Our definition of Trusted Device:
1. Alice logs in with her username and password for the first time on her new computer.
2. An email is sent to Alice with a verification link.
3. Alice clicks the link, and she is now logged in, and the device is considered trusted.
4. The next time Alice logs in from this computer, email verification is skipped because her device is considered trusted.
Our definition of MFA with mobile app:
1. Bob logs in with his username and password.
2. Bob is prompted with a token field.
3. Bob starts his MFA app (Authy, Google Authenticator or similar).
4. Bob enters the generated token (or preferably accepts a push message sent to the phone, as it is simpler) and is successfully logged in.
Things we don’t consider good ways of solving this problem:
- Using authentication with Google or Facebook accounts or similar rather than built-in AwareIM user database.
- IP address or user agent fingerprinting is not a unique identifier when identifying a Trusted Device
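As an added example (not from the original post or from AwareIM), here is a minimal server-side model of the Trusted Device flow described above: the first login issues a one-time emailed link, opening the link sets an HMAC-signed device cookie, and later logins skip the email step only if that cookie verifies for the same user. The secret key, the link and trust lifetimes, and the in-memory store are assumptions for the demo.

```python
import base64, hashlib, hmac, json, secrets, time

# Hypothetical values: in a real deployment the key comes from a key store.
SERVER_KEY = secrets.token_bytes(32)
LINK_TTL = 15 * 60          # assumed: verification link valid for 15 minutes
TRUST_TTL = 30 * 86400      # assumed: a trusted device re-verifies after 30 days
pending_links = {}          # token -> (username, device_id, expiry); in-memory for the demo

def start_login(username, device_cookie=None, now=None):
    """Password already checked. Return ('trusted', None) if the device cookie is
    valid for this user, otherwise ('verify_email', link) with a one-time link to mail."""
    now = time.time() if now is None else now
    if device_cookie and verify_device_cookie(username, device_cookie, now):
        return "trusted", None
    token = secrets.token_urlsafe(32)                 # unguessable, single use
    pending_links[token] = (username, secrets.token_urlsafe(16), now + LINK_TTL)
    return "verify_email", f"https://app.example.invalid/verify?token={token}"

def complete_link(token, now=None):
    """Called when the user opens the emailed link. Returns a device cookie or None."""
    now = time.time() if now is None else now
    entry = pending_links.pop(token, None)            # consumed even if expired
    if entry is None or now > entry[2]:
        return None
    username, device_id, _ = entry
    claims = {"u": username, "d": device_id, "exp": int(now + TRUST_TTL)}
    payload = json.dumps(claims).encode()
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode()

def verify_device_cookie(username, cookie, now=None):
    """True only if the cookie is untampered, belongs to this user and has not expired."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
        payload, mac = raw[:-32], raw[-32:]           # SHA-256 tag is the last 32 bytes
        claims = json.loads(payload)
    except (ValueError, UnicodeDecodeError):
        return False
    if not isinstance(claims, dict):
        return False
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return (hmac.compare_digest(mac, expected)        # constant-time tag check
            and claims.get("u") == username
            and now < claims.get("exp", 0))
```

The cookie is bound to the user and signed, so IP address or user agent never enters the trust decision; binding trust to a secret the device holds is what distinguishes it from fingerprinting.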