Authentication - LET MEEE INNNN

Here are some possibilities of authentication mechanisms that I could implement:

Password authentication

The venerable password authentication scheme. The only issue I see here is having control of the password: as the passwords will all be the same, once the password is compromised, all accounts will be compromised.

Device identification

We could generate a unique ID for each device that, once added to a connection whitelist, will grant unlimited future access.
I would have to somehow check that the device ID hasn’t been emulated.

One-time password

As an additional layer of security, we could implement a one-time password.
Probably not ideal, but it could also be used as the first level of security, without a password (probably a bad idea).

Some node libraries are available:

Authy is a company that offers 2FA OTP service.
They have these “Authy tokens” which are bound to your phone number.
Perhaps this would be useful to register the 2FA secrets of RAT hosts.

There are a few tutorials to set up 2FA OTP:


I’ll probably use the usual password + 2FA OTP mechanism for authentication.
Once the authentication is successful, I could use JSON Web Tokens for passing auth state.

On deciding which 2FA OTP library to use, I’m going to use otplib over speakeasy as it seems to still be under active development.