akcoder, your setup is very cool. Security is never too much.
At my company, we chose not to have authentication because we use the NBI in a very simple way. Instead, port 7557 is closed for everyone, so no one except the machine itself has full access to it. Then, I wrote a little daemon on the same machine that pulls “tasks” from our private API.
What is cool about our implementation is that even if someone hacks a privileged server, like our private API, they won’t have full control over all CPE devices, because they can only fire specific tasks and query specific parameters. And that’s a big part of it.
Not only does GenieACS not have authentication, it doesn’t have any kind of ACL either. So this is a very primitive way for us to limit not only WHO can make changes on CPEs but also WHAT KIND of changes they are allowed to make.
Always be paranoid when it comes to security.
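As an added illustration of the allowlisting daemon described in the post above (example code written for this page, not the poster's own daemon), the sketch below pulls jobs from a hypothetical private API, refuses any task name or TR-069 parameter path not on a fixed allowlist, and only then translates the job into a GenieACS NBI request to the local port 7557. The parameter paths, the `{"device", "name", "params"}` job shape, and the `NBI_URL`/`?connection_request` form of the NBI call are assumptions made for the example; the firewall rule that closes 7557 to everything but this host is outside the script.

```python
import json
import urllib.parse
import urllib.request

# Assumed: GenieACS NBI on this host, reachable only from localhost because
# port 7557 is firewalled for everyone else (as in the post).
NBI_URL = "http://127.0.0.1:7557"

# The ACL the post describes, expressed as an allowlist: which NBI task
# names the daemon will issue, and for each, which parameter paths it may
# touch. Anything not listed is refused. Paths are constructed examples.
ALLOWED_TASKS = {
    "getParameterValues": {
        "InternetGatewayDevice.DeviceInfo.SoftwareVersion",
        "InternetGatewayDevice.DeviceInfo.UpTime",
    },
    "setParameterValues": {
        "InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.SSID",
    },
    "reboot": set(),
}


def validate_task(task):
    """Return (ok, reason) for one job pulled from the private API.

    Expected (assumed) job shape:
      {"device": "<genieacs device id>", "name": "<nbi task>", "params": [...]}
    where params is a list of paths for getParameterValues and a list of
    [path, value] pairs for setParameterValues.
    """
    name = task.get("name")
    if name not in ALLOWED_TASKS:
        return False, f"task {name!r} not in allowlist"
    params = task.get("params", [])
    if not isinstance(params, list):
        return False, "params must be a list"
    if name == "getParameterValues":
        names = params
    elif name == "setParameterValues":
        if not all(isinstance(p, (list, tuple)) and len(p) == 2 for p in params):
            return False, "setParameterValues params must be [path, value] pairs"
        names = [p[0] for p in params]
    else:
        if params:
            return False, f"{name} takes no parameters"
        names = []
    bad = sorted(set(names) - ALLOWED_TASKS[name])
    if bad:
        return False, f"parameters not allowed for {name}: {bad}"
    return True, "ok"


def to_nbi_body(task):
    """Translate an already-validated job into the NBI task JSON body."""
    name = task["name"]
    body = {"name": name}
    if name == "getParameterValues":
        body["parameterNames"] = list(task["params"])
    elif name == "setParameterValues":
        body["parameterValues"] = [list(p) for p in task["params"]]
    return body


def send_to_nbi(device_id, body):
    """POST the task to the local NBI (assumed URL form; network I/O)."""
    url = f"{NBI_URL}/devices/{urllib.parse.quote(device_id, safe='')}/tasks?connection_request"
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"},
                                 method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def run_queue(tasks, send=False):
    """Validate every job; forward only the allowed ones. Returns an audit
    list of (device, ok, reason) so refusals can be logged and alerted on."""
    audit = []
    for task in tasks:
        ok, reason = validate_task(task)
        if ok and send:
            send_to_nbi(task["device"], to_nbi_body(task))
        audit.append((task.get("device"), ok, reason))
    return audit


# Constructed sample queue, as the private API might hand it to the daemon.
SAMPLE_QUEUE = [
    {"device": "000000-CPE-000001", "name": "getParameterValues",
     "params": ["InternetGatewayDevice.DeviceInfo.UpTime"]},
    {"device": "000000-CPE-000002", "name": "setParameterValues",
     "params": [["InternetGatewayDevice.ManagementServer.PeriodicInformInterval", "60"]]},
    {"device": "000000-CPE-000003", "name": "download", "params": []},
    {"device": "000000-CPE-000004", "name": "reboot", "params": []},
]

if __name__ == "__main__":
    # Dry run: validate only, do not touch the NBI.
    for line in run_queue(SAMPLE_QUEUE, send=False):
        print(line)
```

Run with `send=True` only on the ACS host itself; the point of the design is that a compromised private API can still only enqueue jobs this validator accepts, so every refusal in the audit list is worth logging as a signal that something upstream is trying to do more than it should.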