I am working on a small IoT device that basically is a status display, which includes data about my phone. That means that I have a simple web server running, which can be used to update the device's display using POST requests.

On to my question: Would it be enough to use a UUID as a primitive auth token? Because all this will likely run on a Raspberry Pi, I don't want to use power-hungry libraries.


1 Answer

An authentication token needs to be unguessable. Some UUIDs are, some are not. If you go with a UUID v4 that is generated with a CSPRNG you should be fine. It has to be cryptographically secure, though!

Another option, since I hope you already have TLS in place, would be to use client certificates.

– Anders

  • I'm still in the prototyping phase, so I didn't set up TLS yet. So basically, as long as I use a non-predictable random number, I'm fine? – Schwefelhexa Oct 24 '19 at 15:05
  • @Schwefelhexa Basically, this token is a password, so you should treat it as such. A very, very large random number makes a good password. – Anders Oct 24 '19 at 15:18
  • @Schwefelhexa On a side note, think about how you store it on the device. You probably want to hash it. – Anders Oct 24 '19 at 15:18
  • Thank you very much! Hashing would really be a good idea – Schwefelhexa Oct 24 '19 at 18:06
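The advice in the answer and comments (generate the token with a CSPRNG, treat it like a password, store only a hash of it on the device, and reject tokens that are not random v4 UUIDs) can be put together in a few lines of standard-library Python, which suits a Raspberry Pi because it pulls in no extra libraries. The following is an added example, not code from the original post or the answerer; the `Authorization: Bearer <token>` header format and the `authorize_request` helper are assumptions chosen for illustration. Python's `uuid.uuid4()` draws its 16 bytes from `os.urandom`, which is the operating system's CSPRNG, so it meets the "cryptographically secure" requirement the answer states. Because the token is a high-entropy random value rather than a human-chosen password, a plain SHA-256 digest is enough for storage: slow password hashes exist to resist guessing of weak passwords, which a 122-bit random token is not.

```python
import hashlib
import hmac
import uuid


def generate_token() -> str:
    """Return a fresh random UUID v4 as the device's auth token.

    uuid.uuid4() builds the UUID from os.urandom(16), i.e. the OS CSPRNG,
    leaving 122 unpredictable bits after the version/variant bits are set.
    """
    return str(uuid.uuid4())


def is_random_uuid(token: str) -> bool:
    """True only for syntactically valid UUIDs whose version field is 4.

    Other versions (v1 is derived from a MAC address and a timestamp) are
    guessable and must not be accepted as a token.
    """
    try:
        parsed = uuid.UUID(token)
    except ValueError:
        return False
    return parsed.version == 4


def token_digest(token: str) -> str:
    """Digest that the device stores instead of the raw token.

    SHA-256 is adequate here because the token itself is a large random
    value; a leaked digest still cannot be brute-forced back to it.
    """
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def verify_token(presented: str, stored_digest: str) -> bool:
    """Compare digest of the presented token with the stored digest.

    hmac.compare_digest runs in constant time, so response timing does
    not reveal how many leading characters matched.
    """
    if not is_random_uuid(presented):
        return False
    return hmac.compare_digest(token_digest(presented), stored_digest)


def authorize_request(headers: dict, stored_digest: str) -> bool:
    """Check an HTTP request's headers for a valid bearer token.

    Assumed header format (not from the original post):
        Authorization: Bearer <uuid4-token>
    """
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return False
    return verify_token(token.strip(), stored_digest)


if __name__ == "__main__":
    # One-time provisioning: print the token for the phone-side client and
    # keep only its digest on the device.
    token = generate_token()
    digest = token_digest(token)
    print("client token :", token)
    print("stored digest:", digest)
    # Constructed sample request, as the device's POST handler would see it.
    sample_headers = {"Authorization": "Bearer " + token}
    print("authorized   :", authorize_request(sample_headers, digest))
```

The digest is what a configuration file on the Pi should contain; the raw token is shown once at provisioning time and then lives only on the phone-side client. Since the page notes that TLS is not set up yet, bear in mind that without it the token travels in clear text on every POST, so the hashing protects only against someone reading the device's storage, not the network.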