How to secure a site API

Hi,

I’m developing a site that will provide an API to a mobile app (read/write/update); in the app the user should only have to enter his given 4-digit PIN to get in.

I thought of creating a random 20-character key and linking it to the PIN; the user should enter the key on the first login only, and that will create a cookie from the key with a lifetime equal to his subscription.

The site will also use SSL.

Do you know a better simple way? What do you think about my solution?

Thanks

Has anyone had this issue before?

Can you explain it a bit better, is this similar to the TV apps that used to display a 4 character code for you to enter on their website to link your account (that pretty much no one uses anymore… for some odd reason)?

I’m struggling to figure out why you wouldn’t just use someone’s username and password to activate/link their account.

The mobile app will be used by people with little education, and it will be difficult for them to enter a username and password each time, so I was thinking of letting them enter the API key only once; the device will then be registered at the back-end, and thereafter anyone can just enter his PIN code to get in if his PIN code is linked in the DB with this key.

Each group/company will have one API key; this key has an expiry date, and once it has expired none of the PIN codes will work for that group/company.

If I go with username & password, then it should be easy and not complex, and that will risk the API function; moreover, the same key will be used on desktop to generate reports.

Have a look at this article: https://stormpath.com/blog/top-six-reasons-use-api-keys-and-how/

Ah okay. Note that by reducing your string to 20, you are reducing your entropy by more than half of the article’s recommended 40 characters. To put that into perspective, I can tell you Slack uses 40 characters and Discourse uses at least 100 (the single key I generated was 106 characters).

Entropy is your biggest asset here, as it is your best assurance to security.

Sorry, I didn’t get you, would you please explain more.

Extremely over-simplified and not a technical explanation by any means, but think of it this way:

site A requires a 4 digit PIN
site B requires a 2 digit PIN

Assuming you don’t know the values and want to “brute force” your way in, which site would be more of a problem for you?

site A with 10K possible values to try, or
site B with 100 possible values to try?
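To put numbers on the entropy argument above, and to sketch the group-key-with-expiry design from earlier in the thread, here is an added Python example; it is not code from any poster. It assumes a 62-symbol alphanumeric alphabet for the key (the thread does not say which alphabet is used), a hypothetical GroupRegistry that stores only a SHA-256 fingerprint of each key, and constructed sample PINs and dates. Note that the key is generated with the secrets module, not random, and that the PIN comparison is constant-time.

```python
import hashlib
import hmac
import math
import secrets
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Assumed alphabet for the thread's "random 20 character" key: 62 alphanumerics.
ALNUM = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy (bits) of `length` symbols drawn uniformly from an alphabet of `alphabet_size`."""
    return length * math.log2(alphabet_size)


def brute_force_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to guess a secret of `bits` entropy (half the keyspace on average)."""
    return (2 ** bits / 2) / guesses_per_second


def generate_api_key(length: int = 40, alphabet: str = ALNUM) -> str:
    """CSPRNG-backed key: `secrets`, never `random`, for anything that acts as a credential."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def key_fingerprint(key: str) -> str:
    """Store only a hash of the key server-side so a leaked table does not leak usable keys."""
    return hashlib.sha256(key.encode()).hexdigest()


class GroupRegistry:
    """Hypothetical store: one API key per group/company, an expiry date, and PINs linked to it."""

    def __init__(self) -> None:
        self._groups: Dict[str, dict] = {}  # fingerprint -> {"name", "expires", "pins"}

    def register_group(self, name: str, key: str, valid_days: int, pins: Dict[str, str],
                       now: Optional[datetime] = None) -> None:
        now = now or datetime.now(timezone.utc)
        self._groups[key_fingerprint(key)] = {
            "name": name,
            "expires": now + timedelta(days=valid_days),
            "pins": dict(pins),  # pin -> user label (constructed sample data in demo())
        }

    def authenticate(self, key: str, pin: str, now: Optional[datetime] = None) -> Optional[str]:
        """Return the user for (key, pin), or None if the key is unknown/expired or the PIN is wrong."""
        now = now or datetime.now(timezone.utc)
        group = self._groups.get(key_fingerprint(key))
        if group is None or now >= group["expires"]:
            return None  # an expired key disables every PIN in the group, as in the thread's design
        for stored_pin, user in group["pins"].items():
            if hmac.compare_digest(stored_pin, pin):  # constant-time comparison
                return user
        return None


def demo() -> dict:
    """Exercise the flow with constructed data and return the outcomes for checking."""
    reg = GroupRegistry()
    key = generate_api_key(40)
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed registration time
    reg.register_group("acme", key, valid_days=30, pins={"1234": "alice", "9876": "bob"}, now=t0)
    return {
        "right": reg.authenticate(key, "1234", now=t0),
        "wrong_pin": reg.authenticate(key, "0000", now=t0),
        "wrong_key": reg.authenticate(generate_api_key(40), "1234", now=t0),
        "expired": reg.authenticate(key, "1234", now=t0 + timedelta(days=31)),
    }


if __name__ == "__main__":
    for label, size, length in [("2-digit PIN", 10, 2), ("4-digit PIN", 10, 4),
                                ("20-char key", 62, 20), ("40-char key", 62, 40)]:
        bits = keyspace_bits(size, length)
        print(f"{label}: {bits:.1f} bits, {size ** length:.3e} possibilities, "
              f"{brute_force_seconds(bits, 1000.0):.3e} s at 1000 guesses/s")
    print(demo())
```

Running the block prints the bit counts for the two PIN sizes from the post (about 6.6 and 13.3 bits) next to the 20- and 40-character keys (about 119 and 238 bits), which is the point the poster is making: the key carries the security, the PIN alone does not, so the key's length and the expiry on it are what matter.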
