What is a good approach for credential checks for a Windows Mobile app, knowing that it is an occasionally connected device?
Should I keep the user credentials in the local database? If the credentials don't exist in the DB, try to see if it has internet access and do the check through a web service?
If both fail, then display an error message?
If login is successful, then store the credentials in the local database store, then upon the next login go against the database first?
Is this a good approach?
I have a similar situation in mobile software we use; we use the following approach:

1. It will store the last used username and a hash of the password locally.
2. password and compare it with the local one. If they match, the user is logged in without the need of an internet connection. If it fails the user gets two more attempts, at which point the software asks to verify the credentials through the master server.
3. an internet connection to verify. And if it succeeds, it will follow step one again.
Obviously, you need to be aware of the fact that this approach is vulnerable to a brute force attack. There is no way you can prevent a hacker from doing a lot of attempts. You can only try to slow them down (using a slow hashing algorithm and other nags). If you are really worried about such attacks, using a connected login verification method is your only way to go.
There are other things to consider, by the way. Is the device connected frequently or really infrequently? Do a lot of different users log in on the device while a connection is not available? Answers to such questions could lead you to a single login implementation.
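The scheme described in this answer (salted slow hash cached locally, offline comparison, two more tries, then a forced check against the master server that refreshes the cache), as an added example that is not the answerer's code. The iteration count, the attempt limit of three, the outcome strings and the `verify_online` callback are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Hypothetical parameters: the answer only says "a slow hashing algorithm" and "two more attempts".
PBKDF2_ITERATIONS = 600_000
MAX_OFFLINE_ATTEMPTS = 3  # one failure plus two more before the master server must be asked

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a copied local store cannot be brute-forced cheaply
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

class OfflineLogin:
    def __init__(self, verify_online: Callable[[str, str], Optional[bool]]):
        # verify_online returns True/False from the master server, or None when there is no connection
        self.verify_online = verify_online
        self.cached = None  # (username, salt, hash) of the last successful online login
        self.failed_attempts = 0

    def login(self, username: str, password: str) -> str:
        # Returns "offline", "online", "bad_credentials" or "no_connection"
        if self.cached and self.cached[0] == username and self.failed_attempts < MAX_OFFLINE_ATTEMPTS:
            _, salt, cached_hash = self.cached
            if hmac.compare_digest(hash_password(password, salt), cached_hash):
                self.failed_attempts = 0
                return "offline"
            self.failed_attempts += 1
            if self.failed_attempts < MAX_OFFLINE_ATTEMPTS:
                return "bad_credentials"
        # Nothing cached, another user, or offline attempts exhausted: verify with the master server
        result = self.verify_online(username, password)
        if result is None:
            return "no_connection"
        if not result:
            return "bad_credentials"
        salt = os.urandom(16)
        self.cached = (username, salt, hash_password(password, salt))  # step one again
        self.failed_attempts = 0
        return "online"

def demo() -> list:
    # Constructed scenario: online login, offline reuse, then three failures force a server check
    directory, connected = {"alice": "correct horse"}, [True]
    app = OfflineLogin(lambda u, p: (directory.get(u) == p) if connected[0] else None)
    out = [app.login("alice", "correct horse")]
    connected[0] = False
    out.append(app.login("alice", "correct horse"))
    out += [app.login("alice", "wrong") for _ in range(3)]
    return out
```

Once the offline attempts are exhausted the device cannot authenticate anyone until it can reach the server, which is the trade-off the answer describes.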