Currently I'm trying to implement device two-factor authentication in which, every time a user logs in, if that device wasn't recognized for the user, the user will have to perform some sort of two-factor authentication.
Currently I'm using System.Web.HttpBrowserCapabilities;
however, this is becoming a huge inconvenience because of automatic browser upgrades. I'm curious if someone has a better method or any suggestions.
Thanks!
Use a device cookie.
It says "this user has successfully authenticated on this user agent in the past".
You probably want to include their username (or user id), a timestamp, a random value (a nonce), and an HMAC of this info.
Make sure this cookie is marked "secure" (HTTPS only) and "HttpOnly" (cannot be read by JavaScript).
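
The cookie described in the answer above, as an added example that is not code from the original post: one way to issue and check it in ASP.NET (System.Web). The class name `DeviceCookie`, the cookie name `device_token`, the field layout and the 90-day lifetime are assumptions, and `key` is assumed to be a random server-side secret that never leaves the server.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;
using System.Web;

public static class DeviceCookie
{
    public const string CookieName = "device_token";           // hypothetical name
    static readonly TimeSpan MaxAge = TimeSpan.FromDays(90);   // assumed lifetime
    static string Hex(byte[] b) { return BitConverter.ToString(b).Replace("-", ""); }
    static string Mac(string payload, byte[] key)
    {
        using (var h = new HMACSHA256(key)) return Hex(h.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }
    // Value layout: hex(userId).unixSeconds.hex(nonce).hex(HMAC over the first three fields)
    public static HttpCookie Issue(string userId, byte[] key, DateTimeOffset now)
    {
        var nonce = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(nonce);
        string payload = Hex(Encoding.UTF8.GetBytes(userId)) + "."
            + now.ToUnixTimeSeconds().ToString(CultureInfo.InvariantCulture) + "." + Hex(nonce);
        return new HttpCookie(CookieName, payload + "." + Mac(payload, key))
        {
            Secure = true, HttpOnly = true,   // HTTPS only; not readable from JavaScript
            Expires = now.Add(MaxAge).UtcDateTime
        };
    }
    // True only if the MAC verifies, the cookie names this user, and it has not aged out.
    public static bool IsRecognized(string value, string userId, byte[] key, DateTimeOffset now)
    {
        string[] p = (value ?? "").Split('.');
        if (p.Length != 4) return false;
        // Check the MAC before trusting any field, so tampered values are never parsed.
        if (!FixedTimeEquals(p[3], Mac(p[0] + "." + p[1] + "." + p[2], key))) return false;
        long issued;
        if (!long.TryParse(p[1], NumberStyles.None, CultureInfo.InvariantCulture, out issued)) return false;
        long age = now.ToUnixTimeSeconds() - issued;
        return p[0] == Hex(Encoding.UTF8.GetBytes(userId)) && age >= 0 && age <= (long)MaxAge.TotalSeconds;
    }
    // Compares without an early exit so timing does not reveal how many MAC characters matched.
    static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

At login, pass the value of `Request.Cookies[DeviceCookie.CookieName]` (if present) to `IsRecognized` and require the second factor when it returns false; add the cookie from `Issue` to the response only after the second factor succeeds.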