Application Security Handbook

Concept of Trusted Devices


Last updated 1 year ago

Overview

This page describes the concept of trusted devices, which introduces an additional layer of authentication. Trusted devices allow blocking the source of an attack without blocking legitimate users. To do so, an application issues a token tied to a user's account for each device from which there has been a successful authentication. As a result, when authentication is blocked for a specific account during an attack, a legitimate user can still authenticate from trusted devices.

Algorithm description

Legend

- End of the algorithm.

The entry point for an authentication request:

  1. If an incoming request contains a device token:

    1. Validate the device token, see the Device token validation section.

    2. If token validation fails, proceed to step 2.

    3. If the device token is in a lockout list, reject the authentication attempt.

    4. Authenticate the user, see the User authentication section.

  2. If authentication from untrusted clients is locked out for the account, reject the authentication attempt.

  3. Authenticate the user, see the User authentication section.

User authentication

  1. Check user credentials.

  2. If credentials are valid:

    1. Issue a new device token to the user's client, see the Issue new device token section.

    2. Proceed with the authenticated user.

  3. Otherwise:

    1. Register the failed authentication attempt, see the Register failed authentication attempt section.

Register failed authentication attempt

  1. Register a failed authentication attempt with at least the following information:

    1. Account.

    2. Time.

    3. Device token (if present).

  2. If a device token is present:

    1. Count the number of unsuccessful authentication attempts in the last K minutes for this specific device token.

    2. If the number of unsuccessful attempts in K minutes is more than M, put the device token in a lockout list for N minutes.

  3. Otherwise:

    1. Count the number of unsuccessful authentication attempts without a device token in the last K minutes for this specific account.

    2. If the number of unsuccessful attempts in K minutes is more than M, lock out all authentication attempts to this specific account from untrusted clients for N minutes.

Issue new device token

  1. Issue a device token using one of the following strategies:

    • Random token: generate a random token and save it in a database.

    • HMAC-based token: use an HMAC-based token.

    • JWT: use a JWT.

  2. Set an expiration date for the device token:

    • Random token: add an expiration date to the database record.

    • HMAC-based token: add an expiration date to the message for signing.

    • JWT: add an expiration date to the payload.

  3. Bind the device token to a specific user:

    • Random token: link the database record to the user by user ID.

    • HMAC-based token: add the user ID to the message for signing.

    • JWT: add the user ID to the payload.

Device token validation

If one of the following checks fails, the entire validation fails:

  1. Validate that the device token is valid:

    • Random token: there is a record in the database with the device token value.

    • HMAC-based token: the signature is valid.

    • JWT: the signature is valid.

  2. Validate that the device token has not expired:

    • Random token: check the expiration date in the database record.

    • HMAC-based token: check the expiration date in the signed message.

    • JWT: check the expiration date in the payload.

  3. Validate that the device token corresponds to the account for which authentication is attempted:

    • Random token: check the user ID in the database record.

    • HMAC-based token: check the user ID in the signed message.

    • JWT: check the user ID in the payload.

General

  • Set an expiration date of ~6 months.

  • Bind a device token to a specific account.

  • If the client is a browser, store the device token in a cookie, see the Cookie Security page.

Random token

  • Use a random token as a device token.

  • Use random tokens of length 16+ bytes.

  • Use a cryptographically strong generator to generate a device token, see the Cryptography: Random Generators page.

HMAC-based token

  • Use a message signed with HMAC as a device token. The message must contain at least:

    • User ID or username.

    • Expiration date.

    • Nonce.

Example
BASE64(USER_ID + EXPIRATION_DATE + NONCE + HMAC(USER_ID + EXPIRATION_DATE + NONCE, SECRET_KEY))

  • Generate a unique nonce for each token.

  • Use a cryptographically strong generator to generate a nonce, see the Cryptography: Random Generators page.

  • Comply with the requirements from the Cryptography: Hash-based Message Authentication Code (HMAC) page.

JSON Web Token (JWT)

  • Use a JSON Web Token (JWT) as a device token. The payload must contain at least:

    • User ID or username.

    • Expiration date.

    • Nonce.

  • Generate a unique nonce for each token.

  • Use a cryptographically strong generator to generate a nonce, see the Cryptography: Random Generators page.

  • Comply with the requirements from the JSON Web Token (JWT) page.
Example
{
  "alg": "HS256",
  "typ": "JWT"
}
{
  "userid": 31337,
  "nonce": "GiOzXAwlZ17NsW4CkVV8MQXtiQN9cWiY",
  "exp": 1516239022
}
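The HMAC-based token strategy from the section above, worked through in Python as an added example that is not part of the handbook. The layout follows the BASE64(USER_ID + EXPIRATION_DATE + NONCE + HMAC(...)) line, with "." assumed as a field delimiter and a constructed demo key; validation applies the three checks from the Device token validation section.

```python
import base64
import hashlib
import hmac
import secrets
import time

SECRET_KEY = b"constructed-demo-key-not-for-production"  # assumed; load from a key store in practice
TOKEN_TTL = 180 * 24 * 3600                               # ~6 months, per the "General" section


def _sign(message: bytes) -> str:
    """HMAC-SHA256 over the message, hex-encoded so it can be delimited safely."""
    return hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()


def issue_device_token(user_id: int, now=None) -> str:
    """BASE64(USER_ID . EXP . NONCE . HMAC(USER_ID . EXP . NONCE, SECRET_KEY)).

    The handbook writes the fields as a plain concatenation; '.' is used here
    as an explicit delimiter (an assumption) so the token parses unambiguously."""
    now = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16)              # unique per token, CSPRNG-generated
    message = f"{user_id}.{now + TOKEN_TTL}.{nonce}".encode()
    return base64.urlsafe_b64encode(message + b"." + _sign(message).encode()).decode()


def validate_device_token(token: str, user_id: int, now=None) -> bool:
    """The three validation checks: signature, expiry, account binding.
    Any single failure means the whole validation fails."""
    now = int(time.time()) if now is None else now
    try:
        uid, exp, nonce, sig = base64.urlsafe_b64decode(token.encode()).decode().split(".")
    except ValueError:                         # bad base64, bad UTF-8 or wrong field count
        return False
    expected = _sign(f"{uid}.{exp}.{nonce}".encode())
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False                           # 1. signature invalid: forged or tampered token
    if int(exp) <= now:                        # fields are trustworthy only after the MAC check
        return False                           # 2. expired
    return int(uid) == user_id                 # 3. must be bound to the authenticating account
```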

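The entry point, user authentication and failed-attempt registration steps of the algorithm, implemented end to end with the random-token strategy as an added example that is not from the handbook. The credential store, the in-memory tables standing in for the database, and the K, M and N values are constructed stand-ins; a run shows an account locked for untrusted clients while its trusted device still authenticates.

```python
import secrets
import time
from collections import defaultdict, deque

K_MINUTES, M_ATTEMPTS, N_MINUTES = 10, 5, 30    # the handbook's K, M and N, chosen for the demo
TOKEN_TTL = 180 * 24 * 3600                     # ~6 months, per the "General" section

# Constructed in-memory stand-ins for the database tables the handbook refers to.
CREDENTIALS = {"alice": "correct horse", "bob": "hunter2"}  # demo only; real systems store hashes
device_tokens = {}                        # token -> (username, expires_at)
failures = {"token": defaultdict(deque), "account": defaultdict(deque)}  # key -> failure timestamps
lockouts = {"token": {}, "account": {}}   # key -> locked-until timestamp

def _recent_failures(queue, now):
    """Drop timestamps outside the K-minute window and return how many remain."""
    while queue and queue[0] <= now - K_MINUTES * 60:
        queue.popleft()
    return len(queue)

def _register_failure(username, token, now):
    # Attempts from a trusted device are counted per token; attempts without a
    # valid token are counted per account and lock out untrusted clients only.
    scope, key = ("token", token) if token else ("account", username)
    failures[scope][key].append(now)
    if _recent_failures(failures[scope][key], now) > M_ATTEMPTS:
        lockouts[scope][key] = now + N_MINUTES * 60

def _issue_token(username, now):
    token = secrets.token_urlsafe(16)     # 16 random bytes from a CSPRNG
    device_tokens[token] = (username, now + TOKEN_TTL)
    return token

def _token_valid(token, username, now):
    record = device_tokens.get(token)     # exists, not expired, bound to this account
    return record is not None and record[1] > now and record[0] == username

def authenticate(username, password, token=None, now=None):
    """Entry point of the algorithm; returns (outcome, new_device_token)."""
    now = int(time.time()) if now is None else now
    trusted = token is not None and _token_valid(token, username, now)
    if trusted and lockouts["token"].get(token, 0) > now:
        return "rejected", None           # trusted device is in the lockout list
    if not trusted and lockouts["account"].get(username, 0) > now:
        return "rejected", None           # account locked for untrusted clients
    if secrets.compare_digest(password.encode(), CREDENTIALS.get(username, "").encode()):
        return "ok", _issue_token(username, now)
    _register_failure(username, token if trusted else None, now)
    return "invalid", None
```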
References

  • OWASP: Slow Down Online Guessing Attacks with Device Cookies