How CARES protects your account with device-based identity
CARES uses device-based identity to protect your account from unauthorized access. Every device you use to log in is fingerprinted and registered to your account. This means even if someone obtains your password, they cannot access your account from an unrecognized device without your explicit approval.
Key principle: Your points, rewards, and account actions are tied to your trusted devices. A maximum of 3 devices can be registered to any account.
When you create your account or log in for the first time after device security is activated, your current device is automatically registered as your primary trusted device. No additional steps are needed.
Your primary device has full, unrestricted access to all platform features immediately.
When you log in from a new device (different phone, tablet, computer, or browser), the system detects it as unrecognized. Here's the step-by-step process:
Enter your username and password as normal on the new device.
Instead of logging in, you'll see a message: "New device detected. A verification code has been sent to your email."
You'll receive a 6-digit verification code from CARES Security. This code expires in 30 minutes.
Log in on your primary device, go to your Profile → Trusted Devices, find the pending device, and enter the 6-digit code.
The new device is approved but enters a 7-day cooldown period. During this time, the device can log in but has restricted access (see below).
After 7 days, the device becomes fully trusted with unrestricted access. An admin can expedite this if needed.
The verification code is a critical security layer. Key details:
Important: Your email address is encrypted in our database. Even in the unlikely event of a data breach, your email cannot be read by attackers.
After a new device is approved, it enters a 7-day cooldown period. This is your safety net.
The cooldown gives you time to notice if someone else added a device to your account. You'll see alerts on your primary device and receive an email notification. If you didn't add the device, you can revoke it before it gains full access.
Need faster access? Contact a platform admin to expedite the cooldown. Admins can verify your identity and grant full access immediately.
Visit Profile → Trusted Devices to see all devices registered to your account.
Each account can have a maximum of 3 devices (active + pending combined). If you need to add a new device but are at the limit, revoke an old device first.
If you see a device you don't recognize:
Even if an attacker somehow gains your password and intercepts your email verification code, the 7-day cooldown prevents them from performing any damaging actions like draining your points. You will see a warning banner on your primary device alerting you to the new device.
Platform admins can help with device issues:
To contact an admin, use the "Contact Admin" link shown in cooldown banners, or reach out via Discord.
A device is identified by its hardware and software characteristics (screen, graphics, browser, OS). Using a completely different browser on the same computer may register as a new device.
Device fingerprinting is based on hardware characteristics, not cookies. Clearing your browser data will not usually change your device fingerprint. However, major browser updates or OS changes might.
If your device is no longer recognized (e.g., after a major OS update), you'll go through the new device flow again. Your old device entry can be revoked from the new one once approved.
The limit is 3 devices per account. Revoke a device you no longer use to free up a slot.
Yes. Your email address is encrypted at rest using AES-128 encryption. Device fingerprints are double-hashed (client-side SHA-256 + server-side HMAC) so even a database breach reveals nothing about your devices or identity.
Screen resolution, OS, browser type, hardware characteristics (CPU cores, memory), and rendering signatures (Canvas/WebGL). No personal data is collected — it's a hash of technical signals only.