views:

29

answers:

2

What is a good approach for credential checks for windows mobile app. Knowing that it is an occasionally connected device.

Should I keep the user credential into the local database? If the credential doesn't exist in the db, try to see if it has internet access and do the check through a web service?

If both fails then display an error message ?

If logins is successful then store the credential to the local database store then upon next login go against the database first?

Is this a good approach?

+2  A: 

It's difficult for us to tell you what is a "good" approach because it depends highly on what your requirements are, your device, your network and a lod of other things. Your process seems reasonable for an application that needs to authenticate with some remote server. Just a few things to consider:

  • How will you store the local credential? An MD5 hash or something else?
  • Are you authenticating back to something like a server where the cred needs to be NTLM or are you just doing a local app authentication?
  • If the user loses the device and someone else finds it, how does that affect your auth procedures?
  • How do they get the very first auth if they have no network?
  • How secure is your web service? Does it even matter?

I'm sure there are other good questions to ask - these are just the ones that come to mind right now. The point is that only you know what level of security your app needs and what the use-cases are going to be so the best person to judge if an approach is good is going to be you.

ctacke
+1  A: 

I have a similar situation in mobile software we use, we use the following approach:

  • The first login on the device needs a connection to verify credentials. It will store the last used username and a hash of the password locally.
  • The next login, using the same username will hash the entered password and compare it with the local one. If they match, the user is logged in without the need of an internet connection. If it fails the user gets two more attemps, at which point the software asks to verify the credentials through the master server.
  • The next login, using a different username will always use an internet connection to verify. And if it succeeds, it will follow step one again.

Obviously, you need to be aware of the fact that this approach is vulnerable to a brute force attack. There is no way you can prevent a hacker from doing a lot of attemps. You can only try to slow them down (using a slow hashing algorithm and other nags). If you are really worried about such attacks; using a connected login verification method is your only way to go.

There are other things to consider by the way. Is the device connected frequently or really infrequently? Do a lot of different users login on the device while a connection is not available? Answers to such questions could lead you to a single login implementation.

Cloud