[thelist] restricting an account to one device
ken at adOpenStatic.com
Sun Jan 12 01:01:53 UTC 2020
These days it is unlikely to be Flash.
I'm not a UX dev, but my understanding is that the four most common attributes will be:
a) cookie, if stored
b) font-list enumeration (which could be hashed to create an identifier)
c) HTML 5 canvas data hashed to create an identifier
d) IP address
Plus mobile devices have their own IDs that are accessible by apps to enable device binding.
Store (a) - (d) server side and input into a risk engine. Modern risk engines can be far more sophisticated than just handling authentication. Most will also do individual transaction authorization as well e.g. if the characteristics or value/risk of something you're trying to do is either unusual, or high, then you'll be prompted for additional step-up authentication.
From: thelist <thelist-bounces at lists.evolt.org> On Behalf Of Bob Meetin
Sent: Saturday, 11 January 2020 8:44 AM
To: thelist at lists.evolt.org
Subject: Re: [thelist] restricting an account to one device
In this case the Flash rumor feels like rumor - or maybe an outlier. I did a little research, enough to grasp how to remove Flash local shared objects including locating a browser addon for Linux. After clearing the data, I signed back into the banking system - nothing seems to have changed. It did not prompt me with the extra authentication hoops. Unless of course I am misunderstanding. Seems that you could also do it as sudo by removing the .macromedia folder under $HOME.
I cleared all cookies, objects anything I could find under the Privacy and Security settings. I'm working through some of the other items that Ken and Volkan suggested. It's all good stuff.
On 1/10/20 3:51 AM, Nadeem Hosenbokus wrote:
> Funny - I heard a "rumour" many years ago that some banks were using Flash for identifying user instances.
> I didn't pay much attention to that until now. You've checked the usual suspects (cookies and sessions) so I looked into Flash and I think that it might be a possibility... but I really, really, really hope not.
> So, it's not Flash in the traditional sense but something called Local Shared Objects. They work the same way as cookies but instead of being stored by the browser, they are stored by Flash.
> But I'm finding that a little hard to digest for a couple of reasons: first, it's really old tech (10 years old) and second, it can't reliably be assumed that all users will have Flash anymore. Didn't it die when iPhones came out?
> Nonetheless, I mention it because it ticks the boxes despite being improbable. Adobe have some instructions to clear LSOs:
> Another possibility that I am equally dubious about is the use of Local Storage. These work like cookies but can only be cleared if no other instance is using it, you've selected clear all cookies AND you've set the time limit to clear all from "the beginning of time".
> Nadeem Hosenbokus
> (230) 5766 9169
> -----Original Message-----
> From: thelist <thelist-bounces at lists.evolt.org> On Behalf Of Bob
> Sent: 10 January 2020 07:56
> To: thelist at lists.evolt.org
> Subject: [thelist] restricting an account to one device
> Since thelist is alive, here's a question that I was thinking to post on stackoverflow but feels more like feedback material.
> I have a project, a customer with a paid membership system. The customer wants the security set up so tight that there is no possibility of simultaneous logins - he has referenced online banking systems as a model several times. Curious, I just ran some tests with my online banking thru Chase. I opened up 2 different browsers, one Firefox and the other Chrome.
> 1. I signed in with Firefox - entered username and password. It recognized me from home so no extra hoops.
> 2. I then signed in with Chrome - after entering the username and password, it prompted me for hoops as it did not recognize the device. I had to go through 3 hoops screens including obtaining a code through email (or sms) before I could log in. This worked. Okay.
> 3. Just to see I then tried signing in with my phone. I had to go through the same hoops as with Chrome but got signed in successfully.
> Observation? I was able to sign in with 3 different devices at the same time, simultaneously. The sessions time out automatically after 5-10 minutes, but the bank system allows many simultaneous sessions, different devices.
> When signed in there is an option to view recent signin history, called AccountSafe. In my case it shows 3 different devices (not really devices but what they call devices). There is one for each desktop browser and another for my phone browser. They are identified as:
> Linux x86_64
> Linux x86_64
> Linux (my android phone)
> Recording OS information in itself does not seem like enough to lock down device access. I have a little function for grabbing some information like the following from visitors:
> IP address
> OS: Linux, Android, etc
> Browser: Chrome, Firefox, etc
> Device: PC, mobile
> Extended OS info: X11; Ubuntu; Linux x86_64; rv:71.0
> Next I rebooted my router to get a new IP address and deleted all cookies and session info. This did nothing to restore jumping through hoops of having to reauthenticate. The bank system still recognizes the three devices and prompts for simple username/password access.
> Q1) What is the bank doing or recording to allow only those particular devices that I have authenticated? My understanding is that MAC address is not viable.
> I am pretty sure that I can set up a function using either sessions or cookies to detect if someone is currently signed in (maybe using browsing history, etc) and prevent a second person from signing in with the same account unless they go through authentication hoops. Not sure.
> Q2) How would you approach preventing multiple simultaneous logins?
> Preferred method?
> The goal is to prevent account sharing.
Perfectionism: The Fine Art of Procrastination
LinkedIn | https://www.linkedin.com/in/bobmeetin
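Ken's attributes (a) to (d) fed into a risk engine with step-up authentication, together with Bob's Q2 on preventing simultaneous logins, as an added server-side example. This is not code from the thread or from any bank's system. It assumes the browser already posts its font list, a canvas hash and its user agent with the login form, that the password was verified before `login` is called, and that the emailed or SMS code is checked out of band (the `code_ok` flag). The risk weights, the threshold and the sample browser attributes are constructed for illustration.

```python
"""Device binding plus a small risk engine (added example, not from the thread)."""
import hashlib
import secrets
from collections import OrderedDict
from dataclasses import dataclass, field


@dataclass
class Account:
    devices: dict = field(default_factory=dict)          # device cookie token -> fingerprint
    ips: set = field(default_factory=set)                # IPs seen on trusted logins
    sessions: OrderedDict = field(default_factory=OrderedDict)  # session token -> fingerprint
    pending: dict = field(default_factory=dict)          # step-up challenge -> (fingerprint, ip)


def device_fingerprint(fonts, canvas_hash, user_agent):
    """Hash the font list, canvas hash and UA into one stable device identifier.
    The IP address is deliberately left out: it changes on a router reboot or a
    mobile hand-off, so it is scored as a separate risk signal instead."""
    canonical = "|".join(sorted(set(fonts))) + "\n" + canvas_hash + "\n" + user_agent
    return hashlib.sha256(canonical.encode()).hexdigest()


class RiskEngine:
    def __init__(self, max_sessions=1, step_up_threshold=3):
        self.accounts = {}
        self.max_sessions = max_sessions          # 1 = no simultaneous logins
        self.step_up_threshold = step_up_threshold  # arbitrary weights below, for illustration

    def _account(self, name):
        return self.accounts.setdefault(name, Account())

    def login(self, name, cookie_token, fonts, canvas_hash, user_agent, ip):
        """Call only after the password has been verified.
        Returns ('allow', session_token) or ('step_up', challenge_id)."""
        acct = self._account(name)
        fp = device_fingerprint(fonts, canvas_hash, user_agent)
        risk = 0
        if acct.devices.get(cookie_token) == fp:
            risk += 0   # device cookie present and fingerprint agrees: recognised device
        elif fp in acct.devices.values():
            risk += 2   # cookie cleared, but fonts/canvas/UA still match a trusted device
        else:
            risk += 3   # never seen this device on this account
        if ip not in acct.ips:
            risk += 1   # new network: on its own never enough to force a challenge
        if risk >= self.step_up_threshold:
            challenge = secrets.token_urlsafe(16)
            acct.pending[challenge] = (fp, ip)
            return "step_up", challenge
        acct.ips.add(ip)
        return "allow", self._open_session(acct, fp)

    def complete_step_up(self, name, challenge, code_ok):
        """The emailed/SMS code was checked out of band; enrol the device.
        Returns (session_token, cookie_token) to set as the device cookie, or None."""
        acct = self._account(name)
        if challenge not in acct.pending or not code_ok:
            return None
        fp, ip = acct.pending.pop(challenge)
        cookie_token = secrets.token_urlsafe(32)
        acct.devices[cookie_token] = fp
        acct.ips.add(ip)
        return self._open_session(acct, fp), cookie_token

    def _open_session(self, acct, fp):
        # A new login ends the oldest one once the session cap is reached.
        while len(acct.sessions) >= self.max_sessions:
            acct.sessions.popitem(last=False)
        token = secrets.token_urlsafe(32)
        acct.sessions[token] = fp
        return token

    def is_active(self, name, session_token):
        return session_token in self._account(name).sessions


# Constructed sample attributes for two browsers on the same Linux desktop.
FIREFOX = dict(fonts=["DejaVu Sans", "Liberation Serif", "Ubuntu"],
               canvas_hash="a1b2c3d4", user_agent="X11; Ubuntu; Linux x86_64; rv:71.0")
CHROME = dict(fonts=["DejaVu Sans", "Liberation Serif", "Ubuntu"],
              canvas_hash="e5f6a7b8", user_agent="X11; Linux x86_64; Chrome/79.0")


def scenario():
    """Replay the thread's experiment with a single-session policy."""
    engine = RiskEngine(max_sessions=1)
    home, cafe = "203.0.113.5", "198.51.100.7"
    steps = []
    decision, challenge = engine.login("bob", None, ip=home, **FIREFOX)
    steps.append(decision)                                  # step_up: unknown device
    sess1, cookie = engine.complete_step_up("bob", challenge, code_ok=True)
    steps.append(engine.login("bob", None, ip=home, **FIREFOX)[0])  # allow: cookie cleared, same device
    steps.append(engine.login("bob", None, ip=cafe, **FIREFOX)[0])  # step_up: cookie cleared and new IP
    decision, challenge = engine.login("bob", cookie, ip=home, **CHROME)
    steps.append(decision)                                  # step_up: different browser
    sess2, _ = engine.complete_step_up("bob", challenge, code_ok=True)
    steps.append(engine.is_active("bob", sess1))            # False: only one session may be open
    steps.append(engine.is_active("bob", sess2))            # True
    return steps


if __name__ == "__main__":
    print(scenario())
```

With `max_sessions=1` a second login from any device ends the first session, which is the behaviour Bob's customer asked for; raising it reproduces the bank's many-sessions behaviour while still challenging unrecognised devices. A fingerprint alone is weaker than the cookie, so it is scored rather than trusted outright, and the IP address only tips the decision in combination with another signal.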