That’s a good question, and an important one: what exactly is a device? As it turns out, as far as Hosted Login is concerned, a device is the combination of a specific piece of hardware (a computer, a tablet, a cell phone) and a specific web browser. For example, suppose a user logs on to a website using a laptop computer and, in the process, marks that laptop as a trusted device. The next time the user logs on to the website using that laptop, they’re able to bypass two-factor authentication.
Note. OK, that’s not entirely true. But just play along with us for a minute.
But what if that same user logs on to the website using a cell phone? This time the user does have to go through two-factor authentication. That’s because their cell phone is obviously a different device than their laptop computer. To avoid two-factor authentication during their next login, the user must also mark their cell phone as a trusted device. At that point, the user has two trusted devices: a laptop computer and a cell phone.
Note. Before you ask, no, there’s no way for a user to get a list of all their trusted devices for a given website.
The fact that a laptop computer and a cell phone are considered separate devices makes sense; after all, they are separate devices. However, you can also have separate devices running on a single piece of hardware. For example, suppose our user uses their laptop computer and the Chrome web browser to log in to a website; when doing so, the user selects the Trust this device for future logins checkbox. At this point, you might think that the user’s laptop has been configured as a trusted device.
But, as it turns out, that’s not true. Instead, the Chrome browser running on the laptop computer has been configured as a trusted device. If the user employs Chrome to log on to the website a second time, he or she will bypass two-factor authentication. But suppose the user decides to access the website by using Firefox instead. Even though the browser is running on the seemingly-trusted laptop computer, the user is required to go through two factor authentication. That’s because the trusted device isn’t the laptop computer; it’s the Chrome browser running on the laptop computer. As far as two-factor authentication is concerned, the user is trying to login from a totally different, and untrusted, device: the Firefox browser running on the laptop computer.
In case you’re wondering, this situation – different browsers being treated as different devices – occurs because part of the process of configuring a device as a trusted device involves the use of a cookie, and cookies can’t be shared between browsers. That means that each browser you log on with requires its own cookie and, as such, is treated as a totally separate device: Firefox can’t leverage the cookie given to Chrome, and vice-versa.
This has several implications, beginning with the obvious one: as we just saw, a single hardware device can have a number of different devices on it. Here’s a less obvious, but equally important one: trusted devices are of minimal use if you’re running your web browser in incognito mode. That’s because, in that mode, cookies are automatically deleted when a browser session ends. If you log on to a website in incognito mode, you can mark your device as a trusted device, and the required cookie will be written to the browser. However, that same cookie is deleted as soon as the browser session ends. That means that, the next time you log on to the website, you’ll have to go through two-factor authentication all over again.
Something similar happens if you configure a browser to delete cookies each time your browser session ends: if you do that, you’ll delete the trusted device cookie and, as a result, will have to go through two-factor authentication the next time you log on.
Here’s something else you should know: a trusted device is also tied to a specific user. Suppose the user firstname.lastname@example.org uses Computer A and the Chrome browser to log on to a website; when doing so, Karim marks his device as being a trusted device. The next time Karim logs on using this computer and the Chrome browser, he’ll be able to bypass two-factor authentication.
Now, suppose the user email@example.com uses this same computer (Computer A) and the Chrome browser to log on to that same website. After Skeeter supplies his credentials, he’ll see this:
Yes, Computer A and the Chrome browser are a trusted device, but only for Karim Nafir. If Skeeter Davis wants to be able to bypass two-factor authentication then he’ll also need to select the Trust this device for future logins checkbox.
In short: a “device” is a specific user running a specific web browser on a specific piece of hardware. In practice it can seem complicated. but it’s really pretty straightforward.