Would it be a good idea to use a form of device fingerprint to detect that the token might be used by a different device than the one initially used to generate it, and therefore revoke the token?
I’m not saying to use this measure to replace others, but as an additional check.
I’m aware that devices will try to avoid offering a fingerprint, but even a non-unique fingerprint like “country” or “OS” based looks better than no check at all.
Even considering that a fingerprint can be relatively easily manipulated, as the information is stored either in the obfuscated refresh token or backend database it will be hard for an attacker to replicate it.
If this is a good idea, what would be good parameters to use as fingerprint?
Operating System, App Version, Browser, User Agent, Server Country, Country, Language, Platform?
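A minimal sketch of the scheme the question proposes, added here as an illustration and not code from the question or any answer: the server keeps a coarse fingerprint hash next to each refresh token record, recomputes it from the attributes presented on refresh, and revokes the token on mismatch. The field set, the HMAC key, the in-memory store and the return values are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed demo key and in-memory store (assumptions, not from the post).
SERVER_KEY = b"constructed-demo-key-not-for-production"
TOKEN_STORE = {}  # token_id -> {"fingerprint": hex digest, "revoked": bool}

# Coarse, deliberately non-unique attributes, as the question suggests.
FINGERPRINT_FIELDS = ("os", "app_version", "language", "country")


def fingerprint(attrs):
    """Hash a fixed, ordered subset of client attributes (server-side only)."""
    canonical = "|".join(str(attrs.get(f, "")).strip().lower() for f in FINGERPRINT_FIELDS)
    return hashlib.sha256(canonical.encode()).hexdigest()


def issue_refresh_token(attrs):
    """Create an opaque token; the fingerprint stays in the backend record, not in the token."""
    token_id = secrets.token_urlsafe(16)
    TOKEN_STORE[token_id] = {"fingerprint": fingerprint(attrs), "revoked": False}
    tag = hmac.new(SERVER_KEY, token_id.encode(), hashlib.sha256).hexdigest()
    return f"{token_id}.{tag}"


def refresh(token, attrs):
    """Return 'ok', 'invalid' (bad token) or 'revoked' (unknown, revoked or fingerprint mismatch)."""
    try:
        token_id, tag = token.split(".")
    except ValueError:
        return "invalid"
    expected = hmac.new(SERVER_KEY, token_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return "invalid"
    record = TOKEN_STORE.get(token_id)
    if record is None or record["revoked"]:
        return "revoked"
    if not hmac.compare_digest(record["fingerprint"], fingerprint(attrs)):
        # Mismatch: revoke the token itself, so later presentations also fail.
        record["revoked"] = True
        return "revoked"
    return "ok"
```

Fields such as app_version change on legitimate updates, so a mismatch policy has to decide whether that case should revoke the token or just force re-authentication.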