Is using a flash drive as a base for security a safe thing to do?

No, your solution isn't safe; no, there is no ID associated with flash drives; and yes, there is a better way to do this.

There are several hardware crypto-token devices in the same form-factor as flash drives that you can use for this purpose.

The first that comes to mind is the YubiKey. This device is generally pretty easy to integrate into existing authentication frameworks, as well as building on popular standards such as OAUTH.

Devices in this category (including this one) generally have the following features:

  • tamper-resistant
  • non-copyable
  • able to utilize public-key crypto with an undisclosed private key
  • able to behave as a USB keyboard to interface with legacy applications (i.e. outputting a secure password)

I have not implemented a solution like this, so take it with a grain of salt, but what would happen if you SMS-texted a one-time password to the teacher when they log in for a pseudo-2-factor implementation?

This way, you aren't introducing new hardware (not even a USB stick), it's totally software-based, and makes sure that you can uniquely identify the user.

It could also mean that you don't have to leave your USB ports open ...


Requiring a flash drive in addition to a password could provide more security. Your method doesn't seem particularly sensible - flash drive with "salted hash" that is used for authentication. A student could find the flash drive (or software), reverse engineer it, modify the salted hash to work with a password they know on the flash drive. Or if you have the password on a remote server + the flash drive (and the application requires that the same password works for both), they could just take the salted password and just apply their GPU to try and brute force it, making it much easier than repeated login attempts on a remote server. Some teacher at some point will leave their flash drive out, and a student will steal it and copy it at some point.

A slightly better implementation of your idea would be to require public key-private key authentication, with the private key on the flash drive being encrypted with a strong passphrase.

Also from user experience perspective, having to have a flash drive may be very inconvenient (e.g., lose the drive, forget it in a computer, attach it to their keychain and leave their keychain in a computer, etc.).

Or you could just use two-factor authentication. Before each login, the teacher gets a text message to their cell phone with a one-time password, then types it in, and only then the teacher can type in their full password to fully log in. (This solution may get teacher resistance if they aren't familiar with text messaging or have an unlimited text messaging plan).

As an aside, I'd be very hesitant of allowing students to be able to access the computer and/or reboot it. The hard drive should be encrypted. (Data on an unencrypted drive can be easily stolen: say, booting into a Linux live CD/USB, or taking out the hard drive and mounting it as an external drive in their computer.) The teacher should be wary of students intercepting their passwords/passphrases by hardware keylogger (inserted between USB keyboard and computer).

Furthermore, I'd recommend some sanity checks that could be put into a teacher's tools. List last login time and actions of the teacher on every login (and have a very trackable audit log). Most of the time, grade books are write grades once and never change, or only changed the day the quiz/exam was handed back to students. Have all grading changes be clearly timestamped, version controlled and stand out (e.g., changes appear in bright red) so you can easily see if there is a pattern of students' grades increasing that the teacher doesn't recall. Have off-site backups. Maybe install webcams and snap a picture of the teacher on each login and have the photo next to the audit log and shown every time you attempt to type a password (so even if the webcam was blocked when a student found their way in, something appears odd when the photo is of a hand rather than a teacher).
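
The SMS one-time-password step suggested in two of the answers above, sketched from the server side as an added example (not code from any of the answers). The class name `OtpStore`, the six-digit length, the five-minute lifetime and the three-guess limit are assumptions, and SMS delivery itself is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 3       # assumption: wrong guesses allowed per issued code


class OtpStore:
    """In-memory server-side state for SMS one-time passwords."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._key = secrets.token_bytes(32)  # per-process key for the MACs
        self._pending = {}  # username -> [mac, expires_at, attempts_left]

    def _mac(self, username, code):
        # Keep a keyed MAC bound to the username instead of the code itself.
        msg = f"{username}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, username):
        """Create a 6-digit code; the caller passes it to the SMS gateway."""
        code = f"{secrets.randbelow(10**6):06d}"
        expires_at = self._clock() + OTP_TTL_SECONDS
        # Issuing again replaces any earlier code for this user.
        self._pending[username] = [self._mac(username, code), expires_at, MAX_ATTEMPTS]
        return code

    def verify(self, username, code):
        """True exactly once for the right code, False in every other case."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        mac, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[username]  # expired
            return False
        entry[2] -= 1
        if hmac.compare_digest(mac, self._mac(username, code)):
            del self._pending[username]  # single use
            return True
        if entry[2] <= 0:
            del self._pending[username]  # too many guesses: require a new code
        return False
```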