I’m trying to use web services, managed through a Xojo web app created according to the Xojo Inc. guidelines (user guide, blog, examples, forum, etc.).
I’m authorizing the client access through a code in the header.
Since the client may be hacked, is it possible (and how) to improve access security using OTP or other methods?
I’m sure you could use a one-time password or whatever technique you want (perhaps an API Key?), but you’d have to implement it yourself. There are no “standards” for web security.
If you just use a code in the header, then you will need an SSL connection or a dedicated VPN for your app to stop man-in-the-middle attacks. But SSL is slow, and a dedicated VPN is extra setup and maintenance work. To avoid these overheads, you can use Xojo public/private key encryption to avoid transmitting the access token in the clear, yet without SSL or a dedicated VPN.