I have a webapp, which I’m trying to ensure a single user is only logged in from one device.
Possible Authentication Implementations are:
- Cookies
- API Keys
- JWT (Java Web Tokens)
- Single Sign On:
- Auth0
- Okta
Issue is that, once a user has logged in. They can copy these Cookies, API Keys, JWTs or log in with any of those SSO providers on another device and we wouldn’t know that its a different device.
We can try and monitor the IP Address but multiple devices on the same network (behind a router, in an office for example) will be shared amongst these devices.
Location data will give the same issue, and we also cannot force a device to provide Geo Location Data to use, also its not apart of our use case for usage of our WebApp.
But I would like to limit user authentication to be only for one unique device per login process. so that they cannot login onto another device.
Any suggestions, implementations or Articles that you know of?
Thanks.