
I have been looking around for a while using google, and haven't been able to find an answer to this question.

I am trying to set up a site that has the user set up security questions and answers for their account upon registration (this part I can manage without issue). What I can't figure out how to do is have the site recognize the user's computer when they go to log in, so they don't have to answer the questions each time they log in.

I can't do it via IP address as some providers will change the public IP of a user every so often (my provider changes my public IP every hour, it seems).

Is there a way to do it via MAC address or some unique identifier for their specific machine or device? That way, if "Joe" creates an account but his roommate "Bob" tries to get into his account from a different computer or device in the same house/apartment, it will ask the questions to "Bob" but not to "Joe", since it recognizes his device(s).

Hoping I am making what I am trying to do clear.

  • Upon login, you create a random key, which you then store in the user's cookies. Once the user checks back to your site, you can look up the key and verify the user is authenticated. Commented Oct 22, 2017 at 14:15
  • Normally you need to store an authorization cookie in the user's browser upon successful authentication and then check if this cookie is available. Make sure that the cookie is marked as "http only". Commented Oct 22, 2017 at 14:15
  • So, to make sure I am understanding this correctly: create a cookie marked "http only" upon registration / successful registration, and put a generated random key in that cookie for the server to check for when logging in to authenticate the user, correct? Commented Oct 22, 2017 at 14:18
  • Use sessions: php.net/manual/en/intro.session.php Commented Oct 22, 2017 at 14:37
  • I know it took you a lot of effort, and you saw security questions in many "major" sites, but it's a really bad and annoying security policy. Commented Oct 22, 2017 at 16:43

1 Answer


I am trying to set up a site that has the user setup security questions and answers for their account upon registration (This part I can manage without issue).

This is a bad design, and leads to situations like the time Governor Sarah Palin's email was hacked via password reset questions.

Is there a way to do it via MAC Address or some unique identifier for their specific machine or device.

No, your local MAC address isn't transmitted to remote servers. Any other such hardware identifier is easily spoofed.

What I can't figure out how to do is have the site recognize the user's computer when they go to log in so they don't have to answer the questions each time they log in.

In that case, what you want is a slight variant of long-term authentication cookies that serves to partially authenticate the user so they don't need to go through extra security measures.

Normally the design I linked to is for "remember me on this computer" checkboxes that cause websites to automatically log users in even when they close their browser. However, you can repurpose it to solve this sort of problem.

However, I strongly advise against bothering with security questions. Have you considered two-factor authentication (FIDO U2F or TOTP; never SMS) as your extra security layer instead of easily-defeated security questions?
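To make the "partially authenticating device cookie" idea from this answer concrete, here is an added illustrative example (my own code, not from the answer or any library). It assumes a hypothetical in-memory dict standing in for the site's database. The cookie carries a random selector plus a random validator; only a hash of the validator is stored, so a leaked table does not yield usable cookies, and the cookie only decides whether the extra step is skipped after the password check has already passed. So "Joe" is recognised on his own browser while "Bob" on another device is still challenged.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for a database table: selector -> record.
DEVICE_TOKENS = {}
TOKEN_LIFETIME = 30 * 24 * 3600  # seconds a trusted-device cookie stays valid


def issue_device_token(user_id, now=None):
    """Create a trusted-device record after a fully verified login.

    Returns the cookie value 'selector:validator'. Only the validator's
    hash is persisted; the plaintext validator lives only in the cookie.
    """
    selector = secrets.token_urlsafe(12)
    validator = secrets.token_urlsafe(32)
    issued = time.time() if now is None else now
    DEVICE_TOKENS[selector] = {
        "user_id": user_id,
        "validator_hash": hashlib.sha256(validator.encode()).hexdigest(),
        "expires": issued + TOKEN_LIFETIME,
    }
    return f"{selector}:{validator}"


def cookie_header(token):
    """Set-Cookie line: HttpOnly keeps scripts out, Secure keeps it off HTTP."""
    return (f"Set-Cookie: trusted_device={token}; Max-Age={TOKEN_LIFETIME}; "
            "Path=/; Secure; HttpOnly; SameSite=Lax")


def device_is_trusted(user_id, cookie_value, now=None):
    """True only if the cookie belongs to this user, is unexpired and matches."""
    if not cookie_value or ":" not in cookie_value:
        return False
    selector, validator = cookie_value.split(":", 1)
    rec = DEVICE_TOKENS.get(selector)          # lookup by selector, not secret
    current = time.time() if now is None else now
    if rec is None or rec["user_id"] != user_id or rec["expires"] < current:
        return False
    digest = hashlib.sha256(validator.encode()).hexdigest()
    if not hmac.compare_digest(digest, rec["validator_hash"]):
        del DEVICE_TOKENS[selector]            # known selector, wrong secret: revoke
        return False
    return True


def extra_verification_required(user_id, password_ok, cookie_value):
    """The password check always runs; the cookie only waives the extra step."""
    if not password_ok:
        return True
    return not device_is_trusted(user_id, cookie_value)
```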
