Originally posted by Robert
While your suggestion doesn't resolve my issue of finding an alternative to hardware-ID-based authentication, I like your unique implementation of using a hardware ID as the salt for each user's hashed credentials. If I'm not able to find a suitable alternative to using their HWID, I will likely take your advice. Thanks.
Actually, salting their credentials with the HWID wouldn't work alone, because if they use a different computer then they are still in the same situation. What you can do is ask the user if they are logging in from a new location, and send an email to them with a temporary token. That way it saves you the headache of changing the HWID yourself.
One of the apps I've made would encrypt the user's credentials upon request using AES ECB with padding, and I use a public token that is stored on the phone (encrypted, of course) and on the server so that the server knows how to decrypt it. I also have different header fields that make the system a bit more complex to crack. Using tokens on my system also makes it more secure, since it prevents one user from hijacking another. I'll probably do a tutorial later in the week.
HWID isn't so bad, but it can be a bit faulty. But like I said before, you can ask if the user is signing in from another device -> send an email with a temporary token -> and have them reset themselves.
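The new-device flow described in the reply above (known HWID logs in normally; unknown HWID gets a temporary emailed token that registers the device), as an added example that is not the poster's code or the code from their app. It assumes an in-memory dictionary as the user store, a 15-minute token lifetime, and PBKDF2 with a random per-user salt as the credential hash (a stand-in, not the poster's AES ECB scheme); the `login`/`confirm_device` names and the sample HWID strings are made up for the example. The token is single-use, bound to the HWID that requested it, and only its hash is stored server-side.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a temporary token is valid for 15 minutes

# Constructed in-memory "database" for the example: per-user password hash,
# set of known device ids, and at most one pending new-device token.
users = {}


def _hash_password(password, salt):
    # Random per-user salt rather than the HWID, so the same stored hash
    # still verifies when the user logs in from a different machine.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(username, password, hwid):
    salt = secrets.token_bytes(16)
    users[username] = {
        "salt": salt,
        "pw_hash": _hash_password(password, salt),
        "devices": {hwid},
        "pending": None,  # (sha256(token), hwid that asked, expiry timestamp)
    }


def login(username, password, hwid, now=None):
    """Returns ("ok", None), ("bad_credentials", None) or ("new_device", token).

    The returned token is what the app would e-mail to the user; the server
    keeps only its hash, so a database leak does not hand out usable tokens.
    """
    now = time.time() if now is None else now
    user = users.get(username)
    if user is None:
        return ("bad_credentials", None)
    candidate = _hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return ("bad_credentials", None)
    if hwid in user["devices"]:
        return ("ok", None)
    # Unknown device: issue a temporary token instead of rejecting outright.
    token = secrets.token_urlsafe(32)
    user["pending"] = (hashlib.sha256(token.encode()).digest(), hwid, now + TOKEN_TTL_SECONDS)
    return ("new_device", token)


def confirm_device(username, token, hwid, now=None):
    """Consumes the e-mailed token. Checks expiry, HWID binding and the token
    hash in constant time; on success the HWID becomes a known device."""
    now = time.time() if now is None else now
    user = users.get(username)
    if user is None or user["pending"] is None:
        return False
    token_hash, pending_hwid, expires_at = user["pending"]
    if now > expires_at:
        user["pending"] = None  # expired tokens are discarded, not retried
        return False
    if pending_hwid != hwid:
        return False  # token must be used from the device that triggered it
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), token_hash):
        return False
    user["pending"] = None  # single use
    user["devices"].add(hwid)
    return True


if __name__ == "__main__":
    register("robert", "correct horse battery staple", "HWID-A")
    print(login("robert", "correct horse battery staple", "HWID-A"))   # ('ok', None)
    status, token = login("robert", "correct horse battery staple", "HWID-B")
    print(status)                                                       # new_device
    print(confirm_device("robert", token, "HWID-B"))                    # True
    print(login("robert", "correct horse battery staple", "HWID-B"))   # ('ok', None)
```

Because the token is tied to the requesting HWID, an attacker who phishes the email link still cannot enrol their own machine with it, and because it expires and is consumed on first use, a stale link in a mailbox is not a standing credential.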