I’m developing a site that will provide an API to a mobile app (read/write/update); in the app the user should only enter his given 4-digit PIN to get in.
I thought to create a random 20-character key and link it to the PIN; the user should enter the key on the first login only, and that will create a cookie from the key with a lifetime equal to his subscription.
The site will also use SSL.
Do you know a better, simple way? What do you think about my solution?
Can you explain it a bit better? Is this similar to the TV apps that used to display a 4-character code for you to enter on their website to link your account (which pretty much no one uses anymore… for some odd reason)?
I’m struggling to figure out why you wouldn’t just use someone’s username and password to activate/link their account.
The mobile app will be used by people with little education, and it will be difficult for them to enter a username and password each time, so I was thinking to let them enter the API key only once; the device will be registered at the back-end, and thereafter anyone can just enter his PIN code to get in if his PIN code is linked in the DB with this key.
Each group/company will have one API key; this key has an expiry date, and once it has expired none of the PIN codes will work for that group/company.
If I go with username & password, then it should be easy and not complex, and that will put the API function at risk; moreover, the same key will be used on the desktop to generate reports.
Ah okay. Note that by reducing your string to 20, you are reducing your entropy by more than half of the article’s recommended 40 characters. To put that into perspective, I can tell you Slack uses 40 characters and Discourse uses at least 100 (the single key I generated was 106 characters).
Entropy is your biggest asset here, as it is your best assurance to security.