My case is that I'm designing an app based on the Chromium browser, powered by Electron.

And I sometimes need to log the clients in to some web apps. The password is only visible as dots in browsers by default.

I will have access to their computers via Remote Desktop applications each time I need to authorize them in that web app without them knowing the passwords used.

What are the most advanced methods to make this process more secure?

ahmad.bdw
  • @schroeder My app is based on the Chromium browser and will be installed on my clients' devices to run a web app and do some activities. Sometimes I will connect to their devices via Remote Desktop apps in order to log them in to that web app. I want to make sure they do not know that web app's password each time I do this process – ahmad.bdw Jan 20 '22 at 16:44
  • So basically, you need to remotely access someone else's computer and enter a password, but want to make sure they can't intercept or record the password? – nobody Jan 20 '22 at 17:00
  • Then use one-time passwords (e.g. randomly generated passwords or an access token), embed the password into a link and send a fresh link every time the user has to start your app. The password/token is only valid one time, so it doesn't matter if the user is able to see it. – Robert Jan 20 '22 at 17:04
  • @nobody Exactly – ahmad.bdw Jan 20 '22 at 17:06
  • @Robert It's a crypto wallet's password (MetaMask Wallet); I can't send a fresh link or a token. The only way is to enter the password to unlock the wallet, then restrict them from doing any further operation on the wallet extension – ahmad.bdw Jan 20 '22 at 17:09
  • I don't want them to record the password when I enter it, using keyloggers etc. – ahmad.bdw Jan 20 '22 at 17:12
  • If the user can gain money then your password approach will be broken in a few days by a sophisticated user. If the user owns the wallet, (s)he should also be in possession of the wallet password. If not, then the user [system] should never get access to the password. – Robert Jan 20 '22 at 17:12
  • @Robert The users are considered employees. They are limited and will be reviewed and trusted as much as possible. The wallet is for me; I just want to authorize them with a web app, then restrict them from doing anything with the wallet except their work on that web app – ahmad.bdw Jan 20 '22 at 17:15
  • It doesn't matter what organizational measures you take. If you ask on Information Security for the "Most Secure way" then the answer is "never send the password to the user". There are other approaches to ensure the security of a wallet, e.g. using the "Two-man rule" implemented as a crypto algorithm. Or process everything on a server (secure environment) that the user can't access and only gets a temporary password for. – Robert Jan 20 '22 at 17:20
  • @Robert I know there will always be tricks in security, however strong the system is. I just want the best way to make this operation more secure. I tried nearly everything you mentioned. The only way in my case is this. If you have any other advice, it would be appreciated a lot – ahmad.bdw Jan 20 '22 at 17:33

0 Answers