Device Authentication Without Login

TL;DR

This guide shows how to allow a limited number of client devices to connect to your server without requiring usernames and passwords, using unique device identifiers. This is useful for trusted environments like home networks or small businesses where full login security isn’t essential but you still want control over access.

Solution Guide

  1. Choose a Device Identifier: You need a way to uniquely identify each client device. Common options include:
    • MAC Address: The hardware address of the network interface card (NIC). Relatively stable, but can be spoofed.
    • Hardware Serial Number: More difficult to change than MAC addresses, but requires more permissions to access on some operating systems.
    • UUID/GUID: Universally Unique Identifier generated by the device’s operating system. Good for software-based identification.

    For this example, we’ll assume you are using MAC addresses as they are relatively easy to obtain.

  2. Server-Side Database Setup: Create a database table to store allowed device identifiers. A simple table structure might look like this:
    CREATE TABLE allowed_devices (
      mac_address VARCHAR(255) PRIMARY KEY,
      device_name VARCHAR(255),
      last_seen TIMESTAMP DEFAULT CURRENT_TIMESTAMP
    );
  3. Device Registration Process: Implement a one-time registration process. This is the only time you’ll need user interaction.
    • The client device runs a small application or script that collects its MAC address (see Step 6 for examples).
    • This application sends the MAC address and a friendly device name to your server.
    • Your server validates this request (e.g., checks if the MAC address is already registered) and adds it to the allowed_devices table.
  4. Authentication Logic: Modify your server application to check for allowed devices on each connection attempt.
    • When a new client attempts to connect, retrieve its MAC address.
    • Query the allowed_devices table to see if that MAC address exists.
    • If the MAC address is found, allow the connection. If not, deny it.
  5. Security Considerations:
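    • MAC Address Spoofing: MAC addresses can be changed in software and are visible to other hosts on the same network segment, so a matching address does not prove which device is connecting. This method isn’t foolproof security.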
    • Database Security: Protect your allowed_devices database from unauthorized access.
    • Limited Scope: This approach is best suited for trusted networks where the risk of malicious actors is low.
  6. Example Code Snippets (Python):

    Getting MAC Address (Linux)

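    import subprocess

    def get_mac_address():
      """Return the MAC address of the first interface ifconfig lists, or None."""
      try:
        output = subprocess.check_output(['ifconfig'])
      except (subprocess.CalledProcessError, FileNotFoundError):
        # ifconfig exited with an error, or is not installed on this system
        return None
      for line in output.decode('utf-8').splitlines():
        fields = line.split()
        # Hardware addresses appear as "ether aa:bb:cc:dd:ee:ff ..."
        if len(fields) >= 2 and fields[0] == 'ether':
          return fields[1]
      # No interface with a hardware address was listed
      return None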

    Server-Side Authentication (Conceptual)

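    import sqlite3

    def authenticate_device(mac_address):
      """Return True only if mac_address is present in allowed_devices."""
      conn = sqlite3.connect('your_database.db')
      try:
        cursor = conn.cursor()
        # Parameterized query: the client-supplied value is never spliced into the SQL text
        cursor.execute('SELECT mac_address FROM allowed_devices WHERE mac_address = ?', (mac_address,))
        return cursor.fetchone() is not None
      finally:
        # Close the connection even if the query raises
        conn.close()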
  7. Regular Device Checks: Consider adding a mechanism to periodically check if devices are still active.
    • Update the last_seen timestamp in the database on each successful connection.
    • Implement a process to remove inactive devices from the table after a certain period (e.g., 30 days). This helps maintain a clean and accurate list of allowed devices.
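
The following is an added example, not code from the original guide. It ties steps 2, 3, 4 and 7 together against the allowed_devices table using SQLite. The helper names (normalize_mac, open_db, register_device, prune_inactive), the in-memory database and the MAC normalization rule are assumptions made for illustration.

```python
import re
import sqlite3
from datetime import datetime, timedelta, timezone

MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")

def normalize_mac(raw):
    """Assumed helper: lowercase, colon-separated MAC, or None if malformed."""
    mac = raw.strip().lower().replace("-", ":")
    return mac if MAC_RE.fullmatch(mac) else None

def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute("""CREATE TABLE IF NOT EXISTS allowed_devices (
        mac_address VARCHAR(255) PRIMARY KEY,
        device_name VARCHAR(255),
        last_seen TIMESTAMP DEFAULT CURRENT_TIMESTAMP)""")
    return conn

def register_device(conn, raw_mac, name):
    """Step 3: one-time registration; rejects malformed or duplicate MACs."""
    mac = normalize_mac(raw_mac)
    if mac is None:
        return False
    try:
        with conn:
            conn.execute("INSERT INTO allowed_devices (mac_address, device_name) "
                         "VALUES (?, ?)", (mac, name))
        return True
    except sqlite3.IntegrityError:  # primary key clash: already registered
        return False

def authenticate_device(conn, raw_mac):
    """Steps 4 and 7: allow only listed MACs, refreshing last_seen on success."""
    mac = normalize_mac(raw_mac)
    if mac is None:
        return False
    with conn:
        cur = conn.execute("UPDATE allowed_devices SET last_seen = CURRENT_TIMESTAMP "
                           "WHERE mac_address = ?", (mac,))
    return cur.rowcount == 1

def prune_inactive(conn, max_age_days=30, now=None):
    """Step 7: delete devices not seen for max_age_days (UTC text comparison)."""
    cutoff = (now or datetime.now(timezone.utc)) - timedelta(days=max_age_days)
    with conn:
        cur = conn.execute("DELETE FROM allowed_devices WHERE last_seen < ?",
                           (cutoff.strftime("%Y-%m-%d %H:%M:%S"),))
    return cur.rowcount
```

Normalizing before both the insert and the lookup means a device registered as AA-BB-CC-DD-EE-01 is not silently denied, or registered twice, when it later reports aa:bb:cc:dd:ee:01.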