Device-specific tokens for authentication

摘要

A user who is authenticated to a system or service across a network can receive a token that includes a device fingerprint. The fingerprint can include information that is obtained from the client device through which the user supplied authentication credentials. The client device can be configured to include that token with subsequent requests. When a request is received, the information in the fingerprint can be extracted from the token and compared to information obtained from the device submitting that request. If the information matches within at least an allowable match threshold, for example, the request can be processed. If the information in the fingerprint does not match the current values of the device from which the request was received, the request can be denied or a remedial action performed.

主权项

1. A computer-implemented method to authenticate client requests, comprising: receiving a first request from a first client device, the first request associated with a first token including a fingerprint; obtaining current device-specific information about the first client device, the current device-specific information comprising at least one current value of properties of the first client device, wherein the amount of device-specific information obtained will be greater when the first client device has not been associated with a user account; comparing a first portion of the current device-specific information to a corresponding second portion of previous device-specific information contained in the fingerprint included with the first token, the previous device-specific information comprising at least one previous value of properties of the first client device, and the fingerprint including information indicating an order in which the second portion of the previous device-specific information is stored in the fingerprint; determining that the order corresponds to a particular order and that the at least one current value included in the first portion matches the corresponding at least one previous value included in the second portion within an allowable match threshold; and causing the first request to be processed.