PWA stored username and password in IndexDB - rest

I have 1 requirement of PWA to enable user to login offline. What Software Architect propose is create a GET REST API to disclose all the username and hash password. And if online, PWA will call the GET API and store all username and hash password in IndexDB. In order user able to login offline in future. Is it make sense to store username and hash password in IndexDB?
I personally feel inappropriate to store application username and password offline.

Related

How to get a unique key from firebase auth to use as a password alternative for data encryption

I created a password manager in flutter, which stores password encrypted passwords in an db. I access this db via the backend, which is written in python. As a user in the app, you are able to set a master password, which after each login is passed to the backend, to encrypt the data. I now want to add sign in with google functionality (firebase authentication), so that you don't need to type in your master password every time. Is it possible to receive something like a key or a token from firebase after each successful google-login which you can use instead of the master password?
I noticed already that there is this uid in the firebase user class (which i receive from FirebaseAuth.instance.signInWithCredencial(google_sign_in_credencial) in the google registration progress) which is unique for every user, but i dont think that this is secure enough to replace this sensitive master password. I also heard from JWT Authorization, but i am not sure, if it's the right thing for that.

How to make server know what data to send depending on fingerprint flutter?

I want to replace the login to the app from username and password to fingerprint in flutter, so the user when have successful fingerprint he will see his information in the application (this information send from server).
How I can manage that I want some thing to make this fingerprint connected with this user to get correct data from server ?.
I use local_auth for fingerprint authentication but I have no idea to tell server this fingerprint is associated for this user.
I read some thing like this to handle this:
when application installed for first time ask the user to enter (username and password) then save them is shared preference. (this page will appear only once).
after that show screen that ask the user to login using fingerprint if it exist or ask him to create one if not exist.
each time the user run the application only fingerprint is required if authenticated then get data from server by sending userId saved in shared preference to get data.
is there is any way better this way ?
Fingerprint is a User biometric data located in a secure place in the User phone. You cannot access these binary data. To send user data to your server, you must prompt them to manually enter their info. You can then protect their privacy in your app by protecting the app usage by Fingerprint or any other method you want

Verify Password in offline Xamarin Forms application

We have a Xamarin Forms application that works both connected and offline. The application connects to an API in our MVC Web application. This application uses Microsoft.AspNetCore.Authentication and the passwords are hashed in the User table. In connected mode, we call the API and get a jwt token back with no problems. For offline mode, we clone the user table in a local SQLite database. The question is, how do we verify the password against the local hashed password in offline mode when a user is logging in?
Thanks.
take user password and do hash and then compare those hash value
ref :
https://support.microsoft.com/en-in/help/307020/how-to-compute-and-compare-hash-values-by-using-visual-c

Storing passwords on server

I want to do the following
User signs up to IOS app and provides username and password
Make a server call and store password in server database
When user logs in in the future, retrieve that password and check against the password that the user entered.
How can I do this in the most secure way possible? I was thinking of encrypting the password when storing in the db. When the user logsin, use the same encryption algorithm and compare against the db encrypted password.
NEVER ever store user credentials in encrypted (reversible) form. Currently best known way for checking user credentials is slow salted hash
for what and why please read https://nakedsecurity.sophos.com/2013/11/20/serious-security-how-to-store-your-users-passwords-safely/
However, don’t try to invent your own algorithm for repeated hashing.
Choose one of these three well-known ones: PBKDF2, bcrypt or scrypt.
As already commented you may outsource the user authentication to some reliable service (google, fb, aws cognito, ibm appid,...)
Have you tried looking into databases? I know that Firebase has an authentication component of their database for ios development, and you might want to try to look into it or other databases. Check out firebase at: https://firebase.google.com/

How do you ensure that applications using your domain credentials for login don't store your password?

There are several applications that use your domain credentials for login. Eg: Custom Corporate apps. How do you ensure that such applications don't store your password?
The reason I am asking this is: If you are designing an app which does the same thing, how do you convince the user that your app can be trusted not to store the password?
If you really want the user to be sure your app is not keeping their password, don't use their password.
Microsoft Active Directory Domain Logon uses Kerberos. Kerberos is an SSO solution; an application may make use of a user's Kerberos credentials without requiring that the user enter their password a second time. The credentials obtained by the application may only be valid for as long as the user's Kerberos ticket - probably at most a week.
If you have a web application, it too may take part in the warm goodness via SPNEGO. You may have seen this in the form of Sharepoint sites that don't require a login if you are on the company domain.
If you have used standard AD-based Windows authentication they shouldn't have your password but they could certainly perform actions using your user context.
If you provide a username/password to login using standard Windows authentication then there is no way for you to be sure they haven't saved that.
If Windows auth issued login tokens that expired this might be a different story, but I do not believe that is how it works and certainly would still be useless with the second case.