Using WebRTC for Authentication
Your computer is watching.
Chris Koehncke
Building a talking head video chat app with WebRTC is a high school class project. WebRTC has made it that easy. But interesting, it is not.
Video does have great applications, but they are more than a morning's work. Think about any time someone said "you have to show up in person" to do something. It's perhaps not a daily event, but it's often annoying. Annoying usually means dollars.
Healthcare is a key focus for WebRTC. Not all medical interactions require probing you, whether it's a middle-of-the-night call to a pediatrician about a sick child or a therapy session with a specialist halfway around the world. All are solid applications.
You need something notarized? You have to sign in person. Off you roam searching for a notary. You need to sign a contract or document with a witness? You have to sign in person. God forbid you need a signature guarantee for a financial instrument. Why do you have to go to the driver's license bureau to have your license renewed?
Germany's large DKB Bank has approved the use of WebID to open a bank account. Dialog International Consulting is leading the project. A bank's first priority is security, so allowing video authentication is a major move. DKB Bank uses a WebRTC video session to confirm your identity. It's only for opening a bank account and it still requires a human at the other end to verify, but it's a start.
In July 2013, the State of Virginia legalized the notion of an e-notary. This allows you to have a document virtually notarized from anywhere. Due to the way notary laws work in the US, acceptance by Virginia meant the other 49 states had to recognize it as legal.
This has resulted in an entire group of online companies brokering WebRTC connections between you and a notary, including notarize.com and notarycam.com.
I'm tired of all the SMS messages with unique 6-digit codes I have to enter for many websites (many for no apparent reason other than to annoy me), or carrying around an RSA ID and trying to type in the number before it changes. This process is called 2-factor authentication (2FA) and is based on the simple security of something you know (your password) and something you have (your phone). It's become an entire industry.
Both passwords and 2FA annoy me. I can't keep up with my passwords, and developers have some sort of sadistic bent about how complex my passwords need to be. Fumbling with my mobile phone and hoping to get a text message doesn't have me using the word elegant. I have an RSA ID (both real and virtual) and it's like looking at a stock market ticker with the numbers constantly changing. This is not the future, this is the past.
God forbid you forget your password. When trying to reset my Skype password, Microsoft needed to know what year I created my Skype account. That's a memory I try to keep fresh. How silly and frankly — stupid. But fraudulent activities are everywhere.
The best is United Airlines. The frequent flyer account requires me to have security answers such as "what is my favorite musical instrument?" or "what is your favorite pizza topping?". For a frequent flyer account? We humans tend to be lazy, and the more security there is, the more we attempt to get around it with password keepers and generic answers (I answer the same to all security questions regardless of the actual question).
Remember the old CAPTCHA boxes, and how annoying they were? Requiring me to think is always annoying. Google thought this was silly too, and reCAPTCHA was born. Click a box with your mouse; there, let the computer figure out if you're a human.
What Google did was take something complex and make it simple. The same thing needs to happen with authentication.
Imagine a WebRTC video photo taken when you want to authenticate yourself on a website. The WebRTC piece is important but it's child's play: capture the photo and securely send it back home.
The real work is back in the data center: how to process the image and assign a confidence factor that it is in fact Chris Kranky, despite the dim lighting in some far-off hotel room. This is AI, and big surprise, Google is working on this (perhaps accidentally) with their neural network project PlaNet. The project currently tries to identify the geotag location of a photo, but it's not hard to see how this might work for personal identification.
Microsoft is also hard at work with Project Oxford (check out their face verification). IBM Bluemix with Watson is chasing this as well.
Identification, though, is about having a gold master image to start with as a reference. Here again, WebRTC steps in. Take a WebRTC shot of your driver's license or passport and start-up confirm.io will tell you how valid it is via a simple REST API call. Security is never absolute; it's about assigning a confidence factor.
But it’s not solely about video.
Your voice can also authenticate you. The biggest mutual fund in the US, Vanguard, now allows you to authenticate using a series of voice words as a trigger. While the initial service is PSTN based, it’s a short step to a WebRTC audio session.
If a financial institution can use WebRTC for my most important of security concerns, Domino’s Pizza can back down a bit in their requirements.
Citigroup is testing ATMs that don't require you to use an ATM card but instead use a retinal scan. Obviously, they've never seen the state of an ATM in San Francisco (I'm scared to touch them, much less put my eye on something). But OK. Chase is also testing an ATM which authorizes using a mobile app PIN code (2FA to a whole new level). A nice thought, but what if my mobile phone is dead? The financials could embed a WebRTC-powered webcam into an ATM to authorize the transaction. Hope I'm not having a bad hair day.
Biometrics are interesting, but users don't like them. Who wants to use a retina scanner? Who even has a fingerprint reader? Can I scan my fingerprint correctly? Touch ID on the new iPhone works well for the moment, but is this what users really want? Whereas saying a voice phrase or just looking stupid at a webcam, well, I can do that.
In short, the back office computing power is here to enable us to authenticate ourselves to appease the most stringent of legal and financial industry concerns. All without a need for passwords, hunting on my mobile for some Morse code SMS or trying to remember the name of my first dog. BTW I never had a dog so I always use Fluffy. WebRTC is a small but critical link in this security chain, and a necessary one.