How to restrict one user account to only two devices - node.js

These days I am working on a web SAAS product in which I want that user who will subscribe to my service can use their account from only two devices. So how can I restrict the user account to two devices only?
Can I use MAC address for it? Like if I ask for two MAC addresses at the time of registration and check the current MAC address at the time of login or is there any more secure way of it?
If I will ask for my users MAC addresses then will it be secure for their privacy?
I’m using nodeJS for backend and angular for frontend.

You should do it based on currently active sessions for a user. so that even if user login from two different browsers from same device, after that he couldn't login from third browser. But if you want it to be device based, first you should take acceptance from user to pickup information like their MAC address to avoid infringement of privacy. plus this is totally backend driven.

Related

How to detect a returning user to Google Assistant on Android in Dialogflow fulfillments?

I have a running website, where users already have accounts. And I am trying to create a Google Assistant agent, accessible on Android, to help users access their information.
My issue is that I can't detect returning users on Android Smartphones, each time they have to sign in.
I tried Anonymous User Identity, but it is soon to be deprecated.
Is there an other way to keep track of users?Using some kind of userId that I can store, so I can make "my own Acount Linking" linking the person/Smartphone with already existing user accounts.
There are a few angles to your question.
Is there any way to keep track of users?
Yes... but...
You can store a userId that you generate in the user storage area. You do need to treat this like you would a cookie, so some jurisdictions might impose restrictions on this, but this is one approach to moving from the anonymous ID that is being turned off soon.
But...
How do I let them log into my service through the Action?
That is the problem. The General Policies states the following limitation for collecting user data:
Authentication Data
(including passwords, PINs, and answers to security questions)
Don't collect authentication data via the conversational interface (text or speech).
After a user's account has been linked, PINs or passwords may be used as part of a second verification process.
So you need to use Account Linking to connect to the existing account on your service.
How can I do Account Linking if I don't require Google Sign-In?
You can still use Google Sign-In for Assistant if it will (or may) provide the information as part of the profile that match what you have. So it doesn't need to use the same account - just have the same email (for example).
But that still may not be enough.
For other cases, you can look into setting things up to work with an OAuth server that you control.
So why use Google Sign-In if I setup an OAuth server that uses Google Sign-In?
Google Sign-In is good for a more streamlined flow, if you can use it. It can be done completely with voice, such as with a smart speaker, instead of requiring the user to go to a phone to complete the login. So if you have the user's email address in your account system, and you also get this from Google Sign In, then you can connect the two accounts.
In some cases, such as if the user is expected to have logged into the account on your website first, they won't even need to do that. If both the voice client and web client use the same Google project, then authentication will take place automatically.

"Remember me" feature based on ip address

I'm new to user authentication and related digital security issues, so I would like to know if the way I'm doing things is ok. Currently the way my server "remembers" users is based solely on the IP address they have logged in from. If they check the remember me option, I store that IP in the database and from then on, every time that machine enters the website, I check if that IP is associated with one of my users. If so, I log them in.
What is good or bad on that approach?

fallback for limitting web application access to certain ip addresses

We develop a web application.
There is a user login and a user area for the customers of a certain company.
And there is an agent/office login and area for some employees of the company who manage user account handling and so on.
The office agent has to login with his username and password.
But additionally, for security reasons, we will limit the agent/office login and area for specific IP addresses (as seen in other applications).
But we would like to have a "fallback" for certain situations where, for example, a web developer of the application needs access to the office area and has not one of the special IP addresses.
Until now we had not many ideas.
We thought of providing access when there is a very special user-agent string with a hash value.
Has anybody implemented such security mechanisms and can inform me about it?
Thanks alot in advance

Login to Google Apps by clicking a link (so I can switch between accounts)

I'm using Google Apps for Business.
Currently I have two separate domains.
abc.com and xyz.com
Customer enquiries flow into each website separately. However, the staff who respond to enquiries are responsible for both websites.
For convenience,I have embedded each enquiry group inside my intranet.
I have two tabs, one for support#abc.com and another for support #xyz.com
However, only one group is viewable at a time, depending on whether my staff are logged in as staff#abc.com or staff#xyz.com
Ideally, I would like to change the current login session depending on which tab is clicked.
Basically, I want to be able to login to Google Apps without entering user/pass.
Is this possible?
Its not possible unless you save the password in the browser.
Really easy if you create two separate chrome users and log into chrome in both.
Voila.
So yes, this is not possible. I have solved the issue by creating a third domain and routing all enquiries through there. This way our staff members only need to be logged into a single account. Not what I was hoping for, but it certainly does the job.

Authentication system unique users on web application

I'm looking for information about authentication but I'm very newbie so I don't know any system.
My requeriments are: An user only can authenticate from one computer/mobile device/tablet.
I'm thinking about a monitoring system of MAC address and when the user connect using other device I can see this like an alert.
What other methods are there? Certificates?.
Repeat, I'm very newbie with this.
PD: My app has been development with framework Symfony2
So first of all MAC address is a network local address, which means that after it goes trough router/switch the MAC address changes, so you cannot relay on this. Even if you wanted to lookup interface MAC addres with your client software MAC's can be changed.
Secondly Certificates give you certain properties like nonrepudiation (you can calculate digital signatures on operations that users do and then the could not deny doing something in your application). But Public Key Infrastructure is really hard to manage! You would need your Certificate Authority to give valid certificates, You would need to monitor and update Certificate Revocation Lists to deny stolen/invalid/forged certificates from being treated as valid and authentic.
If it is not a security centric application and after you analyzed your options I would suggest simple form authentication (username/password/captcha). And write mechanizm that would periodicly (i.e. every second) send an AJAX request refreshing user status, thus you could recognize if user closed browser or has opened window. And in your authentication process you could check for other ACTIVE sessions for given username and deny login or act in some other fashion. If you need more informations about authentication I would recomend looking through security patterns

Resources