views: 23
answers: 2

For a few reasons, the bunch I'm working for don't want to use certificates and don't like the idea of a service that can be accessed by anybody with a valid logon.

My question is: how can I authenticate an application as being an official application suited for use with these WCF services, without using certificates?

They are trying to avoid a situation where inquisitive customers are clever enough to retrieve the service calls and have enough infrastructure to build their own clients to use them.

A: 

We used a magic number scheme in one job, where we paired a generated magic number with a range of IPs. However, we also used username/password authentication. Just one idea.

rerun
A: 

I think this is hardly achievable. If you expose a service you are just saying "Hey, here is some functionality you can use if you have valid credentials". Identification of the calling application is just another piece of data sent in the message. So if you have a clever customer who has valid credentials and a valid IP (if you use some filter), he can just send the same identification from his own application. If you create some clever algorithm for generating a random valid application ID, you would still ship that algorithm with your client application, so you would need obfuscation to protect its code from reverse engineering.

Ladislav Mrnka
This is where I'm at, but asking around counts as due diligence. Thanks ;)
Ultrahuman
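For readers who want to see what the "magic number plus IP range" scheme from the first answer looks like on the server side, and where the second answer's objection bites, here is an added example. It is not code from the question or either answer: it is a WCF dispatch message inspector that checks a shared application token carried in a SOAP header and the caller's address against an allowed CIDR range. The header name, namespace, token and range are all assumed placeholder values; the inspector is wired in through a service behavior attribute.

```csharp
using System;
using System.Collections.ObjectModel;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

// Server-side inspector: every incoming request must carry the expected
// application token header AND arrive from an address inside the allowed range.
// Caveat (as the second answer points out): the token ships inside the client
// binary, so anyone who extracts it can present it from their own client.
// This identifies a build of your application, it does not authenticate a user;
// keep username/password (or another real credential) on the endpoint as well.
public sealed class ApplicationTokenInspector : IDispatchMessageInspector
{
    // Hypothetical header name/namespace agreed between client and server.
    public const string HeaderName = "AppToken";
    public const string HeaderNs = "urn:example:apptoken";

    private readonly byte[] expectedToken;
    private readonly IPAddress rangePrefix;
    private readonly int prefixBits;

    public ApplicationTokenInspector(string token, string cidr)
    {
        expectedToken = System.Text.Encoding.UTF8.GetBytes(token);
        string[] parts = cidr.Split('/');                 // e.g. "10.0.0.0/8" (constructed)
        rangePrefix = IPAddress.Parse(parts[0]);
        prefixBits = int.Parse(parts[1]);
    }

    public object AfterReceiveRequest(ref Message request, IClientChannel channel, InstanceContext instanceContext)
    {
        // 1. Address filter: the transport records the remote endpoint for us.
        var remote = request.Properties[RemoteEndpointMessageProperty.Name] as RemoteEndpointMessageProperty;
        if (remote == null || !InRange(IPAddress.Parse(remote.Address)))
            throw new FaultException("Caller address is not permitted.");

        // 2. Application token: just another piece of data in the message.
        int idx = request.Headers.FindHeader(HeaderName, HeaderNs);
        if (idx < 0)
            throw new FaultException("Missing application token.");
        byte[] presented = System.Text.Encoding.UTF8.GetBytes(request.Headers.GetHeader<string>(idx));
        if (!FixedTimeEquals(presented, expectedToken))
            throw new FaultException("Invalid application token.");

        return null; // nothing to correlate with the reply
    }

    public void BeforeSendReply(ref Message reply, object correlationState) { }

    // Prefix match of the first prefixBits bits (IPv4 or IPv6, same family only).
    private bool InRange(IPAddress addr)
    {
        byte[] a = addr.GetAddressBytes(), p = rangePrefix.GetAddressBytes();
        if (a.Length != p.Length) return false;
        for (int bit = 0; bit < prefixBits; bit++)
        {
            int mask = 0x80 >> (bit % 8);
            if ((a[bit / 8] & mask) != (p[bit / 8] & mask)) return false;
        }
        return true;
    }

    // Compare without leaking where the first mismatch occurs.
    private static bool FixedTimeEquals(byte[] x, byte[] y)
    {
        if (x.Length != y.Length) return false;
        int diff = 0;
        for (int i = 0; i < x.Length; i++) diff |= x[i] ^ y[i];
        return diff == 0;
    }
}

// Attribute that installs the inspector on every endpoint of the service.
[AttributeUsage(AttributeTargets.Class)]
public sealed class RequireApplicationTokenAttribute : Attribute, IServiceBehavior
{
    public string Token { get; set; }  // placeholder; load from protected config in practice
    public string Cidr { get; set; }   // e.g. "10.0.0.0/8" (constructed)

    public void ApplyDispatchBehavior(ServiceDescription description, ServiceHostBase host)
    {
        foreach (ChannelDispatcherBase cdb in host.ChannelDispatchers)
        {
            var cd = cdb as ChannelDispatcher;
            if (cd == null) continue;
            foreach (EndpointDispatcher ed in cd.Endpoints)
                ed.DispatchRuntime.MessageInspectors.Add(new ApplicationTokenInspector(Token, Cidr));
        }
    }

    public void AddBindingParameters(ServiceDescription d, ServiceHostBase h,
        Collection<ServiceEndpoint> e, BindingParameterCollection p) { }
    public void Validate(ServiceDescription d, ServiceHostBase h) { }
}
```

Decorate the service class with `[RequireApplicationToken(Token = "...", Cidr = "10.0.0.0/8")]`; the official client adds the header inside an `OperationContextScope` with `OperationContext.Current.OutgoingMessageHeaders.Add(MessageHeader.CreateHeader(ApplicationTokenInspector.HeaderName, ApplicationTokenInspector.HeaderNs, token))`. Treat the check as a deterrent layered on top of real credentials, exactly as both answers describe, not as a substitute for them.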