Is this a secure way of authenticating, advice on what to change?

Question

I have a few terminals that I currently use a static IP to authenticate. The problem is in my country the internet is not stable, so often I have to switch to mobile data, then the terminals can't authenticate because their IP addresses changes.

The solution I have thought of is using the MAC address of a terminal as a Username, and then for the password I would generate it as follows:

When the terminal goes to the log in page, a token is provided by the server. The javascript uses this token and passes it into an application (web service) running locally. This local webservice returns then reads MAC address of the terminal, and uses the MAC address and the token from the server to seed algorithm CustomFooAlgorithm to generate an OTP. Then the webservice replies to the javascript request with the username and password, which the terminal then attempts to log into the server with.

My concern is CustomFooAlgorithm is basically a shared secret across all terminals. Also I am not sure how to create such an algoirthm that would not be easy to figure out. Could this work? I like that their is no customisation per a terminal.

A more complicated way

I am guesing I would have to create an additional secret token for each terminal, and also store the secret token on the server. Then the webservice could seed some common hashing algorithm with the server token, and the secret token, to generate an OTP.

I thought one could generate the secret key from the mac address, but that is indirectly the same as doing CustomFooAlgorithm , just splitting it into 2 steps. The advantage of two steps is then a generic algorithm can be used for step 2.

Don't Reinvent the wheel

Should I just use TOTP instead of the above? Its about the closest "off the shelve solution" I can find to solving my problem.

Answer 1

Don't reinvent the wheel when there are very good and safe wheels available and you are not a Certified Wheel Engineer.

You have a couple options to try before implementing your own.

1. OTP

OTP is easy to use. There are already libraries for implementing them in a safe manner on Javascript (client and server side), Python, Perl, PHP, C, Java, and I guess it isn't that difficult to write one in Cobol if you need.

On the client side, there are mobile applications, desktop applications and browser extensions for generating the token.

2. SSH public key authentication

This is a little less user-friendly if your intended audience isn't tech-savvy. Install SSH on the server, disable password authentication and only allow public key authentication. Put the terminal service listening only on localhost and use SSH Tunneling to connect from your desktop to the service.

This is a little safer than pure OTP because all traffic will be sent inside an encrypted tunnel, so even if the protocol for the terminal service is cleartext by default, it will be encrypted. Another layer of security is that the terminal service is not exposed on the public internet.

3. Client Certificates

This is more complex and time consuming, but it's more user friendly on the daily activities. You have to issue a certificate for each user, and configure the server to only allow those certificates to connect.