Wifi provisioning with Security level 2 - confused

cskilbeck · Postby **cskilbeck** » Mon Apr 22, 2024 6:48 pm

When using Security level 2, a QR code is used for provisioning via a mobile app. I'm confused about this comment in the wifi_prov_mgr sample.

Code: Select all

#if CONFIG_EXAMPLE_PROV_SEC2_DEV_MODE
    /* This pop field represents the password that will be used to generate salt and verifier.
     * The field is present here in order to generate the QR code containing password.
     * In production this password field shall not be stored on the device */
    const char *username = EXAMPLE_PROV_SEC2_USERNAME;
    const char *pop = EXAMPLE_PROV_SEC2_PWD;

In particular, the bit which says 'In production this password field shall not be stored on the device'. My question is:

Given that the QR code encodes the username and password in, effectively, plaintext (so it's not a secret), what's the problem with storing it on the device? If there's a sticker on the device with the QR code on it then the username and password are basically 'stored on the device' in a roundabout way already, right?

Or am I just misunderstanding something here?

liaifat85 · Postby **liaifat85** » Tue Apr 23, 2024 6:50 am

A more secure approach would involve securely transmitting the credentials during the provisioning process without storing them persistently on the device.

cskilbeck · Postby **cskilbeck** » Tue Apr 23, 2024 7:32 am

But the QR code is generated using those values...?

Wifi provisioning with Security level 2 - confused

Wifi provisioning with Security level 2 - confused

Re: Wifi provisioning with Security level 2 - confused

Re: Wifi provisioning with Security level 2 - confused

Who is online

About Us

Extra

Information