
I am trying to solve the classical approach to how a user's login pass token is stored in web browsers. By default, anyone who can access the browser's developer console can obtain the content of password fields by looking at the HTML content of the input element or by using JavaScript.

Because of this, if by mistake someone comes across your login password, he/she can use it on any browser to access your data from the server.

To solve this problem, I am researching a way in which, on an attempt to log in, the server will generate a unique pair ID from the client's unique ID and let the client store this server-generated ID as the user's login pass for this client only, such that if the server-generated ID is used in an attempt to log in from another browser, the server will compare the associated browser ID to the accessing unique ID before permitting access.

Consequently, a server-generated login can only be valid on the client that generated the ID; the real password is never stored on the client, but only used on the first attempt to log in on a client that does not have a valid server ID. The user will have the opportunity to invalidate all the server-generated passes.

For this to work, I need a unique token from the browser such that if 10 instances of the same browser are installed on the computer within a time span of less than 1 second, the IDs of these browsers will never be the same.

My question is, can such a unique ID be obtained from the browser? Any suggestion on how to go about this is also appreciated.

Ndifreke
  • It's not entirely clear to me what problem you are trying to solve or what your view is on the classical approach on how login tokens are stored on the browser. But your password should never be stored/present on the client side in the first place with the exception of when the user types it. What are you trying to solve? If you want a secure "Remember me", then take a look at [this question](https://stackoverflow.com/questions/244882/what-is-the-best-way-to-implement-remember-me-for-a-website). – Ivar May 11 '19 at 15:35
  • You might look into [WebAuthn](https://developers.google.com/web/updates/2018/05/webauthn) with a Security Key. – Josh Lee May 12 '19 at 18:52

1 Answer


In general, you can't uniquely identify a browser installation in the way you describe. This is, in part, to protect users' privacy from tracking across the web.

Your ultimate goal (preventing an attacker from authenticating if they discover the user's password), however, can be satisfied with a one-time-password system, like TOTP.

In a system like this, when an account is set up for one-time passwords, the user and service share a secret. Later, when the user logs in, they are prompted for a one-time password, which they generate using special software, which is isolated from the client, and ideally on another device. For example, the user might use the Google Authenticator app on a smartphone to generate a code that they enter on their desktop browser.

Even if the attacker captures the user's conventional password with a key logger, they can't authenticate themselves because they don't have access to the shared secret necessary to compute the one-time password.

Universal 2nd Factor authentication is another approach to thwart key loggers based on some parallel concepts. (That is, it also uses a one-time code, generated with a secret that is securely stored rather than being exposed on the client.)

erickson