Wednesday, 2 September 2015

How to reliably detect if a user is connecting to a site with a new device?

I have a requirement that an email (or SMS) verification be obtained whenever a registered user logs into a site using a new device/browser, similar to what Salesforce is doing.

The goal is to reduce the chance of a user account being misused by someone, but at the same time it should not become a nuisance to the users.

What are the reliable mechanisms to detect if a request is coming from a new device?

One way would be to use the IP address, but that would cause issues when someone's internet connection gets a dynamic IP, and with mobile devices, which will get new IPs as they move to new places. It has the advantage that all browsers on that device (FF/Chrome/IE) are authorized with a single confirmation.

The other way is to use a persistent cookie (without sliding expiration); the downside is that the confirmation will have to be repeated for different browsers. (Not a huge issue though, as it's an unlikely scenario.)

Third option is some kind of hybrid solution of the above two.

My question is, are there accepted mechanisms to do this? What are the reliable ways to detect if someone is using a new device to connect to the site (doesn't have to be bullet-proof though)? Any other advice?
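The persistent-cookie approach the question describes, as an added example that is not part of the original post: the server issues an HMAC-signed device cookie only after the user has confirmed the email/SMS code, so the cookie itself is the proof of a verified device, and the client's IP network is recorded as a signal rather than used as a gate (which sidesteps the dynamic-IP problem the question raises). The key, the 90-day TTL, the in-memory registry and the function names are assumptions for illustration, not anything from the question or from Salesforce.

```python
import hashlib
import hmac
import json
import secrets
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode
from ipaddress import ip_network
from typing import Optional, Tuple

# Constructed placeholder; a real deployment loads this from a secret store and rotates it.
SERVER_KEY = b"example-only-device-cookie-key"
COOKIE_TTL = 90 * 24 * 3600  # assumed policy: re-verify a device at least every 90 days

# In-memory device registry (user -> device_id -> record); stands in for a database table.
REGISTRY = {}


def _sign(payload: bytes) -> str:
    """Cookie value = base64(payload) '.' base64(HMAC-SHA256(payload))."""
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return urlsafe_b64encode(payload).decode() + "." + urlsafe_b64encode(mac).decode()


def parse_device_cookie(cookie: Optional[str]) -> Optional[dict]:
    """Return the cookie's payload if the HMAC verifies; None if absent, malformed or forged."""
    if not cookie or "." not in cookie:
        return None
    try:
        p, m = cookie.split(".", 1)
        payload, mac = urlsafe_b64decode(p), urlsafe_b64decode(m)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(payload)


def _network(ip: str) -> str:
    """Coarse network key (/24 or /48) so a dynamic IP within one ISP block is not a 'change'."""
    return str(ip_network(ip + ("/48" if ":" in ip else "/24"), strict=False))


def login(user: str, cookie: Optional[str], ip: str, now: Optional[float] = None) -> Tuple[str, str]:
    """Decide whether a login comes from a device this user already verified.

    Returns ("ok", device_id) when the cookie is validly signed, belongs to this user,
    is unexpired and names a confirmed device; otherwise ("verify", pending_id), meaning
    the caller must send the email/SMS code and later call confirm_device(pending_id).
    """
    now = time.time() if now is None else now
    devices = REGISTRY.setdefault(user, {})
    data = parse_device_cookie(cookie)
    if data and data.get("user") == user and now - data.get("issued", 0) < COOKIE_TTL:
        rec = devices.get(data.get("device"))
        if rec and rec["verified"]:
            # IP is a signal, not a gate: a new network on a known device is only recorded.
            rec["networks"].add(_network(ip))
            rec["last_seen"] = now
            return ("ok", data["device"])
    # Unknown, expired, foreign or tampered cookie: start a new pending device registration.
    pending = secrets.token_urlsafe(16)
    devices[pending] = {"verified": False, "networks": {_network(ip)}, "created": now, "last_seen": now}
    return ("verify", pending)


def confirm_device(user: str, device_id: str, now: Optional[float] = None) -> str:
    """Call after the user proved possession of the emailed/SMSed code.

    Marks the device verified and returns the cookie value to set (the web framework
    should add HttpOnly, Secure and SameSite attributes, and no sliding expiration).
    """
    now = time.time() if now is None else now
    rec = REGISTRY[user][device_id]
    rec["verified"] = True
    payload = json.dumps({"user": user, "device": device_id, "issued": int(now)},
                         separators=(",", ":")).encode()
    return _sign(payload)
```

Because the cookie carries the user name inside the signed payload, a cookie copied from one account cannot vouch for another, and because it is only issued from confirm_device, a client cannot self-register a device. Pending records that are never confirmed should be expired by a periodic job; that housekeeping is left out here.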
