I’m developing a web app for internal file sharing and one of the requirements is to have PIN code protected folders.
What I came up with for now is a folder-like structure with the following:
- Folder without PIN code entry – only an Open button, which forwards directly to the folder
- Folder with PIN code entry – a text field with a Verify button, which forwards only when the PIN is correct
What I’m not sure about is what the best practice would be in the case of the folder with a PIN code, in terms of PIN verification and forwarding the user to the folder. At the moment I have a web service to which I forward the PIN, folder ID and user ID, all in cleartext, and I wait for the service response, which can be either true or false.
I’m assuming that this isn’t best practice, as a smart but naughty user could loop through all the possible combinations of the PIN code and see which one gives him true as a response. I have to add that only authenticated users can access folders, so in the worst case I’d know which user the breach was made with.
What should I do to improve security and is there something I could do better?
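An added example (editor's illustration, not code from the question or from the asker's app) of the server-side shape a practitioner would usually reach for here: the service stores only a salted PBKDF2 digest of each folder's PIN, compares in constant time, counts failed guesses per (user, folder) pair and locks that pair out for a while after a few failures, and on success records a short-lived grant that the folder endpoint itself checks, so the decision to show the folder never rests on a true/false flag the client acts on. Every name (`PinService`, `verify`, `has_access`), the policy constants and the injectable clock are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Policy constants: assumed values for the example, tune them to your threat model.
PBKDF2_ITERATIONS = 100_000   # each guess costs the server a deliberate amount of hashing
MAX_ATTEMPTS = 5              # failed guesses allowed before a lockout
LOCKOUT_SECONDS = 15 * 60     # how long a (user, folder) pair stays locked
GRANT_SECONDS = 10 * 60       # how long a successful unlock stays valid server-side


def hash_pin(pin: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class _Attempts:
    failures: int = 0
    locked_until: float = 0.0


class PinService:
    """Hypothetical server-side PIN verifier for folder unlocks (example only)."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock                                          # injectable for tests
        self._folders: Dict[str, Tuple[bytes, bytes]] = {}           # folder_id -> (salt, digest)
        self._attempts: Dict[Tuple[str, str], _Attempts] = defaultdict(_Attempts)
        self._grants: Dict[Tuple[str, str], float] = {}              # (user, folder) -> expiry

    def set_pin(self, folder_id: str, pin: str) -> None:
        """Store only a salted digest of the PIN, never the PIN itself."""
        self._folders[folder_id] = hash_pin(pin)

    def verify(self, user_id: str, folder_id: str, pin: str) -> str:
        """Return 'ok', 'denied' or 'locked'. On 'ok' a time-limited grant is recorded."""
        key = (user_id, folder_id)
        now = self._clock()
        state = self._attempts[key]
        if now < state.locked_until:
            return "locked"              # do not even evaluate the PIN while locked

        record = self._folders.get(folder_id)
        if record is None:
            hash_pin(pin)                # burn a hash so timing does not reveal folder existence
            matched = False
        else:
            salt, expected = record
            _, actual = hash_pin(pin, salt)
            matched = hmac.compare_digest(actual, expected)   # constant-time comparison

        if matched:
            self._attempts.pop(key, None)
            self._grants[key] = now + GRANT_SECONDS
            return "ok"

        state.failures += 1
        if state.failures >= MAX_ATTEMPTS:
            state.failures = 0
            state.locked_until = now + LOCKOUT_SECONDS
        return "denied"

    def has_access(self, user_id: str, folder_id: str) -> bool:
        """The folder endpoint asks this instead of trusting a client-side redirect."""
        expiry = self._grants.get((user_id, folder_id))
        return expiry is not None and self._clock() < expiry
```

Two design notes: the lockout key is the (user, folder) pair rather than the whole account, so one naughty user cannot lock everybody else out of a folder, and the grant lives on the server, so the only thing the browser needs after a successful Verify is a redirect; the folder page re-checks `has_access` on every request. A pure lockout is still only one layer; logging the failed attempts against the user ID the question already has available is what lets you act on a brute-force attempt afterwards.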