Wifi provisioning with Security level 2 - confused

cskilbeck
Posts: 11
Joined: Tue Dec 10, 2019 10:40 pm

Wifi provisioning with Security level 2 - confused

Postby cskilbeck » Mon Apr 22, 2024 6:48 pm

When using Security level 2, a QR code is used for provisioning via a mobile app. I'm confused about this comment in the wifi_prov_mgr sample.

Code: Select all

#if CONFIG_EXAMPLE_PROV_SEC2_DEV_MODE
    /* This pop field represents the password that will be used to generate salt and verifier.
     * The field is present here in order to generate the QR code containing password.
     * In production this password field shall not be stored on the device */
    const char *username = EXAMPLE_PROV_SEC2_USERNAME;
    const char *pop = EXAMPLE_PROV_SEC2_PWD;
In particular, the bit which says 'In production this password field shall not be stored on the device'. My question is:

Given that the QR code encodes the username and password in, effectively, plaintext (so it's not a secret), what's the problem with storing it on the device? If there's a sticker on the device with the QR code on it then the username and password are basically 'stored on the device' in a roundabout way already, right?

Or am I just misunderstanding something here?

liaifat85
Posts: 200
Joined: Wed Dec 06, 2023 2:46 pm

Re: Wifi provisioning with Security level 2 - confused

Postby liaifat85 » Tue Apr 23, 2024 6:50 am

A more secure approach would involve securely transmitting the credentials during the provisioning process without storing them persistently on the device.

cskilbeck
Posts: 11
Joined: Tue Dec 10, 2019 10:40 pm

Re: Wifi provisioning with Security level 2 - confused

Postby cskilbeck » Tue Apr 23, 2024 7:32 am

But the QR code is generated using those values...?

Who is online

Users browsing this forum: Google [Bot] and 224 guests