request for IP address & device fingerprint for session security #55

Open · 4 tasks
kant01ne opened this issue Oct 7, 2020 · 2 comments
Labels: discussions, enhancement (New feature or request)

Comments

kant01ne (Contributor) commented Oct 7, 2020

Summary

The idea is to detect IP address changes, combined with device fingerprint to detect session theft.

(Edited version based on feedback)

  • IP change detection: Revoke the access token. This forces reuse of the refresh token, which can then be used to detect token theft. This also prevents logouts due to false positives.

  • Device fingerprint change => Revoke access token

Questions to solve:

  • What is considered as a reliable device fingerprint?
    • On web
    • On mobile
  • How do we compute/encode it?
• This would be done from the front end, so it is possible for an attacker to reverse engineer it, but it adds an additional layer of complexity to a session theft attack.
  • The above would only work if the access token has blacklisting turned on. How should we deal with the case when blacklisting is off?
@kant01ne kant01ne added enhancement New feature or request discussions labels Oct 7, 2020
rishabhpoddar (Contributor) commented

If the IP has changed, even within the same city, we will only revoke the access token. This forces reuse of the refresh token, which can then be used to detect token theft. This also prevents logouts due to false positives.

If the device fingerprint has changed, then we will revoke the entire session.


Discussion

  • The above would only work if the access token has blacklisting turned on. How should we deal with the case when blacklisting is off?

kant01ne (Contributor, author) commented Oct 9, 2020

Blacklisting on:

  • IP change: Access Token revoked
  • Device Fingerprint change: Access Token revoked
    Forces reuse of the refresh token, which will detect token theft.

Blacklisting off:

  • IP change:
    • New country: Revoke refresh token (email?)
    • New city: Email to let user decide if the refresh token should be revoked.
  • Device Fingerprint change: Revoke refresh token (email?)
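The two policy matrices in the thread (blacklisting on: any IP or fingerprint change revokes only the access token and pushes the client onto the refresh path, where reuse of a rotated refresh token exposes theft; blacklisting off: a new country or a new device kills the refresh token, a new city only emails the user) as working code. This is an added example written for this page, not SuperTokens code, and it follows the Oct 9 matrix; the earlier variant that revokes the whole session on a fingerprint change is a one-line change in `verify_access`. Everything not stated in the thread is assumed here: access tokens are HMAC-signed JSON claims carrying the bound IP and fingerprint, refresh tokens are opaque and rotated on every use, `GEO` is a constructed stand-in for a GeoIP lookup, and the `/revoke/...` link in the email text is hypothetical.

```python
"""Session-theft heuristics from the thread: bind a session to the IP address
and device fingerprint it was created with, and react to a change differently
depending on whether access-token blacklisting is on or off.
Added example, not SuperTokens code. Assumed: HMAC-signed JSON access tokens,
rotating opaque refresh tokens, and GEO as a constructed GeoIP stand-in."""
import base64, hashlib, hmac, json, secrets
from dataclasses import dataclass, field

SERVER_KEY = b"demo-only-signing-key"
GEO = {"203.0.113.10": ("FR", "Paris"), "203.0.113.99": ("FR", "Lyon"),
       "198.51.100.7": ("US", "Boston")}          # constructed, documentation ranges

def _h(token):
    return hashlib.sha256(token.encode()).hexdigest()

def _geo(ip):
    return GEO.get(ip, ("??", "unknown"))          # unknown IP counts as a new country

@dataclass
class Session:
    user_id: str
    ip: str
    fingerprint: str
    refresh_hash: str = ""                          # hash of the live refresh token
    used_refresh: set = field(default_factory=set)  # hashes already rotated out
    refresh_revoked: bool = False                   # refresh dead, access token lives on
    revoked: bool = False                           # whole session dead

class SessionStore:
    def __init__(self, blacklisting):
        self.blacklisting = blacklisting
        self.sessions = {}      # session id -> Session
        self.blacklist = set()  # hashes of revoked access tokens (blacklisting on only)
        self.emails = []        # the notifications the thread proposes, collected here

    def _sign(self, claims):
        body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
        return body + "." + hmac.new(SERVER_KEY, body.encode(), "sha256").hexdigest()

    def _open(self, token):
        body, _, sig = token.partition(".")
        if not hmac.compare_digest(sig, hmac.new(SERVER_KEY, body.encode(), "sha256").hexdigest()):
            return None
        return json.loads(base64.urlsafe_b64decode(body))

    def _issue(self, sid):
        """New access/refresh pair bound to the session's current IP and fingerprint."""
        s = self.sessions[sid]
        refresh = secrets.token_urlsafe(32)
        s.refresh_hash = _h(refresh)
        claims = {"sid": sid, "ip": s.ip, "fp": s.fingerprint, "n": secrets.token_hex(4)}
        return self._sign(claims), refresh

    def create(self, user_id, ip, fingerprint):
        sid = secrets.token_hex(8)
        self.sessions[sid] = Session(user_id, ip, fingerprint)
        return (sid,) + self._issue(sid)

    def verify_access(self, token, ip, fingerprint):
        """'ok': serve; 'refresh': access token revoked, use the refresh token; 'invalid': reject."""
        claims = self._open(token)
        if claims is None:
            return "invalid"
        s = self.sessions[claims["sid"]]
        if self.blacklisting and s.revoked:
            return "invalid"
        if self.blacklisting and _h(token) in self.blacklist:
            return "refresh"
        ip_changed, fp_changed = ip != claims["ip"], fingerprint != claims["fp"]
        if not (ip_changed or fp_changed):
            return "ok"
        if self.blacklisting:
            # Revoke only the access token: the forced refresh is where theft is detectable,
            # and a false positive costs one refresh round-trip instead of a logout.
            self.blacklist.add(_h(token))
            return "refresh"
        # Blacklisting off: the signed token stays valid until it expires, so act on the
        # refresh token instead, scaled by how far the IP moved.
        if fp_changed or _geo(ip)[0] != _geo(claims["ip"])[0]:
            s.refresh_revoked = True
            self.emails.append(f"{s.user_id}: refresh token revoked, "
                               f"{'new device' if fp_changed else 'new country'} seen from {ip}")
        else:
            self.emails.append(f"{s.user_id}: new city {_geo(ip)[1]}, revoke? /revoke/{claims['sid']}")
        return "ok"

    def refresh(self, refresh, ip, fingerprint):
        """Rotate the refresh token. A token that was already rotated out being presented
        again means two parties hold it, i.e. theft: the whole session is revoked."""
        h = _h(refresh)
        for sid, s in self.sessions.items():
            if h in s.used_refresh:
                s.revoked = True
                return None
            if h == s.refresh_hash and not (s.revoked or s.refresh_revoked):
                s.used_refresh.add(h)
                s.ip, s.fingerprint = ip, fingerprint   # rebind to the context that refreshed
                return self._issue(sid)
        return None
```

The theft detection only works because `refresh` rotates the token and remembers the hashes it has retired: whichever of the victim or the thief refreshes second presents a retired token, and at that point the server knows two parties hold the same credential and can drop the session. With blacklisting off, `verify_access` has no way to stop an already-issued access token, which is why that branch only ever touches the refresh token and the email queue.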
