Is this a secure way of authenticating, advice on what to change?
I have a few terminals that I currently use a static IP to authenticate. The problem is in my country the internet is not stable, so often I have to switch to mobile data, then the terminals can't authenticate because their IP addresses changes.
The solution I have thought of is using the MAC address of a terminal as a Username, and then for the password I would generate it as follows:
My concern is
CustomFooAlgorithmis basically a shared secret across all terminals. Also I am not sure how to create such an algoirthm that would not be easy to figure out. Could this work? I like that their is no customisation per a terminal.
A more complicated way
I am guesing I would have to create an additional secret token for each terminal, and also store the secret token on the server. Then the webservice could seed some common hashing algorithm with the server token, and the secret token, to generate an OTP.
I thought one could generate the secret key from the mac address, but that is indirectly the same as doing
CustomFooAlgorithm, just splitting it into 2 steps. The advantage of two steps is then a generic algorithm can be used for step 2.
Don't Reinvent the wheel
Should I just use TOTP instead of the above? Its about the closest "off the shelve solution" I can find to solving my problem.
inna last edited by
Don't reinvent the wheel when there are very good and safe wheels available and you are not a Certified Wheel Engineer.
You have a couple options to try before implementing your own.
On the client side, there are mobile applications, desktop applications and browser extensions for generating the token.
2. SSH public key authentication
This is a little less user-friendly if your intended audience isn't tech-savvy. Install SSH on the server, disable password authentication and only allow public key authentication. Put the terminal service listening only on localhost and use SSH Tunneling to connect from your desktop to the service.
This is a little safer than pure OTP because all traffic will be sent inside an encrypted tunnel, so even if the protocol for the terminal service is cleartext by default, it will be encrypted. Another layer of security is that the terminal service is not exposed on the public internet.
3. Client Certificates
This is more complex and time consuming, but it's more user friendly on the daily activities. You have to issue a certificate for each user, and configure the server to only allow those certificates to connect.