(adsbygoogle = window.adsbygoogle || []).push({}); I no longer want to limit my users to one computer-per-user as it has created quite a headache over my customers constantly asking to have me reset their HWID when they get a new PC. I'm fully aware that this process can be easily automated, however I would rather switch to a system that doesn't require the customer to go through the same headache that I have put myself through.

The point of this thread is to hopefully gain some insight on what other authentication systems people have in place. I appreciate any and all suggestions.

Use hwid as a salt to the user credentials, and if you want take it a step further any request they make you can send a request and have the server send back a token. When the user makes another request, have the user use that token and upon recieving another response send back another token

While your suggestion doesn't resolve my issue of finding an alternative to hardware-id based authentication, I like your unique implementation of using a hardware-id as the salt for each user's hashed credentials. If I'm not able to find a suitable alternative to using their HWID, I will likely take your advice. Thanks

Actually salting their credentials with the hwid wouldnt work alone, because if they use a different computer then they are still in the same situation. What you can do is ask the use if they are logging in from a new location, and send a email to them with a temporary token. That way it saves you the headache of changing the hwid yourself.

One of the apps i've made would encrypt the users credentials upon request using AES ECB PADDING, and i use a public token that store on the phone (encrypted ofc) and on the server so that the server knows how to decrypt it. I also have different header fields that makes the system a bit more complex to crack at. Using tokens on my system also makes it more secure so it prevents another user from hijacking another user. I'll probably do a tutorial later in the week.

Hwid isn't so bad but it can be a bit faulty. But like i said before you can ask if the user is signing in from another device -> send email with temporary token -> and have them reset themselves.

Did Smithy provide all the info you wanted? If so let me know so I can close the thread for you :p

Yeah, you can close it.

Closed as requested.