Device codes — Simplifying multi-device authentication

Teri Baines
4 min read · Mar 9, 2021

What is a Device code? (activation/sign-in code)

Hey all so for those who don’t know what I mean when I talk about a device code, it’s as the pic below shows… you’re setting up Netflix for the first time on your brand new 97 inch tv (show-off), now comes the time to log in. We know you’ve got a strong password or passphrase because you’ve got cyber-security on the brain, but hot-dayum is that a b*tch to type into a screen using a remote control and an alphabetic keyboard.

Screenshot of Netflix’s device code screen

The Gods at Netflix allow you to use any browser, go to the URL and type in the activation code — et voila, that device is now signed in to your account. It also means no more typing out your email or remembering that very complex password you created.

Not just for Netflix though…

So we can all agree that having to sign into a new device can be painful, especially when we’ve never used the OS of that device before, so let’s take that into some other environments — video rooms/screens, conference phones, wallboards, dashboards, shared meeting room screens etc… That’s right, let’s make all those painful meeting setups go away, no more having to get into the room 10 minutes early to set everything up! Imagine it with me ok…

  1. Walk to the pre-booked meeting room
  2. Glare at current occupants through tiny door window to let them know that they need to vacate on the hour
  3. Turn on the device, hit sign-in via device code
  4. Go to the URL on your phone or laptop and type in that device code
  5. Drop the mic 🎤

Cool, but like, how?… AKA — Implementation

As these use cases are primarily for shared devices, you’re going to need to make sure the user knows which device they’re authenticating and for how long, and you’re going to need to allow them to easily sign out of the device, here are a few ways…

  1. Allow temporary or permanent access duration authorisation — when the user enters the device code, before they confirm, they will need to select whether they want the session to be permanent or temporary (i.e until the meeting ends/end of the hour or day/in 35 minutes etc)
  2. Device management — Users can see the sessions that they are currently signed into

Something you might want to consider is OAuth2, specifically its device authorization grant, which standardises exactly this flow.

Other Security Concerns

I’m a Security Product Manager — you’re not getting off that easy, please consider the following risks to device codes (and how you can mitigate them — I am a solutions person after all)

  1. Brute force — The shorter your device code, the easier it will be to brute force, but the longer it is, the more user error you’re going to get. I recommend an 8-character code with a hyphen in the middle to make it easier on the eyes, e.g. L0V3-T4C0. In addition to this, set a limit on how many attempts can be made: 9 should be more than enough, 3 at a minimum.
  2. Phishing — First there’s the man-in-the-middle attack where the user goes to the wrong URL, gets asked to sign in and then, well… it’s not good. We also have phishing that tries to get other devices authenticated, where the user may end up authenticating the wrong device. Recommendations for this are to keep the authentication within an application and/or make the URL really simple; on top of this, make it incredibly clear which device they are authenticating — give the OS, location, name, whatever possible.
  3. Leaving devices logged in — This is kinda covered above, but it’s very important you make it easy for the user to log out and to know what devices are currently signed in to their account
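Both lists above (the implementation ideas and the risks) describe the same small service from different angles, so here is a single worked model that covers them together: the shared device asks for a code, the user previews which device the code belongs to and picks a temporary or permanent session, failed code entries are capped per approver, and the user can list and sign out of sessions. This is an added example written for this post, not the post’s own code and not any vendor’s implementation. The 32-symbol alphabet (which drops 0/O and 1/I, unlike the post’s L0V3-T4C0), the 10-minute code lifetime and the in-memory storage are assumptions made for the example.

```python
"""Model of a device-code sign-in service: issue a code, let a signed-in user
approve it with a temporary or permanent duration, list and revoke sessions.
Constructed example written for this post; not the post's or any vendor's code."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Assumed alphabet: 32 symbols, with 0/O and 1/I dropped so a code shown on a
# TV is not misread. 8 symbols gives 32**8 (about 1.1 trillion) possible codes.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CODE_TTL = 10 * 60        # seconds a displayed code stays valid (assumption)
MAX_ATTEMPTS = 9          # the post's upper bound on failed code entries
TEMP_DURATION = 35 * 60   # the post's "in 35 minutes" temporary session


def keyspace(length: int = 8) -> int:
    """Number of distinct codes of the given length over ALPHABET."""
    return len(ALPHABET) ** length


def guess_odds(attempts: int, length: int = 8) -> float:
    """Probability that `attempts` random guesses hit one specific live code."""
    return attempts / keyspace(length)


@dataclass
class Pending:
    device: dict                  # os / location / name shown before approval
    created: float
    token: Optional[str] = None   # set once approved; collected by the device


@dataclass
class Session:
    device: dict
    expires: Optional[float]      # None means the user chose a permanent session
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class DeviceCodeService:
    def __init__(self, clock=time.time):
        self.clock = clock                       # injectable for testing
        self.pending: dict[str, Pending] = {}
        self.failed: dict[str, int] = {}         # approver_id -> failed entries
        self.sessions: dict[str, dict[str, Session]] = {}   # user -> id -> session

    # --- shared device side (the TV / room system) -------------------------
    def issue_code(self, device: dict) -> str:
        """Called by the shared device; returns the code it should display."""
        raw = "".join(secrets.choice(ALPHABET) for _ in range(8))
        code = f"{raw[:4]}-{raw[4:]}"            # hyphen purely for readability
        self.pending[code] = Pending(device=device, created=self.clock())
        return code

    def device_poll(self, code: str) -> Optional[str]:
        """Device polls until a user approves; the code is single-use."""
        entry = self.pending.get(code)
        if entry is None or entry.token is None:
            return None
        del self.pending[code]
        return entry.token

    # --- browser / phone side (already signed in as `user`) ----------------
    @staticmethod
    def _normalise(typed: str) -> str:
        raw = typed.upper().replace("-", "").replace(" ", "")
        return f"{raw[:4]}-{raw[4:]}"

    def preview(self, approver_id: str, typed: str) -> dict:
        """Resolve a typed code to its device, counting failures per approver
        so repeated wrong entries lock that approver out after MAX_ATTEMPTS."""
        if self.failed.get(approver_id, 0) >= MAX_ATTEMPTS:
            raise PermissionError("too many failed attempts")
        entry = self.pending.get(self._normalise(typed))
        if entry is None or entry.token or self.clock() - entry.created > CODE_TTL:
            self.failed[approver_id] = self.failed.get(approver_id, 0) + 1
            raise LookupError("unknown, used or expired code")
        return dict(entry.device)   # show OS, location, name before confirming

    def approve(self, user: str, approver_id: str, typed: str,
                permanent: bool = False, duration: int = TEMP_DURATION) -> str:
        """User confirms the previewed device and picks a session lifetime."""
        device = self.preview(approver_id, typed)
        expires = None if permanent else self.clock() + duration
        session = Session(device=device, expires=expires)
        session_id = secrets.token_hex(8)
        self.sessions.setdefault(user, {})[session_id] = session
        self.pending[self._normalise(typed)].token = session.token
        return session_id

    def list_sessions(self, user: str) -> dict:
        """Device management: what is signed in right now (expired ones dropped)."""
        now = self.clock()
        live = {sid: s for sid, s in self.sessions.get(user, {}).items()
                if s.expires is None or s.expires > now}
        self.sessions[user] = live
        return live

    def sign_out(self, user: str, session_id: str) -> bool:
        """Explicit sign-out from the device list; True if something was removed."""
        return self.sessions.get(user, {}).pop(session_id, None) is not None
```

Two design points worth noticing: the failure counter is keyed on the approver (the browser session typing codes), not on the code, because someone guessing codes never knows which pending code to charge the failure to; and the shared device only ever receives its own session token after a user has approved, so the code itself never grants access.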

The finisher

Using an existing logged-in session to authenticate another one is such a great user experience — it’s quicker, easier and better than inputting your password in front of all your meeting participants…

That’s it, much love, Teri ✌

P.S — this isn’t me in the photo, I am seldom that joyous…


Teri Baines

Product Manager fighting the patriarchy and systematic racism one Alpaca at a time