BioAuth - Biometric 2-Factor Security with MongoDB - Dead Simple
BioAuth uses a combination of facial and vocal recognition to authenticate users quickly and seamlessly on all the web apps that they love.
Our goal is to use biometrics not only to make user authentication technically more secure, but also faster and more seamless from a social and psychological perspective. A lot of malicious hacking exploits social weaknesses rather than technical ones, and we want to address that by making the client's experience as easy as possible without giving up security. Users of BioAuth can log in without touching a keypad and without having to memorize a password.
Ever need to use your mom or dad's credit card?
We allow super-friendly sharing of links that utilizes long-polling techniques to fill out forms across networks.
- Generate a BioAuth link.
- Send it to your friend or parent!
- Watch as you get auth'd into your service. (All securely)
Demo: Sharing
Demo: Failing
On entering a website the user is not signed in to, we immediately open a small pop-up window that uses the webcam. Right afterwards, we use the mic, so the user is validated with this two-factor method in under 5 seconds. The process is very fast and comparable to the time it takes to type in a password.
Two ways to use BioAuth
Use Case One
Alice logs into many accounts through her browser every day, and has ended up using password managers such as LastPass and OnePass because she can no longer memorize all her passwords. She starts using BioAuth, and after a quick initial registration process, she now glances at her webcam and says a short phrase that appears on her screen to sign into all her accounts. No more worrying about how many capital letters, digits and special characters a specific password needed.
Use Case Two
Alice's father, Bob, needs to take care of some bills but can't get to his credit card account as he is currently in a foreign country where many websites are blocked (actually happened to me - Kevin). Alice has the BioAuth extension on her browser and goes to log onto Bob's credit card account to help him pay the bills. She can't log in directly but can send Bob a link which will authenticate Bob through facial and voice recognition. Alice calls Bob and tells him she sent him an authentication link and after Bob is authenticated, she gains access to his account. Bob seamlessly managed to get his bills paid without having to change his password or disclose a password he uses for many of his other accounts.
MONGODB - DATABASE IMPLEMENTATION
With BioAuth, we had two main goals with respect to MongoDB:
- Make sure I/O operations were as fast as possible.
- Keep the app's footprint as small as possible.
Thus we used the following MongoDB strategies to achieve super fast reads and writes:
- First, we opted for MongoDB's WiredTiger storage engine over the default MMAPv1 engine, because writes are 7x-10x faster on WiredTiger and its on-disk footprint stays small.
- We then enabled WiredTiger's zlib block compression to keep our footprint as small as possible. Zlib can keep 600MB of MMAPv1 data under 150MB with its compression, which achieves our goal of keeping the app small.
- We added indexes to the collections with frequent reads and writes in order to maximize read/write speed.
- We used a range-based sharding approach on the password collection on the central server, to keep lookups fast and to scale across many users.
SECURITY CONSIDERATIONS & ELABORATIONS
In order to build a highly secure platform we followed a few main rules:
- Unencrypted passwords shall never leave the local computer.
- All encryption occurs on the client's computer.
- Passwords are salted and hashed.
- Multi-factor authentication!
TECHNICAL STACK & TECHNIQUES
- WebSockets & Longpolling
- NodeJS (Packaged)
- WebGL & THREE.js
- Microsoft Azure VM
- Microsoft Azure Blob Storage
- MongoDB for Database
- Microsoft's Project Oxford for Facial Recognition
- VoiceIt for Voice Recognition
- Microsoft Azure - Hosting
- Microsoft Azure Containers & Blobs
HACKS & CHALLENGES
We had to use a ton of hacks to make this possible:
- Chrome extensions don't have access to the local file system, but a .wav file has to be written before the voice recognition service can process it.
- Chrome extensions cannot run a server, so we had to find a workaround that packaged the Node.JS features we needed into a single extension.