On Sat, Sep 23 2017, Amen em hat Ankh wrote:
> in that constellation Frank would never deal with URLs, usernames or
> passwords and no private data is transferred through the net when he
> downloads or uploads stuff, except the one and only time when he
> registers a new device.

How do you authenticate the device to be whitelisted though?

If I understand this correctly, you would first generate the QR
manually, then scan it right away. So being able to scan the code is
what grants you access. After scanning, a token is sent to the server to
be whitelisted.

However, you'd need to validate the new device manually as well
in order to be different from simple password authentication. Hashing
hardware information is useless if I can eavesdrop on the connection, as I
can impersonate any token you provide. You need to share a secret with
the server first.
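The two schemes contrasted in the reply above, as an added example that is not part of the thread: a static token derived from hashed hardware information, which a server will accept again whenever it is presented, beside a design in which the one-time QR scan delivers a shared secret and every later login is an HMAC over a fresh server nonce. The device id `frank-laptop`, the JSON shape of the QR payload and the `|`-joined MAC input are assumptions made for this example; the hardware serial is a constructed value.

```python
import base64
import hashlib
import hmac
import json
import secrets


def hardware_fingerprint_token(hw_info: str) -> str:
    """Static token: a hash of hardware information (the scheme the reply warns about)."""
    return hashlib.sha256(hw_info.encode()).hexdigest()


class StaticTokenServer:
    """Whitelists a hashed hardware fingerprint and accepts it on every login."""

    def __init__(self):
        self.whitelist = set()

    def register(self, token: str) -> None:
        self.whitelist.add(token)

    def login(self, token: str) -> bool:
        # Anyone who has seen this token on the wire can present it again.
        return token in self.whitelist


class ChallengeResponseServer:
    """Shares a secret at enrollment (carried in the QR code), then authenticates
    with an HMAC over a fresh server nonce so an observed exchange cannot be reused."""

    def __init__(self):
        self.secrets = {}          # device_id -> shared secret bytes
        self.open_nonces = set()   # nonces issued but not yet consumed

    def enroll_qr(self, device_id: str) -> str:
        # Assumed QR payload format: a JSON string the device scans exactly once.
        secret = secrets.token_bytes(32)
        self.secrets[device_id] = secret
        return json.dumps({"device_id": device_id,
                           "secret": base64.b64encode(secret).decode()})

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.open_nonces.add(nonce)
        return nonce

    def verify(self, device_id: str, nonce: str, mac: str) -> bool:
        if nonce not in self.open_nonces:
            return False                 # unknown, expired, or already consumed nonce
        self.open_nonces.discard(nonce)  # single use: a captured (nonce, mac) pair dies here
        secret = self.secrets.get(device_id)
        if secret is None:
            return False
        expected = hmac.new(secret, f"{device_id}|{nonce}".encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, mac)


class Device:
    """The enrolled device: keeps the secret from the QR scan and answers challenges."""

    def __init__(self, qr_payload: str):
        data = json.loads(qr_payload)
        self.device_id = data["device_id"]
        self.secret = base64.b64decode(data["secret"])

    def respond(self, nonce: str) -> str:
        return hmac.new(self.secret, f"{self.device_id}|{nonce}".encode(), hashlib.sha256).hexdigest()


def static_token_replay_accepted() -> bool:
    """Enroll a hashed fingerprint, then check whether a copy of the token as seen in
    transit is accepted again. Returns True, which is the weakness the reply describes."""
    server = StaticTokenServer()
    token = hardware_fingerprint_token("constructed-hw-serial-0001")  # constructed value
    server.register(token)
    observed = token                     # exactly what passes over the connection
    return server.login(observed)


def challenge_response_results() -> dict:
    """One legitimate login and two reuse attempts against the shared-secret scheme."""
    server = ChallengeResponseServer()
    device = Device(server.enroll_qr("frank-laptop"))   # the one-time enrollment via QR

    nonce1 = server.challenge()
    mac1 = device.respond(nonce1)
    legit = server.verify("frank-laptop", nonce1, mac1)

    same_pair_again = server.verify("frank-laptop", nonce1, mac1)    # nonce already consumed
    nonce2 = server.challenge()
    old_mac_new_nonce = server.verify("frank-laptop", nonce2, mac1)  # MAC bound to nonce1

    return {"legit": legit,
            "replay_same_nonce": same_pair_again,
            "replay_fresh_nonce": old_mac_new_nonce}


if __name__ == "__main__":
    print("static token reuse accepted:", static_token_replay_accepted())
    print(challenge_response_results())
```

The point the check makes is the one in the reply: the static scheme cannot tell the enrolled device from anyone who has seen its token, whereas with a shared secret the server only ever sees MACs over nonces it chose, and each nonce is consumed on first use.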

