Concept of Trusted Devices
Last updated
Last updated
This page describes the concept of trusted devices that introduces an additional layer of authentication. The concept of trusted devices allows blocking the source of an attack without blocking legitimate users. To do so, an application issues a token that is tied to a user's account for each device from which there was a successful authentication. As a result, when authentication is blocked for a specific account during an attack, a legitimate user can still authenticate from trusted devices.
The entry point for an authentication request:
If an incoming request contains a device token:
Validate a device token, see the section.
If token validation fails, proceed to step 2.
If a device token is in a lockout list, reject authentication attempt
Authenticate a user, see the section.
If authentication from untrusted clients is locked out for the account, reject authentication attempt
Authenticate a user, see the section
Check user credentials.
If credentials are valid:
Proceed with authenticated user.
Otherwise:
Register failed authentication attempt.
Register a failed authentication attempt with at least the following information:
Account.
Time.
Device token (if present).
If a device token is presented:
Count the number of unsuccessful authentication attempts in K minutes for this specific device token.
If the number of unsuccessful attempts in K minutes is more than M, put the device token in a lockout list for N minutes.
Otherwise:
Count the number of unsuccessful authentication attempts in K minutes for this specific device token.
If the number of unsuccessful attempts in K minutes is more than M, lock out all authentication attempts to this specific account from untrusted clients for N minutes.
Issue a device token using one of the following strategies:
Set an expiration date for a device token:
Bind a device token with a specific user:
If one of the following checks fails the entire validation fails:
Validate that a device token is valid:
Validate that a device token has not expired:
Validate that a device token corresponds to an account in which the authentication is attempted:
Set expiration date ~ 6 months.
Bind a device token with a specific account.
Use a random token as a device token.
Use random tokens of length 16+ bytes.
Use a message signed with HMAC as a device token. The message must contain at least:
User ID or username.
Expiration date.
Nonce.
Generate a unique nonce for each token.
Use a JSON Web Token (JWT) as a device token. The payload must contain at least:
User ID or username.
Expiration date.
Nonce.
Generate a unique nonce for each token.
Issue a new device token to a user's client, see the section.
Reject authentication attempt
.
.
.
: add an expiration date to a database.
: add an expiration date to a message for signing.
: add an expiration date to a payload.
: connection with a user by user ID in a database.
: add a used ID to a message for signing.
: add a user ID to a payload.
: there is a record in a database with a device token value.
: the signature is valid.
: the signature is valid.
: check out a record in a database.
: check out a signed message.
: check out a payload.
: check out a record in a database.
: check out a signed message.
: check out a payload.
If a client is a browser, store a device token in the ultimate cookie, see the page.
Use a cryptographically strong generator to generate a device token, see the page.
Use cryptographically strong generators to generate a nonce, see the page.
Comply with the requirements from the page.
Use cryptographically strong generators to generate a nonce, see the page.
Comply with the requirements from the page.
