Cyber Security

Device Authorisation: Secure Access

TL;DR

This guide shows you how to securely let a new device access a user’s resources (like files, photos, or accounts). We’ll use a combination of one-time codes and verification steps to make sure only the right devices get in.

Steps for Device Authorisation

  1. User Initiates Authorisation: The user starts the process on their trusted device (phone, laptop). This usually involves logging into their account.
  2. Generate a One-Time Code: Your system creates a unique code specifically for this authorisation attempt.
    • This code should be time-limited (e.g., valid for 5 minutes).
    • The code needs to be random and hard to guess.
    # Example Python code (secrets is in the standard library; never use random for this)
    import secrets
    code = secrets.token_hex(4)  # 8 hex characters from a cryptographically secure source
    print(code)
  3. Display the Code: Show the one-time code to the user on their trusted device.
    • Clearly instruct them *not* to share this code with anyone.
    • Provide a way for the user to copy the code (e.g., a ‘copy’ button).
  4. Device Enters Code: The new device prompts the user to enter the one-time code.
    • The device should have a clear input field for the code.
    • Provide helpful error messages if the code is incorrect or expired.
  5. Verify the Code: When the device submits the code, your system checks it.
    • Confirm the code matches the one generated for that user.
    • Check the code hasn’t expired.
    • Ensure this code hasn’t already been used (prevent reuse).
    # Example verification logic (pseudocode)
    if code_matches and not code_expired and not code_used:
      authorise_device()
    else:
      display_error("Invalid or expired code.")
  6. Device Fingerprinting (Optional but Recommended): After successful code verification, collect information about the device to create a ‘fingerprint’.
    • This could include the operating system version, browser type, and unique device identifiers.
    • Store this fingerprint securely.
    • Future logins from that device can be automatically authorised based on this fingerprint (with user consent).
  7. Confirmation & Access Granted: If the code is valid and the fingerprint is created successfully, confirm to the user that the device is now authorised.
    • Grant access to the requested resources.
    • Provide a way for the user to revoke access later (e.g., in their account settings).
  8. Security Considerations:
    • Rate Limiting: Limit the number of code generation attempts per user to prevent brute-force attacks.
    • Secure Communication (HTTPS): Always use HTTPS to protect the one-time code during transmission.
    • Code Storage: Store codes securely and delete them promptly after use or expiration.
    • Two-Factor Authentication (2FA): Consider integrating this process with existing 2FA methods for added security.
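The steps above, carried through as one working module. This is an added example, not code from the original guide: it keeps everything in memory (a real deployment would back the pending-code and device tables with a database), stores only a hash of each code, compares with a constant-time check, and treats a code as single use by deleting it the moment it succeeds. The thresholds (five minutes, five guesses per code, three codes per user per five-minute window) are assumptions chosen for illustration, and the per-code guess limit goes slightly beyond the guide's generation-only rate limit. The `clock` parameter exists so expiry can be exercised without waiting.

```python
"""Device authorisation with single-use, time-limited codes (added example, not the guide's code)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

CODE_TTL_SECONDS = 300        # step 2: code valid for 5 minutes
MAX_VERIFY_ATTEMPTS = 5       # assumed: guesses allowed per code before it is discarded
GENERATION_WINDOW = 300       # step 8 rate limiting: window in seconds (assumed value)
MAX_CODES_PER_WINDOW = 3      # step 8 rate limiting: codes per user per window (assumed value)


@dataclass
class PendingCode:
    code_hash: bytes          # step 8 code storage: only a hash is kept, never the plain code
    expires_at: float
    attempts: int = 0


def hash_code(code: str) -> bytes:
    return hashlib.sha256(code.encode("utf-8")).digest()


def fingerprint_id(attrs: dict) -> str:
    """Step 6: reduce device attributes (OS, browser, device id) to a stable, opaque identifier."""
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class DeviceAuthoriser:
    def __init__(self, clock=time.time):
        self._clock = clock                               # injectable so expiry can be tested
        self._pending = {}    # user_id -> PendingCode (one live code per user)
        self._issued = {}     # user_id -> list of generation timestamps (for rate limiting)
        self._devices = {}    # user_id -> {device_id: authorised_at}

    def generate_code(self, user_id: str) -> Optional[str]:
        """Steps 2-3: mint a random single-use code, or None if the user is rate limited."""
        now = self._clock()
        recent = [t for t in self._issued.get(user_id, []) if now - t < GENERATION_WINDOW]
        if len(recent) >= MAX_CODES_PER_WINDOW:
            return None
        self._issued[user_id] = recent + [now]
        code = secrets.token_hex(4)                       # 8 hex characters, 32 bits of entropy
        # A new code replaces any earlier one, so a stale code can never be replayed later.
        self._pending[user_id] = PendingCode(hash_code(code), now + CODE_TTL_SECONDS)
        return code

    def verify_code(self, user_id: str, submitted: str, device_attrs: dict):
        """Steps 5-7: check match, expiry and single use; on success record the device."""
        pending = self._pending.get(user_id)
        if pending is None:
            return False, "No authorisation in progress."   # also the answer for a used code
        if self._clock() >= pending.expires_at:
            del self._pending[user_id]                      # step 8: delete promptly on expiry
            return False, "Code expired."
        pending.attempts += 1
        if pending.attempts > MAX_VERIFY_ATTEMPTS:
            del self._pending[user_id]
            return False, "Too many attempts; request a new code."
        if not hmac.compare_digest(pending.code_hash, hash_code(submitted)):
            return False, "Invalid code."
        del self._pending[user_id]                          # single use: gone once it succeeds
        device_id = fingerprint_id(device_attrs)
        self._devices.setdefault(user_id, {})[device_id] = self._clock()
        return True, device_id

    def is_authorised(self, user_id: str, device_attrs: dict) -> bool:
        """Step 6: a previously fingerprinted device may skip the code on later logins."""
        return fingerprint_id(device_attrs) in self._devices.get(user_id, {})

    def revoke(self, user_id: str, device_id: str) -> bool:
        """Step 7: user-initiated revocation, e.g. from account settings."""
        return self._devices.get(user_id, {}).pop(device_id, None) is not None


if __name__ == "__main__":
    auth = DeviceAuthoriser()
    code = auth.generate_code("alice")                    # shown on the trusted device (step 3)
    # Constructed sample fingerprint for the new device (step 6).
    laptop = {"os": "Ubuntu 22.04", "browser": "Firefox 120", "id": "constructed-device-id"}
    print(auth.verify_code("alice", code, laptop))        # (True, '<device_id>')
    print(auth.verify_code("alice", code, laptop))        # second use is refused
```

The error strings are deliberately coarse on the new device's side: the guide asks for helpful messages, but distinguishing "wrong code" from "expired" is all a legitimate user needs, and the server never reveals how many characters matched.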