We have the following requirements for our mobile application:
- User can have up to 3 registered devices that is whitelisted to use the application
- However, user can only use one of the 3 devices at any one time (no concurrent usage)
- User needs to authenticate for the first time using user ID + PIN
- For the second time onwards, user can choose to authenticate using UserID/PIN or with Touch ID (on iOS)
Our application design to fulfill the requirements is as following:
- We use OAuth tokens to carry the user's session on any device
- When the user successfully authenticates himself, we will issue the device with a new OAuth token pair (access token and refresh token)
- If the user chooses to use the Touch ID to authenticate, the app will fetch the refresh token from secure mobile storage and sends it to the OAuth server to generate a new access token
So far, this has been working for most of our test scenarios but we have hit on the following issue:
- Every time the user logs in using PIN, a new OAuth token pair is generated (including the refresh token).
- This happens regardless of whether the user has an existing refresh token or not
- If the user has a single device, there is no impact and logging in using either PIN or Touch ID works without a hitch.
- However, if the user has multiple devices, it will mean that logging in on Device B would generate a new OAuth token pair which overrides the existing refresh token that the user may have on Device A.
- This means that the user can no longer use Touch ID on Device A as the device's refresh token is no longer valid.
Solutions that I can think of right now is:
- Share the same refresh token between multiple devices - is there any security concern with this?
- Associate each OAuth token pair with a device instead of user ID; on top of that each time a user is logged in and an access token is generated, we need to find a way to invalidate all other access tokens associated with that user
Would greatly appreciate any pointers that anybody can give in terms of proper practice for this requirement.