
On many banking and investment websites, the site prevents users from logging in from an unrecognized computer without first answering an additional question or activating that machine. How do developers typically create this feature?

For example, here is the message that Salesforce.com gives when I connect to my account from an unrecognized machine:

[Image: "Activation Required" message, computer not recognized]

We're trying to do the same type of thing from one of our applications, but aren't sure about the best (and most secure) approach.

Beep beep

6 Answers

3

There are many possible approaches to do this, but typically they're using some combination of the following:

  • IP range you're connecting from
  • your host name
  • presence of cookies on your computer left by the site after a successful authentication
  • user-agent string

If you have too many differences from one of your existing trusted connections, the machine is considered untrusted. Where the line is drawn for "too many" is a tradeoff between security and convenience.

John Feminella
2

There is no truly secure approach. You could do it based on IP address, but that is often dynamic; you could do it on cookies, but they're far from secure; you could do it on MAC address, but you'd need to use Java (IIRC) to access that, and that again can be spoofed...

There is no real way to check if the computer they're connecting from has ever connected before. You can probably find "hacks" to sort of do it, but it's never going to be secure.

sam
  • I realize that once a computer is connected to another machine, there is never a 100% secure approach to anything. I'm just looking for the *most* secure way =) – Beep beep Feb 07 '10 at 20:40
2

You can set up a cookie on the user's machine and later on check if that cookie exists and contains a proper value. If the cookie doesn't exist, then this computer is a new one; otherwise, this computer has been here before.

The cookie's value can be some random hash, with different attributes, for example IP address, user agent, etc...

rATRIJS
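The cookie-based check described in this answer, combined with the "too many differences" threshold from John Feminella's answer, as an added example that is not code from the original thread. It assumes a server-side secret (`SECRET`, a constructed placeholder here) and an in-memory dict standing in for the real device store; the cookie carries only a random token plus an HMAC tag, so nothing about the user or their attributes is exposed client-side and a token can be revoked by deleting its record.

```python
import hashlib
import hmac
import secrets

# Assumption: in production this key comes from configuration, not source code.
SECRET = b"constructed-demo-key-replace-in-production"


def _fingerprint(ip, user_agent):
    """Coarse attributes that are allowed to drift a little between visits.
    The IP is reduced to its first three octets so a DHCP change inside the
    same network does not count as a difference."""
    net = ".".join(ip.split(".")[:3])
    return {"net": net, "ua": user_agent}


def issue_device_cookie(user_id, ip, user_agent, store, secret=SECRET):
    """Called after a successful (full) login: mint an opaque random token,
    remember who it belongs to and what the connection looked like, and
    return the value to set in a long-lived, HttpOnly, Secure cookie."""
    token = secrets.token_urlsafe(32)
    store[token] = {"user": user_id, **_fingerprint(ip, user_agent)}
    tag = hmac.new(secret, token.encode(), hashlib.sha256).hexdigest()
    return f"{token}.{tag}"


def is_recognized(cookie, user_id, ip, user_agent, store,
                  max_diff=1, secret=SECRET):
    """True if the presented cookie is genuine, belongs to this user, and the
    current connection differs from the recorded one in at most `max_diff`
    attributes. False means: ask the extra question / activate the machine."""
    if not cookie or "." not in cookie:
        return False
    token, tag = cookie.rsplit(".", 1)
    expected = hmac.new(secret, token.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # forged or tampered cookie
        return False
    record = store.get(token)
    if record is None or record["user"] != user_id:  # revoked or wrong user
        return False
    current = _fingerprint(ip, user_agent)
    differences = sum(1 for key in current if current[key] != record[key])
    return differences <= max_diff


def revoke_device(cookie, store):
    """Server-side revocation: the cookie keeps verifying but no longer matches."""
    token = cookie.rsplit(".", 1)[0]
    store.pop(token, None)
```

Raising `max_diff` trades security for convenience in exactly the way the answers above describe; with the two attributes used here, `max_diff=1` tolerates a browser upgrade or a new network, but not both at once.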
2

The Electronic Frontier Foundation (EFF) has set up a demo web site showing how astoundingly easy it is to identify a browser even if cookies are disabled or you are connecting from a different IP/provider:

Panopticlick: How unique - and trackable - is your browser?

They use a combination of

  • User agent string
  • HTTP headers
  • Installed browser plug-ins
  • Time zone
  • Screen size and color resolution
  • System fonts
  • Cookie settings

However, the typical scenario (and probably the one used in your sample application) would be to store a cookie locally and identify the returning user via this cookie.

Dirk Vollmar
  • Cool site! Our application requires cookies (corporate HR package), so we're not too worried about cookieless identification. Also, I can't imagine any of that data would be useful for our purposes - it would be a pain if the user needed to re-authorize every time the user upgraded Firefox, changed screen size, etc. Wouldn't it? – Beep beep Feb 07 '10 at 20:56
2

The most secure approach is undoubtedly to issue client certificates, and have the server check the certs on connection (make sure and use a revocation list!). This has quite a lot of administrative overhead, but works.

Andrew McGregor
0

Most top sites use Flash cookies to track unique visitors. Flash cookies are similar to regular browser cookies yet are not cleared when a user switches browsers or clears the browser history.

Read that again: you can try to clear your history or switch browsers, or even use chrome's "incognito" mode, and Flash cookies will still remember who you are. They're tied to the Flash install rather than the browser.

Wired has an article about them here: http://www.wired.com/epicenter/2009/08/you-deleted-your-cookies-think-again/

Despite Wired's warning about flash cookies, they themselves use flash cookies to track visitors. Go figure.

Within Flash, they're called "SharedObjects." See more on how to use them here: How do I access cookies within Flash?

Ben Walther
  • I doubt a banking, finance, or similarly secured site would use a flash cookie though, right? – Beep beep Feb 08 '10 at 17:23
  • 1
    Bank of America's well-regarded SiteKey system depends on Flash Cookies (Shared Objects) in order to uniquely identify users. See their FAQ: http://www.bankofamerica.com/small_business/online_banking_and_services/index.cfm?template=faqs&statecheck=CA#sk_7 – Ben Walther Feb 09 '10 at 12:29