Question

I'm currently creating a mobile app and have the following issue. I am required to only allow the user to log in from a device that is registered to the user's account. A user can have up to X number of devices registered at any one time.

So when the user registers and first signs in, I would need to register the device. Then on each request to the backend webapi, the webapi would need to verify the request came from the registered device.

How would you identify the device? Would you generate some kind of secret locally on the device and share it with the webapi?

Any ideas on how to architect this?

I'm planning to use .NET Core with Identity Framework for the backend and either Xamarin or Flutter for the front end.


Solution

The question "Is there a unique Android ID" gives a good overview of the options to get a unique ID for Android. "Best practices for Unique Identifiers" recommends using Instance ID for most use cases. See identifierForVendor for iOS products. Once you have an ID, hash it and send the hash to the webapi over a secure connection. This does not protect against rooted devices.

Handling rooted devices would require a hardware-backed keystore, where you generate a private/public keypair with the private key stored in a separate chip that cannot be read, even by the OS. Here the webapi should generate some random data and send it to the device, where it is encrypted by the private key and sent back. Use the public key for decryption and check that the data is the same.
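The challenge-response the answer sketches, as an added example that is not part of the original answer: a Go model of both sides, written here because all of the crypto it needs is in Go's standard library (the asker's backend is .NET Core, so this is not that project's code). It goes a little beyond the answer's two sentences: it enforces the per-user limit X from the question, makes each challenge single-use so that a captured response cannot be replayed, and rejects a device that knows the registered device ID but not its key. The answer's "encrypt with the private key, decrypt with the public key" is carried out as an ECDSA signature over the challenge and its verification, which is the operation hardware keystores actually expose. The names (Server, RegisterDevice, NewChallenge, VerifyResponse, NewDeviceKey, SignChallenge), the user "alice", the device IDs and the limit of 3 are all assumptions; the key pair is generated in memory, so nothing below shows the hardware backing the answer relies on.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// MaxDevicesPerUser is the "X" from the question; 3 is an assumed value.
const MaxDevicesPerUser = 3

func must[T any](v T, err error) T { // RNG or key-generation failure is fatal here
	if err != nil {
		panic(err)
	}
	return v
}

// Server: registered device public keys per user, plus issued challenges (in-memory maps stand in for a database; assumption).
type Server struct {
	devices    map[string]map[string]*ecdsa.PublicKey // userID -> deviceID -> key
	challenges map[string]bool                        // nonce -> not yet used
}

func NewServer() *Server {
	return &Server{map[string]map[string]*ecdsa.PublicKey{}, map[string]bool{}}
}

// RegisterDevice runs once at first sign-in, after the user has authenticated by other means; only the public key reaches the server.
func (s *Server) RegisterDevice(userID, deviceID string, pub *ecdsa.PublicKey) error {
	if s.devices[userID] == nil {
		s.devices[userID] = map[string]*ecdsa.PublicKey{}
	}
	devs := s.devices[userID]
	if _, known := devs[deviceID]; !known && len(devs) >= MaxDevicesPerUser {
		return errors.New("device limit reached for this user")
	}
	devs[deviceID] = pub
	return nil
}

// NewChallenge issues the random data the answer describes, fresh for every request.
func (s *Server) NewChallenge() []byte {
	nonce := make([]byte, 32)
	must(rand.Read(nonce))
	s.challenges[string(nonce)] = true
	return nonce
}

// VerifyResponse accepts a request only if the challenge is still outstanding and the signature verifies
// under a key registered to this user. The challenge is consumed first, so a captured response cannot be replayed.
func (s *Server) VerifyResponse(userID, deviceID string, nonce, sig []byte) error {
	if !s.challenges[string(nonce)] {
		return errors.New("unknown or already used challenge")
	}
	delete(s.challenges, string(nonce))
	pub, ok := s.devices[userID][deviceID]
	if !ok {
		return errors.New("device is not registered to this user")
	}
	digest := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match the registered device key")
	}
	return nil
}

// NewDeviceKey stands in for the phone generating its key pair. In production that happens inside the Android
// Keystore or iOS Secure Enclave; here it is a plain in-memory key (assumption) and nothing attests where it lives.
func NewDeviceKey() *ecdsa.PrivateKey {
	return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
}

// SignChallenge is the device-side step the answer calls encrypting the random data with the private key: an ECDSA signature over its hash.
func SignChallenge(key *ecdsa.PrivateKey, nonce []byte) []byte {
	digest := sha256.Sum256(nonce)
	return must(ecdsa.SignASN1(rand.Reader, key, digest[:]))
}

// RunScenario tries a genuine request, a replay of it, an imposter that knows the device ID but not the key, and registrations past the limit.
func RunScenario() (genuineAccepted, replayRejected, imposterRejected, limitEnforced bool) {
	srv, phone := NewServer(), NewDeviceKey()
	registered := srv.RegisterDevice("alice", "phone-1", &phone.PublicKey) == nil
	nonce := srv.NewChallenge()
	sig := SignChallenge(phone, nonce)
	genuineAccepted = registered && srv.VerifyResponse("alice", "phone-1", nonce, sig) == nil
	replayRejected = srv.VerifyResponse("alice", "phone-1", nonce, sig) != nil
	imposter := NewDeviceKey() // claims to be phone-1 but holds a different key pair
	nonce = srv.NewChallenge()
	imposterRejected = srv.VerifyResponse("alice", "phone-1", nonce, SignChallenge(imposter, nonce)) != nil
	for i := 2; i <= MaxDevicesPerUser+1; i++ { // the last iteration is one device too many
		limitEnforced = srv.RegisterDevice("alice", fmt.Sprint("phone-", i), &NewDeviceKey().PublicKey) != nil
	}
	return
}
```

RunScenario returns four booleans, all true when the server behaves as intended. The check above only proves possession of the registered private key; a rooted device could generate that key in software and pass it, so the registration step in production should additionally verify the platform's key attestation before trusting that the key really lives in hardware.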

Licensed under: CC-BY-SA with attribution