I am developing a mobile application for a company. Everyone in the company has an email address @company.com. The application itself is confidential, so it will only be installed on employee devices. This application communicates with an external server to store and retrieve data.
Ideally, what I would like to do is let people log in to the app simply by entering their email address without a password. Here is my current thinking:
- A new user first opens the application on a specific device and enters their email address. The email address is sent to the server along with a static token built into the application (the same for all instances of the application).
- The server checks the token and that the email address is @company.com. It responds with a new token/key, for use only with this user and this device, which the client stores locally in clear text. This key is effectively the user's password. It is hashed, stored in the server database, and marked as disabled.
- There are then two possibilities:
- The server sends an email to that address asking them to confirm that they want to log in on the new device. The email contains a link that, when clicked, marks the key as enabled. New-device requests need to be rate-limited so that people cannot be spammed if someone extracts the token embedded in the application.
- An administrator explicitly approves new-device requests.
SSL?

(PHP) Drupal drupal_get_token():
```php
<?php
// Derives a per-user token from a value (the email address), adapted from
// Drupal's drupal_get_token(). The original snippet hashed an undefined
// $email variable; it now hashes the $value parameter it is given.
function get_token($value = '') {
    // Static secret used as the HMAC key; it must remain private to the server.
    $salt = hash('sha256', 'Some static, predefined phrase');
    // HMAC-SHA256 over the value, raw bytes, then base64-encoded for transport.
    $hmac = base64_encode(hash_hmac('sha256', $value, $salt, TRUE));
    return $hmac;
}
```
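The enrollment flow described in the post (app token check, domain check, per-device key stored hashed and disabled, activation by emailed link, rate limiting of new-device requests), worked through as an added example. This is not code from the post, and it is written in Python rather than the PHP of the snippet above so that the whole exchange can be exercised offline. The application token, allowed domain, rate-limit values, activation lifetime and the in-memory "outbox" standing in for an email sender are all assumptions made for the example. Unlike the Drupal-style get_token() above, the per-device key here is random rather than derived from the email address, so leaking the server's static secret does not reveal every user's key; the activation link is single-use and expires.

```python
import hashlib
import hmac
import secrets
import time

# Assumptions for this example (not from the original post): the static token
# shipped in the app, the allowed domain, rate limit and activation lifetime.
APP_TOKEN = "static-token-built-into-app"
ALLOWED_DOMAIN = "company.com"
MAX_REQUESTS_PER_EMAIL = 3        # new-device requests per email per window
RATE_WINDOW_SECONDS = 3600
ACTIVATION_TTL_SECONDS = 900


def _h(value: str) -> str:
    # Device keys and activation tokens are 256-bit random values, so plain
    # SHA-256 is enough to avoid storing them in clear text (no password KDF).
    return hashlib.sha256(value.encode()).hexdigest()


class EnrollmentServer:
    def __init__(self):
        self.devices = {}       # device_id -> {"email", "key_hash", "enabled"}
        self.activations = {}   # sha256(activation token) -> (device_id, expiry)
        self.requests = {}      # email -> timestamps of recent device requests
        self.outbox = []        # constructed stand-in for an email sender

    def request_device(self, email, app_token, now=None):
        now = time.time() if now is None else now
        # The app-wide token only proves the caller has a copy of the app; it
        # is not a user secret, so it gates nothing beyond this request.
        if not hmac.compare_digest(app_token, APP_TOKEN):
            raise PermissionError("bad application token")
        local, sep, domain = email.rpartition("@")
        if not sep or not local or domain.lower() != ALLOWED_DOMAIN:
            raise PermissionError("email address not in allowed domain")
        # Rate limit per address so an extracted APP_TOKEN cannot be used to
        # flood employees with activation mails.
        recent = [t for t in self.requests.get(email, [])
                  if now - t < RATE_WINDOW_SECONDS]
        if len(recent) >= MAX_REQUESTS_PER_EMAIL:
            raise RuntimeError("too many new-device requests for this address")
        self.requests[email] = recent + [now]
        # Server-issued device id avoids collisions with other users' devices;
        # the key is returned once, stored hashed, and disabled until activated.
        device_id = secrets.token_urlsafe(16)
        device_key = secrets.token_urlsafe(32)
        self.devices[device_id] = {"email": email,
                                   "key_hash": _h(device_key), "enabled": False}
        activation = secrets.token_urlsafe(32)
        self.activations[_h(activation)] = (device_id, now + ACTIVATION_TTL_SECONDS)
        self.outbox.append((email, "https://example.invalid/activate?t=" + activation))
        return device_id, device_key

    def activate(self, activation_token, now=None):
        now = time.time() if now is None else now
        entry = self.activations.pop(_h(activation_token), None)  # single use
        if entry is None:
            return False
        device_id, expiry = entry
        if now > expiry:
            return False
        self.devices[device_id]["enabled"] = True
        return True

    def authenticate(self, device_id, device_key):
        """Return the email bound to the device, or None if the key is wrong
        or the device has not been activated yet."""
        rec = self.devices.get(device_id)
        if rec is None or not hmac.compare_digest(rec["key_hash"], _h(device_key)):
            return None
        return rec["email"] if rec["enabled"] else None


def demo():
    """Walk the enrollment flow once and return the outcomes for checking."""
    server = EnrollmentServer()
    dev, key = server.request_device("alice@company.com", APP_TOKEN, now=1000)
    before = server.authenticate(dev, key)            # not yet enabled -> None
    _, link = server.outbox[-1]
    token = link.split("?t=", 1)[1]                   # the user clicks the link
    ok = server.activate(token, now=1100)
    after = server.authenticate(dev, key)             # "alice@company.com"
    replay = server.activate(token, now=1200)         # link already used -> False
    return before, ok, after, replay


if __name__ == "__main__":
    print(demo())
```

The administrator-approval variant from the post is the same flow with activate() called by an admin action instead of by the link; the disabled-until-approved record and the rate limit on requests apply unchanged.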