To clarify, this is not a "question post". I'm simply explaining the process i took to implement security into my software and am open to user input. This is also not self promotion.

As a rough overview, here's how the typical auth flow goes for my software:

1. User executes protected software

2. Software sends a GET request to my server with the user's hardware ID

3. The server checks if a hash of the HWID and IP is matched to a user object in the database

4. If it is, return the user object

5. If it's not, return a 401 to the software and the software opens the users default browser to a sign-in page with their HWID as part of the URL. The software also exits at this point.

6. The user signs in online and the server maps the HWID in the URL to the newly signed in user

7. The user can now run the software uninterrupted until his HWID or IP changes

Some key points:

• Every response that the server returns to the client is ECDSA encrypted with a private key, and is decrypted on the client side using a public key which is only decrypted in memory

• Every response has a timestamp check to prevent re-using responses. To make spoofing system time a little harder, i also cross check with NTP time.

• Only the initial request passes the HWID to the server. This is because the server returns a session key which gives API access for 24hrs on behalf of the authed client. This session key is locked to the IP of when it was first created.

All of the client side security is done through a Rust SDK which I keep open source. (linked)

Any encryption or obfuscation would be the responsibility of the software that uses my SDK.

Please let me know if there's any further client or server side security measures that i can take.