3

Website multifactor authentication prompts will often include a "remember this computer" checkbox. How does this work?

In order to be secure, it needs to be more than just a cookie, as a cookie can be stolen and sent from any other machine. Presumably there is some kind of fingerprinting going on. I've seen there are fingerprinting libraries, so I can image a scheme where you issue a cookie that that suppresses MFA, and you encrypt the fingerprint into it. During login, the server decrypts the cookie and makes sure it matches the client's fingerprint.

However, I'm also reading that browsers are increasingly implementing anti-fingerprinting techniques. I don't get how that works. I mean, some of the Javascript APIs that are used to do the fingerprinting, such as those that provide screen size or chosen language, can't be normalized without breaking those APIs. Other fingerprinting techniques, such as rendering to a canvas to detect differences in GPUs, can't be avoided at all.

In any case, "remember this computer" is widely implemented, including from companies like Apple that are pretty aggressive about user privacy.

So how is this typically done? I'm trying to implement MFA, and I'd like to offer this to make users life easier, but only if it can be done securely.

Improve this question
6
  • The searching I did gives a few ideas. Commented May 3, 2024 at 15:47
  • 3
    "Remember this computer" is nearly always just cookies. At most possibly the cookie encodes the IP address used to connect. You can quite often test for yourself that it moves with the cookie. Commented May 3, 2024 at 15:55
  • This seems like a good question to me. I'll encourage those receiving this negatively to provide feedback. Commented May 3, 2024 at 16:24
  • At its core, this question appears to be about how something is implemented. I'm struggling to find an answer that wouldn't be related to explaining code, which is off-topic in this community. Commented May 3, 2024 at 18:20
  • 3
    I think one clue is that, in my experience, if you are in an anonymous/incognito mode browser and you select this option, it will not remember you after you restart the browser. Commented May 3, 2024 at 20:20

2 Answers 2

Reset to default
5

In order to be secure, it needs to be more than just a cookie, as a cookie can be stolen and sent from any other machine.

Sure, but assuming a https URL, only the user will be able to do this. This is a threat at the same level as the risk of a user telling their password to someone else.

Someone with physical access to the users computer might be able to steal the cookie, but if someone have physical access to a computer then all bets are off anyway - the could install a keylogger and steal all passwords for example.

Improve this answer
4

In order to be secure

It doesn't need to be. It is an invitation to trade some security for convenience.

If the device the user is on is untrusted, then they shouldn’t be clicking it, you should tell them not to.

If the device the user is on is compromised, the attacker doesn't need to exfiltrate a cookie, they can do whatever from the compromised device.

Improve this answer
1
  • <strikethrough>won't</strikethrough>shouldn't be clicking it. Don't forget to explain this to them. Commented May 3, 2024 at 17:58

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.