On Sat, Sep 23 2017, Amen em hat Ankh wrote:
> in that constellation Frank would never deal with URLs, usernames or
> passwords and no private data is transferred through the net when he
> downloads or uploads stuff, except the one and only time when he
> registers a new device.
How do you authenticate the device to be whitelisted, though? If I understand this correctly, you would first generate the QR manually, then scan it right away. So being able to scan the code is what grants you access. After scanning, a token is sent to the server to be whitelisted. However, you'd need to validate the new device manually as well in order to be different from simple password authentication. Hashing hardware information is useless if I can eavesdrop on the connection, as I can impersonate any token you provide. You need to share a secret with the server first.
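As an added illustration of the replay point made above (not code from this thread or from the project under discussion; the server class, the device name "frank-phone" and the hardware string are hypothetical), the following contrasts a whitelist keyed on a hashed hardware token, which an eavesdropper can simply resend, with one keyed on a secret shared at QR registration and used for single-use challenge-response:

```python
import hashlib
import hmac
import secrets

def mac(secret, nonce):
    return hmac.new(secret, nonce, hashlib.sha256).digest()

class Server:
    def __init__(self):
        self.static_tokens = set()   # scheme A: hashed hardware info, accepted as-is
        self.secrets = {}            # scheme B: device_id -> secret shared at QR scan
        self.pending = {}            # scheme B: device_id -> outstanding nonce
    # Scheme A: the device identifies itself by sending hash(hardware info).
    def register_static(self, token):
        self.static_tokens.add(token)
    def auth_static(self, token):
        return token in self.static_tokens
    # Scheme B: the QR scan shares a secret; later logins are challenge-response.
    def register_secret(self, device_id, secret):
        self.secrets[device_id] = secret
    def challenge(self, device_id):
        self.pending[device_id] = secrets.token_bytes(16)
        return self.pending[device_id]
    def auth_response(self, device_id, nonce, response):
        expected_nonce = self.pending.pop(device_id, None)   # every nonce is single-use
        secret = self.secrets.get(device_id)
        if secret is None or nonce != expected_nonce:
            return False
        return hmac.compare_digest(mac(secret, nonce), response)

def replay_static_scheme():
    server = Server()
    token = hashlib.sha256(b"serial=ABC123;mac=00:11:22:33:44:55").hexdigest()  # constructed
    server.register_static(token)
    captured = token                     # an eavesdropper copies it off the wire
    return server.auth_static(captured)  # True: the copy is indistinguishable

def replay_challenge_scheme():
    server = Server()
    secret = secrets.token_bytes(32)     # would travel inside the QR code at registration
    server.register_secret("frank-phone", secret)
    nonce = server.challenge("frank-phone")
    captured = mac(secret, nonce)        # the one response the eavesdropper sees
    genuine = server.auth_response("frank-phone", nonce, captured)
    server.challenge("frank-phone")      # later, the eavesdropper tries to log in
    replay_old = server.auth_response("frank-phone", nonce, captured)   # stale nonce
    fresh = server.challenge("frank-phone")
    replay_new = server.auth_response("frank-phone", fresh, captured)   # MAC mismatch
    return genuine, replay_old, replay_new   # (True, False, False)
```

The shared secret still has to be delivered out of band, which is exactly what the one-time QR scan at registration is for; only the per-login exchange changes.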