Fingerprint to expire Refresh tokens

Would it be a good idea to use a form of device fingerprint to detect that the token might be being used by a different device than the one initially used to generate it, and therefore have the token revoked?

I’m not saying to use this measure to replace others, but as an additional check.

I’m aware that devices will try to avoid offering a fingerprint, but even a non-unique fingerprint based on something like “country” or “OS” looks better than no check at all.

Even considering that a fingerprint can be relatively easily manipulated, as the information is stored either in the obfuscated refresh token or in the backend database, it will be hard for an attacker to replicate it.

If this is a good idea, what would be good parameters to use as fingerprint?
Operating System, App Version, Browser, User Agent, Server Country, Country, Language, Platform?
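One way to implement the additional check described in the post above, as an added example that is not part of the original thread or of any particular product: the server keeps an opaque refresh token record, stores only a keyed hash of the coarse attributes the post lists, and on every refresh compares the presented attributes against that hash, revoking the token on mismatch. The in-memory store, the server secret, the field names and the sample attribute values are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example values: a real deployment would load the secret from a
# secrets manager and keep token records in a database, not a dict.
SERVER_SECRET = b"example-only-server-secret"
TOKEN_STORE = {}  # token_id -> record

# Coarse, low-entropy attributes, as suggested in the post (assumed field names).
FINGERPRINT_FIELDS = ("os", "app_version", "country", "language")


def fingerprint_digest(attrs):
    """Return a keyed hash of the coarse attributes; raw values are never stored."""
    canonical = "|".join(f"{k}={attrs.get(k, '')}" for k in FINGERPRINT_FIELDS)
    return hmac.new(SERVER_SECRET, canonical.encode(), hashlib.sha256).hexdigest()


def issue_refresh_token(user_id, attrs, ttl_seconds=30 * 24 * 3600):
    """Issue an opaque refresh token bound to the caller's fingerprint digest."""
    token_id = secrets.token_urlsafe(32)
    TOKEN_STORE[token_id] = {
        "user": user_id,
        "fp": fingerprint_digest(attrs),
        "expires": time.time() + ttl_seconds,
        "revoked": False,
    }
    return token_id


def use_refresh_token(token_id, attrs):
    """Validate, fingerprint-check and rotate a refresh token.

    Returns (new_token, status). status is one of:
      "ok"                   - accepted; old token revoked, new token returned
      "invalid"              - unknown, expired or already revoked token
      "fingerprint_mismatch" - attributes differ from issuance; token revoked
    """
    rec = TOKEN_STORE.get(token_id)
    if rec is None or rec["revoked"] or rec["expires"] < time.time():
        return None, "invalid"

    # The extra check from the post: compare in constant time and revoke on mismatch.
    if not hmac.compare_digest(rec["fp"], fingerprint_digest(attrs)):
        rec["revoked"] = True
        return None, "fingerprint_mismatch"

    # Ordinary refresh-token rotation: the presented token is single-use.
    rec["revoked"] = True
    return issue_refresh_token(rec["user"], attrs), "ok"
```

Because attributes such as the app version change legitimately, a mismatch should route the user to re-authenticate rather than fail silently; that extra flow is the kind of complexity the reply below weighs against the benefit.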

It’s very difficult to provide a yes or no type of answer to these sorts of questions, but personally I would tend to be on the no side on this one, given that it sounds like something that will only result in adding significant complexity to the system without bringing sufficient benefits. In addition, I wouldn’t even be sure whether doing something like that would not require a more in-depth look from the perspective of privacy laws.