Jump to content

Offline app with 2FA


Recommended Posts


First lets make one thing clear, if its offline and is a useful software, there ARE going to be cracked versions of it anyway no matter what you do. There are great many examples of crackers which can patch almost all versions of offline softwares. However some ways I can suggest you.

- Do not copy/reuse any code (especially authentication part) from other softwares, this will make you more vulnerable.
- Use custom seeders, so that your software cannot be easily reverse engineered.
- 2FA isn't going to help you for offline apps. So it is almost useless doing that.
- Plus and most importantly, try releasing free versions of your software with most features, only reserve some extraordinary features for the commercial version (make sure the free version is more protected and more structurally authenticated and looked after better). People tend to crack your software less when you already have most features in your free versions.

I'm gathering information of how to authenticate offline system. My first intentions was to implement 2FA usb key, but what I have gathered it seems that the best way to authenticate user is by hardware fingerprinting. But I want to know how 2FA usb key can be bypassed and why it's secure.

Link to comment
Share on other sites

Your original question was about licencing your software, 2FA is about authenticating users, they are two different things.

Anything you do that is purely client side can be cracked, whether it is a basic password, USB token, 2FA codes (which are just passwords if you think about it), anything. They are cracked either by modifying the software and disabling the check or by working out how codes are generated and creating a code generator. If your 2FA codes are just MD5 of the current timestamp then I can create an app to generate a code whenever I want to.

My suggestion for fingerprinting for licencing is just as vulnerable as a USB token except it requires one less USB port and can't get lost in a desk drawer or pinched by your kids to play with.

- Do not copy/reuse any code (especially authentication part) from other softwares, this will make you more vulnerable.

I'd disagree with this, find a project which is specifically written to do whatever you want and use that. No offence meant, but it doesn't sound like you are an expert in this area and so trying to roll your own authentication or licencing is probably going to end badly. It might not get hacked as no one might care, but the code probably won't be the best.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...