Offline-Login Procedure in Progressive Web Apps (PWA)

Tags: authentication, mobile, offline, user-experience, web-browser

I have kind of a unique use case:

  1. Phones that are used to connect to the app might be shared
  2. Connections are very unstable (sometimes no connection for half a day)
  3. Data should be accessible through the interface only by an authenticated user
  4. The data should be accessible after the first login for each user
  5. Users are not really tech-savvy

PWAs use JavaScript and therefore have restricted possibilities for encryption.

My current setup is

  1. Angular app with PWA capabilities
  2. PouchDB with remote CouchDB sync for data

I feel like it is not a good idea to store user credentials on the device even if they are encrypted, especially when using JavaScript.

Is this even possible to achieve? And what kind of flow would you recommend? I thought about creating a unique (short, four-letter) token that the user has to remember when logging out. It is stored encrypted together with the username. This token in combination with the username can then be used to re-login as long as the application is offline. As soon as the app is online again the user is asked to log in with their real credentials. If this succeeds the token is deleted and a new one is created (and shown to the user) when the user logs out.

Best Answer

You are correct that storing the user's password on the device to authenticate against is not a good idea. When you say "encrypted" I'm going to assume you mean "hashed" for the password - if not then that's an entirely different conversation!

The reason for this is that if the hash is stored for offline authentication then the password can be brute-forced without a request hitting your server, meaning any brute-force protection you have is redundant.

The best thing to do with your requirements would be to have a PIN code to log in, like you suggested. You can encrypt the user's data with their username & PIN code, meaning only they (or someone brute-forcing the code) can decrypt it.

As for regenerating the PIN on every successful online "session" in the app: the scenario it protects against is if a malicious user gets the PIN code, logs in & views the data, gives the phone back, the real user logs in etc., and the malicious user somehow gets the phone again. The key point here is it needs a malicious user to have the unlocked phone multiple times to be of any value.

If this is a possible scenario then by all means do this. Just know that it severely impacts usability as the users WILL forget the key; it is inevitable. This will mean being unable to log in offline. If instead you use a user-generated key (like banking apps etc.) then this would solve the issue.
