Should device IDs be kept private

Is there any problem with using particle device IDs as identifiers that could potentially be sent to other users, or would having a device’s ID (without other credentials) potentially allow access to unexpected device management features?

The answer is that it depends. As a general rule, we recommend keeping the device IDs private, just to be safe. But it’s not really a secret.

Having the Device ID by itself doesn’t grant you access to anything. However, because the device ID space is large (a 96-bit number), it’s not typically enumerable. You can’t just try every Device ID because there are too many of them. This makes any attack more difficult, because the more things you have to guess, the harder it is to guess.

But since all of the APIs are protected by an authorization token, not by the obscurity of the Device ID, there isn’t really anything that’s actually unsafe if Device IDs are not kept secret.

This topic was automatically closed 182 days after the last reply. New replies are no longer allowed.