Can MAC Address be used to securely authenticate?

dwyl / learn-security

:closed_lock_with_key: For most technology projects Security is an "after thought", it does not have to be that way; let's be proactive!

67 stars 10 forks source link

Can MAC Address be used to securely authenticate? #48

Closed nelsonic closed 5 years ago

nelsonic commented 5 years ago

We are trying to think of a user-friendly way of authenticating a person on a network based on a device they have. Someone suggested using the MAC address of the device as a "unique identifier". https://en.wikipedia.org/wiki/MAC_address

They are meant to be unique. But does that mean they aren't spoofable?

Apparently not:

Change MAC on Android: https://www.droidviews.com/change-mac-address-android-devices/
Clone MAC: https://networkengineering.stackexchange.com/questions/19470/mac-address-cloning-why-and-when-is-it-required

cavemanr commented 5 years ago

I think the only secure way to authenticate an device is to use more than one identifier. Maybe you can use the MAC Address and port location or something else.

nelsonic commented 5 years ago

@cavemanr great point! We agree! Multi-factor auth is essential. the way we are thinking of doing it is:

register the MAC address of the mobile device on the network when the person joins.
require them to input a valid email address to use the network.
receive a One Time Password (OTP link) via email which when clicked will authenticate them.
Only TCP 25 and access to specific email service providers is allowed until they have authenticated; all other network access is blocked.
When they authenticate, they gain access to "the rest" of the internet. (or in our case physical access to the building ...)