Advice on handling a single valid device session across multiple devices

0 votes
Asked by user: (120 points)

We have the following requirements for our mobile application:

  1. A user can have up to 3 registered devices that are whitelisted to use the application
  2. However, user can only use one of the 3 devices at any one time (no concurrent usage)
  3. User needs to authenticate for the first time using user ID + PIN
  4. For the second time onwards, user can choose to authenticate using UserID/PIN or with Touch ID (on iOS)

Our application design to fulfil the requirements is as follows:

  1. We use OAuth tokens to carry the user's session on any device
  2. When the user successfully authenticates himself, we will issue the device with a new OAuth token pair (access token and refresh token)
  3. If the user chooses to use Touch ID to authenticate, the app will fetch the refresh token from secure mobile storage and send it to the OAuth server to generate a new access token

So far, this has been working for most of our test scenarios but we have hit on the following issue:

  1. Every time the user logs in using PIN, a new OAuth token pair is generated (including the refresh token).
  2. This happens regardless of whether the user has an existing refresh token or not
  3. If the user has a single device, there is no impact and logging in using either PIN or Touch ID works without a hitch.
  4. However, if the user has multiple devices, it will mean that logging in on Device B would generate a new OAuth token pair which overrides the existing refresh token that the user may have on Device A.
  5. This means that the user can no longer use Touch ID on Device A as the device's refresh token is no longer valid.

The solutions that I can think of right now are:

  1. Share the same refresh token between multiple devices - is there any security concern with this?
  2. Associate each OAuth token pair with a device instead of user ID; on top of that each time a user is logged in and an access token is generated, we need to find a way to invalidate all other access tokens associated with that user

Would greatly appreciate any pointers that anybody can give in terms of proper practice for this requirement.
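The following is an added example, not code from the original post or from the poster's application. It models the poster's option 2 in plain Python: the refresh token is bound to a (user, device) pair rather than to the user, and the "no concurrent usage" rule is enforced on the access token only, so a login or Touch ID refresh on device B revokes device A's access token but leaves device A's refresh token intact. `PerUserStore` reproduces the reported breakage (one refresh token per user, overwritten on every PIN login) so the two behaviours can be compared side by side. Token values, the `MAX_DEVICES` limit, the access token lifetime and the in-memory store are all assumptions made for the example; a real OAuth server would keep this state in its token database and expose it through introspection.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Assumptions for this example (not from the original post):
MAX_DEVICES = 3        # requirement 1: at most 3 whitelisted devices per user
ACCESS_TTL = 300       # access token lifetime in seconds


def _h(token: str) -> str:
    """Store only a hash of each token so a leaked token table is not directly usable."""
    return hashlib.sha256(token.encode()).hexdigest()


class PerUserStore:
    """Reproduces the reported problem: a single refresh token per user ID."""

    def __init__(self) -> None:
        self.refresh_by_user: Dict[str, str] = {}

    def login(self, user: str):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        # Every PIN login overwrites the stored refresh token, so any other
        # device's refresh token (used for Touch ID) silently stops working.
        self.refresh_by_user[user] = _h(refresh)
        return access, refresh

    def refresh(self, user: str, refresh: str) -> Optional[str]:
        if hmac.compare_digest(self.refresh_by_user.get(user, ""), _h(refresh)):
            return secrets.token_urlsafe(32)
        return None


@dataclass
class DeviceSession:
    refresh_hash: str                      # long-lived, one per registered device
    access_hash: Optional[str] = None      # only the active device holds one
    access_exp: float = 0.0


class PerDeviceStore:
    """Option 2: token pair bound to (user, device_id); one active access token per user."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Dict[str, DeviceSession]] = {}

    def login(self, user: str, device_id: str):
        """PIN login: (re)register the device and make it the active one."""
        devs = self.sessions.setdefault(user, {})
        if device_id not in devs and len(devs) >= MAX_DEVICES:
            raise PermissionError("device limit reached; revoke a device first")
        refresh = secrets.token_urlsafe(32)
        devs[device_id] = DeviceSession(refresh_hash=_h(refresh))
        return self._activate(user, device_id), refresh

    def refresh(self, user: str, device_id: str, refresh: str) -> Optional[str]:
        """Touch ID path: exchange this device's own refresh token for a new access token."""
        sess = self.sessions.get(user, {}).get(device_id)
        if sess is None or not hmac.compare_digest(sess.refresh_hash, _h(refresh)):
            return None
        return self._activate(user, device_id)

    def _activate(self, user: str, device_id: str) -> str:
        # Requirement 2 (no concurrent usage): revoke every other device's access
        # token, but leave their refresh tokens alone so Touch ID keeps working there.
        access = secrets.token_urlsafe(32)
        for dev, sess in self.sessions[user].items():
            if dev == device_id:
                sess.access_hash, sess.access_exp = _h(access), time.time() + ACCESS_TTL
            else:
                sess.access_hash, sess.access_exp = None, 0.0
        return access

    def is_valid_access(self, user: str, device_id: str, access: str) -> bool:
        """What the resource server (or an introspection endpoint) would check per request."""
        sess = self.sessions.get(user, {}).get(device_id)
        return (sess is not None and sess.access_hash is not None
                and time.time() < sess.access_exp
                and hmac.compare_digest(sess.access_hash, _h(access)))

    def revoke_device(self, user: str, device_id: str) -> None:
        """Remove a whitelisted device (lost phone, user-initiated); its refresh token dies with it."""
        self.sessions.get(user, {}).pop(device_id, None)
```

Two caveats for a real deployment. The per-request check above assumes opaque access tokens that the resource server validates against server-side state (or via token introspection); with self-contained JWTs the revocation on `_activate` would need a short expiry plus a denylist, since the signature alone would still verify. The example also does not rotate refresh tokens on use or detect replay of an old one; if the poster adopts per-device refresh tokens, refresh-token rotation with reuse detection per device fits naturally on top of this structure.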
