How to remember a trusted machine using two factor authentication (like Google's system)

I don't think that it is entirely possible with just JavaScript/PHP (or some other server side language) to uniquely imprint/identify a computer.

Remember, whatever you do, someone with malicious intent can just copy the Chrome/Firefox user data directory to a similar system (same OS, etc). Indeed, that's the easiest thing to do, since you don't have to hunt for the cookies. JavaScript can't read anything outside these directories, so they have just duplicated the system.

However, you can use Flash/JavaScript to fingerprint the browser. Unfortunately, the browser fingerprint can change if the user installs fonts/etc. Besides, your users will have to allow the Flash/JavaScript to run -- nowadays quite a few people are disabling JavaScript due to the recent 0-day exploit. You don't want to force your users to have to use these. Anyway, one can easily replicate a fingerprint by replicating the system (which takes time, but isn't too hard).

In the end, two factor auth is all about (a) having a password, and (b) having physical access to a device. If you are giving someone unsupervised access to your computer while logged in as you, part (b) is compromised anyway, in a different manner.
To answer your question, though:

  • You can put a unique GUID in a cookie
  • You can put another GUID in localStorage
  • You can associate part of the browser User-Agent request header with the account. For example, my User Agent is User-Agent:Mozilla/5.0 (X11; Linux i686) AppleWebKit/536.11 (KHTML, like Gecko) Ubuntu/12.04 Chromium/20.0.1132.47 Chrome/20.0.1132.47 Safari/536.11. From here, you can extract my browser name (which won't change), OS name and version (which will change occasionally), whether or not my computer is 32 bit, etc.
  • navigator.plugins -- This is an array of all the plugins installed on the browser. Maybe not a good idea for 2 factor authentication, though, since this changes often.

Note that all of these can be easily spoofed. It's just extra hoops for a would-be hacker to jump through.

Again, you can try using fingerprinting techniques that deal with reading the list of installed fonts, etc. Again, this can be circumvented, but it's much harder. You can also use JavaScript to store cookie-like files in random places on the computer (not sure if that's a good idea).

Edit: As Joel mentions in the comments, you should also have a way of revoking "trusted computers" (simply dissociate the GUID in your database). And this should apply when the password is changed as well.