I am in the process of developing a web API (ASP.NET) for a mobile app. The app wants to do authentication based on mobile number. My idea is:
- The user registers using his mobile number (An API will be called)
- On registration the user will be sent an OTP.
- Once the user confirms the OTP I will validate it with the server.
- If the OTP is correct I will send an HMAC key to the mobile user.
- This HMAC key will be specific to that user only.
- For accessing the web API the mobile app will generate a signature using the mobile number, the HMAC key and a timestamp.
Now, my concern is that there is a web-based Admin panel as well which uses the same web APIs; how would I do authentication for it? To use the Admin panel the user has a username and password. I am looking for a common authentication process. Please advise what the best way to keep authentication common would be, and whether my approach is correct.