Wifi provisioning with Security level 2 - confused
Posted: Mon Apr 22, 2024 6:48 pm
When using Security level 2, a QR code is used for provisioning via a mobile app. I'm confused about this comment in the wifi_prov_mgr sample.
In particular, the bit which says 'In production this password field shall not be stored on the device'. My question is:
Given that the QR code encodes the username and password in, effectively, plaintext (so it's not a secret), what's the problem with storing it on the device? If there's a sticker on the device with the QR code on it then the username and password are basically 'stored on the device' in a roundabout way already, right?
Or am I just misunderstanding something here?
Code:
#if CONFIG_EXAMPLE_PROV_SEC2_DEV_MODE
/* This pop field represents the password that will be used to generate salt and verifier.
 * The field is present here in order to generate the QR code containing password.
 * In production this password field shall not be stored on the device */
const char *username = EXAMPLE_PROV_SEC2_USERNAME;
const char *pop = EXAMPLE_PROV_SEC2_PWD;