Verify user identity for additional device registration
Your users can register multiple devices. When a user attempts to register an additional device, you must verify that the requester really is that user before the registration proceeds.
If you do not verify the user's identity at the registration of an additional device, an attacker who holds a weakly authenticated session (for example one obtained with stolen credentials) might be able to register their own device on behalf of an existing user and then authenticate as that user from it.
Recommended solution
To prevent attacks, ensure that a user is strongly authenticated when they attempt to register a new device. Implementing one of the following solutions can ensure that the requester and the user are the same person:
- Only allow registering additional devices to users whose session was initiated by multi-factor authentication using Authentication Cloud as the second factor.
- Require a transaction approval for the registration of an additional device.
In both cases the requester proves, with a device that is already registered to the user, that they are that user; only then is the registration of the new device allowed.
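The following is an added example of how a backend could enforce the two options above before accepting a new device; it is illustrative code, not part of this page or of the Authentication Cloud product, and all names (`Session`, `TransactionApproval`, `can_register_additional_device`, the `"auth_cloud"` factor label, the approval purpose string and the five-minute validity window) are assumptions. The registration endpoint accepts a request only when the session was opened with multi-factor authentication using Authentication Cloud as the second factor, or when a transaction approval for exactly this purpose was given from a device that is already registered to the same user and has not been reused or expired.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set, Tuple

# Hypothetical session record: which second factor, if any, was used at login.
@dataclass
class Session:
    user_id: str
    second_factor: Optional[str] = None  # "auth_cloud" models Authentication Cloud as second factor


# Hypothetical transaction approval as confirmed on an already registered device.
@dataclass
class TransactionApproval:
    user_id: str
    approving_device_id: str  # device that confirmed the transaction
    purpose: str              # what the user approved, e.g. "register-device"
    approved_at: datetime
    consumed: bool = False    # an approval may authorise one registration only


APPROVAL_MAX_AGE = timedelta(minutes=5)  # assumed freshness window for an approval
REGISTER_PURPOSE = "register-device"


def can_register_additional_device(
    session: Session,
    registered_devices: Dict[str, Set[str]],
    approval: Optional[TransactionApproval] = None,
    now: Optional[datetime] = None,
) -> Tuple[bool, str]:
    """Return (allowed, reason). Either the session itself is strongly
    authenticated, or a valid transaction approval binds the request to
    a device the user has already registered."""
    now = now or datetime.now(timezone.utc)

    # Option 1: session initiated by MFA with Authentication Cloud as second factor.
    if session.second_factor == "auth_cloud":
        return True, "session-mfa"

    # Option 2: transaction approval from an already registered device of this user.
    if approval is None:
        return False, "no-approval"
    if approval.user_id != session.user_id:
        return False, "approval-user-mismatch"
    if approval.approving_device_id not in registered_devices.get(session.user_id, set()):
        return False, "approval-device-not-registered"
    if approval.purpose != REGISTER_PURPOSE:
        return False, "approval-wrong-purpose"
    if approval.consumed:
        return False, "approval-already-used"
    if now - approval.approved_at > APPROVAL_MAX_AGE:
        return False, "approval-expired"

    approval.consumed = True  # bind the approval to this single registration
    return True, "transaction-approval"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenarios covering both accepted paths and the main rejections."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    devices = {"alice": {"alice-phone"}, "bob": {"bob-phone"}}
    fresh = lambda uid, dev: TransactionApproval(uid, dev, REGISTER_PURPOSE, now - timedelta(seconds=30))
    results = {}
    results["mfa_session"] = can_register_additional_device(
        Session("alice", "auth_cloud"), devices, now=now)
    results["password_only"] = can_register_additional_device(
        Session("alice", None), devices, now=now)
    results["approved"] = can_register_additional_device(
        Session("alice", None), devices, fresh("alice", "alice-phone"), now=now)
    # An approval from another user's device must not authorise alice's registration.
    results["foreign_device"] = can_register_additional_device(
        Session("alice", None), devices, fresh("alice", "bob-phone"), now=now)
    stale = TransactionApproval("alice", "alice-phone", REGISTER_PURPOSE, now - timedelta(minutes=10))
    results["expired"] = can_register_additional_device(
        Session("alice", None), devices, stale, now=now)
    used = fresh("alice", "alice-phone")
    can_register_additional_device(Session("alice", None), devices, used, now=now)
    results["replayed"] = can_register_additional_device(
        Session("alice", None), devices, used, now=now)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15s} -> {outcome}")
```

The checks that matter for the threat on this page are the binding ones: the approving device must belong to the same user as the session, the approval must be for device registration and nothing else, and it must be fresh and single-use, otherwise an approval captured for one purpose could be replayed to enrol an attacker's device.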