There are plenty of reasons, but I have decided to just focus on the top items.
- MAC addresses are not unique. They may be unique within a manufacturer’s production environment, but the address on a device can also be overwritten.
- Browsers don’t submit MAC addresses in their headers. Sorry, but this is just a fact.
- Only under certain network security layouts can you even come close to getting this to work, i.e., the IIS server is on the exact same domain as the IE browser.
- Even then, you have to go outside of the browser sandbox to get the MAC address.
- Just because you have a MAC address doesn’t mean you know who is using that box.
If you think about it, the same list is an argument against using IP addresses for security.
However, if you are trying to create a generic, unauthenticated public page for your users, I would consider a three-step approach to security.
- Have your network security, which uses MAC addresses, limit that box to a subset of your network.
- Assign a static IP to the client box, then have your unsecured web server, or the limited-exposure network card, limit its connections to that IP address.
- Register a certificate to that box’s browsers, and require the certificate to be present before serving the web page.
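
The server side of steps two and three can be sketched as follows. This is an added example, not code from the original post; the static IP `192.0.2.10`, the certificate common name `kiosk-01`, and the function names are assumptions chosen for illustration.

```python
import ipaddress
import ssl

# Assumed values for illustration: the client box's static IP and the
# common name on the certificate registered to its browser.
ALLOWED_CLIENT_IP = ipaddress.ip_address("192.0.2.10")
EXPECTED_CLIENT_CN = "kiosk-01"


def build_server_context(cert_file=None, key_file=None, client_ca_file=None):
    """TLS context whose handshake fails unless the client presents a certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # step 3: certificate must be present
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)  # the server's own identity
    if client_ca_file:
        # Only client certificates issued by this CA will verify.
        ctx.load_verify_locations(cafile=client_ca_file)
    return ctx


def subject_common_name(peer_cert):
    """Return the CN from the dict produced by SSLSocket.getpeercert()."""
    for rdn in peer_cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def is_authorized(peer_ip, peer_cert):
    """Step 2 (source IP) and step 3 (certificate identity) must both pass."""
    try:
        ip_ok = ipaddress.ip_address(peer_ip) == ALLOWED_CLIENT_IP
    except ValueError:
        return False  # malformed address: fail closed
    return (
        ip_ok
        and peer_cert is not None
        and subject_common_name(peer_cert) == EXPECTED_CLIENT_CN
    )
```

On an accepted connection, pass `conn.getpeername()[0]` and `conn.getpeercert()` to `is_authorized` before serving the page. The MAC address never appears here because it does not reach the web server; that filtering stays in the network layer from step one.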