On many banking and investment websites, the site prevents users from logging in from an unrecognized computer without first answering an additional question or activating that machine. How do developers typically create this feature?
For example, here is the message that Salesforce.com gives when I connect to my account from an unrecognized machine:
We're trying to do the same type of thing from one of our applications, but aren't sure about the best (and most secure) approach.
There are many possible approaches to this, but typically they use some combination of the following:
If you have too many differences from one of your existing trusted connections, the machine is considered untrusted. Where the line is drawn for "too many" is a tradeoff between security and convenience.
There is no truly secure approach: you could do it based on IP address, but that is often dynamic; you could do it on cookies, but they're far from secure; you could do it on MAC address, but you'd need to use Java (IIRC) to access that, and that again can be spoofed...
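The two answers above describe the usual building blocks: count how many attributes of the connecting browser differ from a previously trusted profile (with a threshold that trades security for convenience), and remember an "activated" machine with a cookie, which on its own is weak. The block below is an added example, not code from the question or any answer, showing how these pieces are typically combined on the server side: the cookie holds only an opaque device id plus an HMAC so tampering is detectable, the device id must match a record the server stored when the user passed the extra challenge, and the stored fingerprint is re-compared on every login so a stolen cookie presented from a very different browser still triggers the challenge. The key, field names, fingerprints and the `max_diff` threshold are all constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo key; in practice load a long random secret from your key store.
SERVER_KEY = b"constructed-demo-key-do-not-use"

# Fingerprint attributes compared between the current request and stored profiles.
# These are assumed field names; a real site would choose its own set.
FINGERPRINT_FIELDS = ("user_agent", "accept_language", "timezone", "screen", "platform")

# Server-side registry: user_id -> {device_id: fingerprint dict}. The cookie is
# only a pointer into this table; nothing in the cookie is trusted on its own.
registry = {}


def fingerprint_diff(a, b):
    """Number of fingerprint fields that differ between two profiles."""
    return sum(1 for f in FINGERPRINT_FIELDS if a.get(f) != b.get(f))


def _sign(user_id, device_id):
    msg = f"{user_id}:{device_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def register_device(user_id, fingerprint):
    """Call after the user passed the extra question / activation step.
    Returns the cookie value to set on that machine."""
    device_id = secrets.token_hex(16)  # random, no ':' so the token splits cleanly
    registry.setdefault(user_id, {})[device_id] = dict(fingerprint)
    return f"{user_id}:{device_id}:{_sign(user_id, device_id)}"


def parse_device_token(token, user_id):
    """Return the device_id if the cookie is well formed, signed by us, and
    belongs to this user; otherwise None. Uses a constant-time compare."""
    if not token:
        return None
    parts = token.split(":")
    if len(parts) != 3:
        return None
    uid, device_id, sig = parts
    if uid != user_id:
        return None
    if not hmac.compare_digest(sig, _sign(uid, device_id)):
        return None
    if device_id not in registry.get(user_id, {}):
        return None
    return device_id


def classify_login(user_id, cookie_token, fingerprint, max_diff=1):
    """Decide whether this login comes from a recognised machine.
    'trusted'   -> valid device cookie and fingerprint close to the stored one
    'challenge' -> anything else (no/invalid cookie, or the browser changed too much)
    max_diff is the 'how many differences are too many' tradeoff."""
    device_id = parse_device_token(cookie_token, user_id)
    if device_id is None:
        return "challenge"
    stored = registry[user_id][device_id]
    if fingerprint_diff(stored, fingerprint) > max_diff:
        return "challenge"
    return "trusted"


if __name__ == "__main__":
    # Constructed sample flow: first login from a new machine, activation, then
    # a return visit with a minor browser update and a visit with a stolen cookie.
    fp = {"user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0",
          "accept_language": "en-US,en;q=0.5", "timezone": "-300",
          "screen": "1920x1080", "platform": "Linux x86_64"}
    print(classify_login("user42", None, fp))          # challenge
    cookie = register_device("user42", fp)
    fp2 = dict(fp, user_agent="Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0")
    print(classify_login("user42", cookie, fp2))       # trusted
    far = dict(fp, user_agent="Mozilla/5.0 (Windows NT 10.0) Chrome/120.0",
               platform="Win32", screen="1366x768")
    print(classify_login("user42", cookie, far))       # challenge
```

A tampered or forged cookie fails the HMAC check and a cookie copied from another user fails the user binding, so an attacker cannot mint "trusted" status by editing the cookie; what the scheme still cannot do, as the answers note, is prove that the physical machine is the same one, which is why the fingerprint comparison and the challenge fallback remain in the loop.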
There is no real way to check if the computer they're connecting from has ever connected before. You can probably find "hacks" to sort of do it, but it's never going to be secure.