I create authentication in the client-server application, and part of the feedback I received is that I have to leave a hash calculation for the server (it was originally implemented so that the client receives the hash, computes the hash from the client, the password is entered and compare them). This seems to make sense, but I still have a problem - how can I authenticate users who are offline ?
For example, if I deploy to a mobile device without Internet access, what is the safest way to authenticate?
As I see it, I need to allow the client to receive the hash + any information about the salt , OR to use a separate contact / password and allow the client to get the hash + salt for this password.
I would prefer the latter, because it seems to limit the attack vector - if the mobile device is compromised, then the security of the entire system (for example, all authenticated objects) remains unchanged.
What are my best options and considerations?
source
share