What's the most reliable way to detect if the user is logging in from a different device than usual?

I suspect we're all familiar with how Facebook, Google and the like detect if you're using a different device than usual. I was wondering what the most reliable way to do this is?

I'm talking about the old 'It looks like you're signing in from a different device', and then when you confirm etc, it usually sends you an email and asks whether you want to trust this device or not.

Obviously one could just set a cookie, one that maybe gets checked and logged each visit, but what about when the user signs out? Do we keep the cookie?

Is there any other reliable method to 'trust' a 'device' other than setting cookies? Or is this the best/most reliable way to do it?

Harry Mustoe-Playfair asked Nov 05 '15 18:11


1 Answer

The most reliable way to detect a device change is to create a fingerprint of the browser/device the browser is running on. This is a complex topic to get 100% right, and there are commercial offerings that are pretty darn good but not flawless. I worked at one of those companies several years ago.

There is now at least one open source fingerprinting project Client JS. I have not used it, but it seems to cover the bases.

Just setting a cookie is not very reliable because on average users clear cookies about every 30-45 days unless you use a network that attempts to re-set the cookie (paid services). Even those are not flawless.

Just using the IP address is useless. Some devices legitimately have many IPs in a short period of time (laptop at home, work and Starbucks or most any mobile device), while sometimes a single IP is shared by a large number of users (all the folks at Starbucks or behind a corporate proxy server).

UPDATE

Thoughts on your similar hash code.

It is a complex topic to get right. I had a small team for a few years. We got pretty darn good, but you can never be 100% accurate even when people are not intentionally trying to trick you.

  • If the CPU changes, it's probably a different device.
  • The same physical device can have many user agents. Each browser on the device has a different user agent, and the privacy modes of browsers have different user agents with far less entropy.
  • Fonts don't change very quickly for a given physical device, though they're not a great source of entropy on mobile devices (few fonts installed, and typically all the same ones for a given type of device).
  • OS is generally stable, until it suddenly changes. Does it matter in your case if every device appears to be a new device when it updates to Windows 10?
  • Color depth will be pretty stable. If the user installs a new graphics card, this may change. Does that matter in your case?

If you can accept thinking some devices are new when in fact they are the same and vice-versa, this type of similarity hash may work for you. Note that you can never use this type of fingerprint to uniquely identify a device for a purpose that requires positive identification such as access to secure data. It's great for making probabilistic decisions such as serving an appropriate ad.

Eric J. answered Nov 13 '22 16:11
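The answer describes comparing fingerprint components with different tolerance for each (CPU change means a new device, user agent changes on the same device, fonts and color depth are fairly stable). The following is an added example of such a component-wise "similarity hash", not code from the question, the answer, or the Client JS project. The component names, the weights, the two thresholds, the use of 32-bit FNV-1a as a stand-in hash, and all sample values are assumptions constructed for illustration. Hashing each component separately (rather than the whole fingerprint) is what makes a similarity score possible at all; a single opaque hash can only say "identical" or "different". In line with the answer, the verdict here is only used to decide whether to prompt for a "trust this device?" confirmation, never to grant access by itself.

```javascript
// Added example, not code from the original question or answer. FNV-1a is a
// non-cryptographic stand-in chosen for brevity; the component names,
// weights, thresholds and sample data below are illustrative assumptions.

// Assumed weights: how much a matching component says about "same device".
const WEIGHTS = {
  cpu: 3,        // a CPU change almost always means a different device
  os: 2,         // stable until the next major upgrade
  colorDepth: 1, // stable; may change with a new graphics card
  fonts: 2,      // slow to change on desktops, low entropy on mobile
  userAgent: 1,  // one device has many UAs (other browsers, private mode)
};

// Assumed thresholds; tune against the misclassification rate you accept.
const SAME_DEVICE = 0.85;
const PROBABLY_SAME = 0.6;

// 32-bit FNV-1a of a string as 8 hex characters (deterministic, fast).
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// Turn raw collected values into the record that is stored server-side.
// Fonts are hashed one by one so set similarity still works on the hashes.
function hashComponents(raw) {
  return {
    cpu: fnv1a(String(raw.cpu)),
    os: fnv1a(String(raw.os)),
    colorDepth: fnv1a(String(raw.colorDepth)),
    userAgent: fnv1a(String(raw.userAgent)),
    fonts: [...new Set(raw.fonts)].map(fnv1a).sort(),
  };
}

// Jaccard similarity of two arrays treated as sets, in [0, 1].
function jaccard(a, b) {
  const sa = new Set(a);
  const sb = new Set(b);
  if (sa.size === 0 && sb.size === 0) return 1;
  let inter = 0;
  for (const x of sa) if (sb.has(x)) inter++;
  return inter / (sa.size + sb.size - inter);
}

// Weighted fraction of components that match, in [0, 1].
function similarity(stored, fresh) {
  let total = 0;
  let matched = 0;
  for (const [name, w] of Object.entries(WEIGHTS)) {
    total += w;
    if (name === 'fonts') matched += w * jaccard(stored.fonts, fresh.fonts);
    else if (stored[name] === fresh[name]) matched += w;
  }
  return matched / total;
}

// Verdict for a login attempt: a changed CPU overrides the score entirely.
function classify(stored, fresh) {
  if (stored.cpu !== fresh.cpu) return 'new-device';
  const s = similarity(stored, fresh);
  if (s >= SAME_DEVICE) return 'same-device';
  if (s >= PROBABLY_SAME) return 'probably-same-device';
  return 'new-device';
}

// Constructed sample collections (not real telemetry).
const ENROLLED_RAW = {
  cpu: 'x86_64/8', os: 'Windows 8.1', colorDepth: 24,
  userAgent: 'Mozilla/5.0 (Windows NT 6.3) Chrome/46.0',
  fonts: ['Arial', 'Calibri', 'Cambria', 'Consolas', 'Segoe UI', 'Verdana'],
};
// Same laptop, another browser in private mode: only the UA changes.
const PRIVATE_WINDOW_RAW = {
  ...ENROLLED_RAW, userAgent: 'Mozilla/5.0 (Windows NT 6.3) Firefox/42.0',
};
// Same laptop after the Windows 10 upgrade: OS and UA change, one font added.
const UPGRADED_RAW = {
  ...ENROLLED_RAW, os: 'Windows 10',
  userAgent: 'Mozilla/5.0 (Windows NT 10.0) Chrome/46.0',
  fonts: [...ENROLLED_RAW.fonts, 'Segoe UI Emoji'],
};
// A phone: different CPU, so it is a new device whatever else matches.
const PHONE_RAW = {
  cpu: 'arm64/2', os: 'iOS 9.1', colorDepth: 32,
  userAgent: 'Mozilla/5.0 (iPhone; CPU iPhone OS 9_1) Safari/601.1',
  fonts: ['Helvetica', 'Helvetica Neue', 'Courier'],
};

// Run the three scenarios against the enrolled record.
function verdicts() {
  const enrolled = hashComponents(ENROLLED_RAW);
  return {
    privateWindow: classify(enrolled, hashComponents(PRIVATE_WINDOW_RAW)),
    upgraded: classify(enrolled, hashComponents(UPGRADED_RAW)),
    phone: classify(enrolled, hashComponents(PHONE_RAW)),
  };
}

console.log(verdicts());
```

With these assumed weights, the private-window login scores 8/9 and is treated as the same device, the Windows 10 upgrade drops the score to about 0.63 and only gets "probably the same" (the case the answer asks you to decide on), and the phone is rejected on the CPU rule alone. The thresholds are where the trade-off the answer describes lives: lowering them reduces spurious "new device" emails and raises the chance that a genuinely different device is waved through, so they should be set from your own false-positive data, and the verdict should only ever gate an extra confirmation step.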