com> wrote:

> To prevent multiple sign-ins, you need to maintain an active session
> database on the server side.
>
> At the very least, on every login, you check to see if there's an existing
> active session for that user, and you sign-out any other session (or
> prevent the new session). This doesn't prevent credential sharing, but it
> does prevent simultaneous logins. If you are able, check on every page
> request, rather than just login.
>
> The hoops you are going through below are a different measure. This is
> likely a risk-based authentication system, where various parameters about
> your usage pattern (browser, mobile device ID, IP address) are used to gauge
> how likely you are to be who you say you are.
>
> FWIW, I work in IAM architecture at a fairly large bank. There are many
> ways to, figuratively, skin the cat. The above is the basic way of doing it.
>
> Regards
> Ken
>
> -----Original Message-----
> From: thelist <thelist-bounces at lists.evolt.org> On Behalf Of Bob Meetin
> Sent: Friday, 10 January 2020 2:26 PM
> To: thelist at lists.evolt.org
> Subject: [thelist] restricting an account to one device
>
> Greetings,
>
> Since thelist is alive, here's a question that I was thinking to post on
> stackoverflow but feels more like feedback material.
>
> I have a project, a customer with a paid membership system. The customer
> wants the security set up so tight that there is no possibility of
> simultaneous logins - he has referenced online banking systems as a model
> several times. Curious, I just ran some tests with my online banking thru
> Chase. I opened up 2 different browsers, one Firefox and the other Chrome.
>
>  1. I signed in with Firefox - entered username and password. It
>     recognized me from home so no extra hoops.
>  2. I then signed in with Chrome - after entering the username and
>     password, it prompted me for hoops as it did not recognize the
>     device. I had to go through 3 hoops screens including obtaining a
>     code through email (or sms) before I could log in. This worked. Okay.
>  3. Just to see I then tried signing in with my phone. I had to go
>     through the same hoops as with Chrome but got signed in successfully.
>
> Observation? I was able to sign in with 3 different devices at the same
> time, simultaneously. The sessions timeout automatically after about
> 5-10 minutes, but the bank system allows many simultaneous sessions,
> different devices.
>
> When signed in there is an option to view recent signin history, called
> AccountSafe. In my case it shows 3 different devices (not really devices
> but what they call devices). There is one for each desktop browser and
> another for my phone browser. They are identified as:
>
> Linux x86_64
> Linux x86_64
> Linux (my Android phone)
>
> Recording OS information in itself does not seem like enough to lock down
> device access. I have a little function for grabbing some information like
> the following from visitors:
>
> IP address
> OS: Linux, Android, etc.
> Browser: Chrome, Firefox, etc
> Device: PC, mobile
> Extended OS info: X11; Ubuntu; Linux x86_64; rv:71.0
>
> Next I rebooted my router to get a new IP address and deleted all cookies
> and session info. This did nothing to restore jumping through hoops of
> having to reauthenticate. The bank system still recognizes the three
> devices and prompts for simple username/password access.
>
> Q1) What is the bank doing, recording to allow only those particular
> devices that I have authenticated. My understanding is that MAC address is
> not viable.
>
> I am pretty sure that I can set up a function using either sessions or
> cookies to detect if someone is currently signed in (maybe using browsing
> history, etc.) and prevent a second person from signing in with the same
> account unless they go through authentication hoops. Not sure.
>
> Q2) How would you approach preventing multiple simultaneous logins?
> Preferred method?
>
> The goal is to prevent account sharing.
>
> ---
> Bob
>
> --
>
> * * Please support the community that supports you.  * *
> http://evolt.org/help_support_evolt/
>
> For unsubscribe and other options, including the Tip Harvester and
> archives of thelist go to: http://lists.evolt.org Workers of the Web,
> evolt !
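The approach described in this thread (a server-side active-session store, one live session per user, the previous session invalidated when a new one is created, and the token re-checked on every request rather than only at login) as an added example; this is not code from any of the posters. The in-memory dictionaries, the `SingleSessionStore` class name, the 10-minute sliding expiry and the injectable `clock` are assumptions made for the example; a real deployment would keep the same two lookups (by session and by user) in Redis or a SQL table.

```python
import hashlib
import secrets
import time


class SingleSessionStore:
    """Server-side session registry that allows at most one live session per user.

    Example code (not from the thread). Two in-memory dicts stand in for the
    session database: one keyed by session-token hash, one keyed by user, so
    both "is this token valid?" and "does this user already have a session?"
    are O(1).
    """

    def __init__(self, ttl_seconds=600, clock=time.time):
        self.ttl = ttl_seconds          # assumed 10-minute sliding expiry
        self.clock = clock              # injectable for testing expiry
        self._sessions = {}             # token_hash -> {"user": str, "expires": float}
        self._by_user = {}              # user -> token_hash of the current session

    @staticmethod
    def _hash(token):
        # Store only a hash: a leaked session table then yields no usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def has_active_session(self, user):
        """Used before login to show the 'active session elsewhere' warning."""
        h = self._by_user.get(user)
        rec = self._sessions.get(h) if h else None
        if rec is None or rec["expires"] < self.clock():
            self.invalidate_user(user)  # drop stale bookkeeping
            return False
        return True

    def invalidate_user(self, user):
        """Sign the user out everywhere; returns True if a session was removed."""
        h = self._by_user.pop(user, None)
        if h is None:
            return False
        self._sessions.pop(h, None)
        return True

    def login(self, user):
        """Create a new session, evicting any existing one for this user.

        Returns (token, evicted) where evicted tells the caller whether the
        'you have been logged out elsewhere' notice applies.
        """
        evicted = self.invalidate_user(user)
        token = secrets.token_urlsafe(32)   # 256-bit random session token
        h = self._hash(token)
        self._sessions[h] = {"user": user, "expires": self.clock() + self.ttl}
        self._by_user[user] = h
        return token, evicted

    def validate(self, token):
        """Per-request check: returns the user if this token is the user's
        current, unexpired session; otherwise None (the request should be
        treated as unauthenticated)."""
        h = self._hash(token)
        rec = self._sessions.get(h)
        if rec is None:
            return None
        if rec["expires"] < self.clock():
            self.invalidate_user(rec["user"])
            return None
        if self._by_user.get(rec["user"]) != h:
            # Token belongs to a session that was superseded by a newer login.
            self._sessions.pop(h, None)
            return None
        rec["expires"] = self.clock() + self.ttl   # slide the expiry on use
        return rec["user"]


def demo():
    """Constructed walk-through: a second login from another device kicks the
    first one out. Returns (first token still valid?, second token's user, evicted)."""
    store = SingleSessionStore(ttl_seconds=600)
    first_token, _ = store.login("bob")
    second_token, evicted = store.login("bob")
    return store.validate(first_token), store.validate(second_token), evicted


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(None, 'bob', True)`: the first device's token stops validating the moment the second login is created, which is the "kick out the other session" variant; an application wanting the warning variant instead calls `has_active_session(user)` before `login(user)` and asks the user to confirm. Because `validate` runs on every request, a session that was evicted or that expired is rejected on its next request, not only at the next login.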

