Rails: detect if a user is logged in from multiple devices - ruby-on-rails

I use Devise, and I want to detect if a user logs in from another device. (I don't want to restrict the second session, so the Devise security extension won't work.)
So the question is: how to detect if a user is logged in from multiple devices at the same time.

You could detect the device with fingerprintjs2. When the user logs in, store the fingerprint in the session and query the session store to see whether the user is on a new device or not.
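One way to implement the approach in that answer, as an added example that is not code from the original post: a small tracker that records the fingerprint each live session was opened with and reports, at sign-in time, whether the same user already has sessions from other devices. It assumes the fingerprint is the fingerprintjs2 value the client submits with the sign-in form, and uses a plain Hash in place of the Rails session store (a Redis-backed store in a real deployment); the `ActiveDeviceTracker` class and its method names are invented for this illustration.

```ruby
require 'securerandom'

# Added example (not code from the original answer). Tracks which device
# fingerprints a user currently has live sessions from, so that a sign-in from a
# device the user is not already using can be reported without blocking it.
# Assumptions: `fingerprint` is the fingerprintjs2 value the client submits with
# the sign-in form, and the Hash below stands in for the Rails session store
# (e.g. a Redis-backed store) that a real app would query.
class ActiveDeviceTracker
  Session = Struct.new(:session_id, :user_id, :fingerprint, :last_seen_at)

  # ttl_seconds: sessions idle longer than this are treated as gone.
  # clock: injectable time source (a Proc returning seconds) to make tests deterministic.
  def initialize(ttl_seconds: 24 * 3600, clock: -> { Time.now.to_f })
    @ttl = ttl_seconds
    @clock = clock
    @sessions = {} # session_id => Session; stand-in for the session store
  end

  # Call this when Devise signs the user in (e.g. from a Warden after_set_user
  # callback). Returns the new session id plus the fingerprints of any *other*
  # devices the same user is concurrently signed in from.
  def sign_in(user_id, fingerprint)
    others = active_for(user_id)
               .map(&:fingerprint)
               .reject { |fp| fp == fingerprint }
               .uniq
    sid = SecureRandom.hex(16)
    @sessions[sid] = Session.new(sid, user_id, fingerprint, @clock.call)
    { session_id: sid, other_devices: others }
  end

  # Refresh the idle timer on every request (a before_action would do this).
  # Returns false if the session is unknown or has already expired.
  def touch(session_id)
    prune_expired!
    s = @sessions[session_id]
    return false unless s
    s.last_seen_at = @clock.call
    true
  end

  # Returns true if a live session was removed.
  def sign_out(session_id)
    !@sessions.delete(session_id).nil?
  end

  # Live sessions for a user, least recently seen first.
  def active_for(user_id)
    prune_expired!
    @sessions.values.select { |s| s.user_id == user_id }.sort_by(&:last_seen_at)
  end

  # Distinct devices the user is signed in from right now.
  def devices_for(user_id)
    active_for(user_id).map(&:fingerprint).uniq
  end

  # True when the user has live sessions from more than one device.
  def multi_device?(user_id)
    devices_for(user_id).size > 1
  end

  private

  # Drop sessions whose idle time exceeds the TTL so stale logins don't count.
  def prune_expired!
    now = @clock.call
    @sessions.delete_if { |_, s| now - s.last_seen_at > @ttl }
  end
end
```

In a Devise app the `sign_in` call would sit in a `Warden::Manager.after_set_user` hook and `touch` in a `before_action`, with the store being the same one the Devise session lives in. Two things to keep in mind: the fingerprint is computed on the client, so it is a heuristic for telling devices apart and not an authentication signal, and the idle TTL is what keeps a forgotten tab from being reported as a concurrent device forever.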

Related

Can I ask user to re-authenticate Apple ID login

I would like to create a kiosk-mode with limited functionality for my app, which would require a user password to be entered to unlock the kiosk-mode and get back to poweruser-mode. In doing so, I would prefer to not create my own password system, but I would rather prefer to have the user authenticate using their existing Apple-ID. They will already be logged into their Apple-ID, but is there a way for me to request they log in again?
Maybe I'm just being lazy.
There is no way to make users log into their Apple ID again on demand. If needed, Apple will authenticate users as needed, but for us as app developers this is a closed system.
You can look at LocalAuthentication for example like banks do where user would have to authenticate with their passcode or biometric data to access some features of the app...

Prevent the use of a TouchID-registered fingerprint of an unauthorized person in my application

If I have a corporate app that we want to use TouchID for but need to prevent unauthorized access in the scenario where staff have a registered fingerprint of another member of their family on their device, what could be done?
What you want isn't supported. The LAContext feature that lets your app ask iOS to authorize a user based on fingerprint (or Face ID on an iPhone X) only tells you whether the user successfully provided a valid fingerprint for the device. That's it. There is no way to know who the user is, or even whether there are multiple users.
If a user has access to the device (fingerprint or passcode), then the user will have access to the app if the app's only security is to use LAContext.

Force log out if multiple sign-in's

How do I configure Devise so that, if a user signs in from another device (not Devise!) and has failed to log out from that other device, the user is asked whether the OTHER login should be forcibly logged out?
I assume Devise can detect that a new session is about to be created. Is my assumption correct?
Basically, I need only a single user signed in to be using my application at any one time. Is this possible to do? That is, if I have two valid users x1#xyz.com and x2#abc.com, the two users can both be signed in at the same time but x1#xyz.com and x2#abc.com can each be only signed in once.
You can use this gem: https://github.com/phatworx/devise_security_extension
specifically the :session_limitable module

parse.com What's your authentication strategy on existing user accounts?

Context
I am using Parse.com as my backend for a mobile app. I use Facebook login only for now.
Assuming the user has logged in with Facebook and now has an account created on Parse already.
Question
Every time the user opens the app, should I do a check if his account is still valid by using PFUser.currentUser().become()? Or should I use the cached PFUser.currentUser()?
I have found out that if I delete the user account in the Parse backend, if I don't do a become(), the PFUser.currentUser() is still valid, even if the account does not exist anymore.
What is the best practice?
It's generally better to add a column to the user such as 'disabled', and when the app starts you can refresh the user, check that flag and display a message to the user and logout. That, from a user point of view, is similar to using become (at least as long as you check and notify the user).
So, you should do something if you're going to be removing or disabling users in the background. The main question is whether you fully delete the account or just delete the contents but leave the (empty) user in the system as a record.

How to Map 3rd party app credentials with the iOS touch ID in iOS8?

I am developing an enterprise application with user authentication that is validated on the server side whenever the user tries to log in through a web service.
I have got a requirement to use iOS Touch ID for authentication, as Apple released the API for 3rd party apps from iOS 8.
I was able to find tutorials on how to use Touch ID for local authentication, but I am not able to understand how to map my user credentials to Touch ID.
The exact requirement is that the user should be able to log in to the application with the fingerprint scanner, i.e. using Touch ID, but the backend validation should also happen.
How do I map the user credentials to the Touch ID fingerprint? Is it possible? If YES, where should the mapping be stored, locally or on the server side?
Could anyone please help me to understand/implement the same.
Thanks in advance.
Working with TouchID is very easy. For your case, there are two ways to authenticate the user:
Assumption: when the user logs in, we store a secret token on the application end which helps us to validate the user.
Using TouchID (iOS 8):
Using Touch ID, we will get a success callback from the LAContext user authentication methods if the user's fingerprints are valid. After that we can acknowledge the server directly if required; there is no need to validate the user on the server, as they have already validated themselves using fingerprint scanning.
We must handle an authentication fallback mechanism for scenarios like "failed to detect fingerprints"; in that case we need to authenticate the user using a custom PIN or the device passcode.
Custom PIN/Device Passcode (iOS 9):
We can use either a custom PIN or the device passcode to authenticate the user.
If we authenticate the user with a custom PIN, then we need to store the user's authentication PIN on the server and authenticate the user every time the application is accessed from the background.
If we authenticate the user using the device passcode (iOS 9), when the user enters the correct PIN we will get a success call in the LAContext user authentication method. After that we can acknowledge the server or directly give the user access to the application.
