BioAuth - Biometric 2-Factor Security with MongoDB - Dead Simple

MongoDB + BioAuth

QUICK OVERVIEW

BioAuth uses a combination of facial and vocal recognition to authenticate users quickly and seamlessly on all the web apps that they love.

Our goal is to focus on utilizing biometrics to not only make user authentication technically more secure, but also faster and seamless from a social and psychological perspective. A lot of malicious hacking is done through social flaws, and we want to address that by making a product that makes the client's experience as easy as possible without letting go of security. Users of BioAuth can login without touching a keypad, and without having to memorize a password.

Ever need to use your mom or dad's credit card?

We allow super-friendly sharing of links that utilizes long-polling techniques to fill out forms across networks.

Generate a BioAuth link.
Send it to your friend or parent!
Watch as you get auth'd into your service. (All securely)

Demo : Sharing

Sharing Demo

Demo : Failing

Failures

On entering a non-signed in website, we immediately draw up a small pop up window that utilizes the webcam. Immediately afterwards, we use the mic to validate users with this two factor authentication method under 5 seconds. This process is superbly fast and very comparable to the time it takes to type in one's password.

Two ways to use BioAuth

Use Case One

Alice logs into many accounts through her browser everyday, and has ended up using password managers such as LastPass and OnePass because she can no longer memorize all her passwords. She starts using BioAuth, and after a quick initial registration process, she now glances at her webcam and says a short phrase that appears on her screen to sign into all her accounts. No more having to worry about how many capitalized vs. numbers vs. special characters she had in a specific password.

Use Case Two

Alice's father, Bob, needs to take care of some bills but can't get to his credit card account as he is currently in a foreign country where many websites are blocked (actually happened to me - Kevin). Alice has the BioAuth extension on her browser and goes to log onto Bob's credit card account to help him pay the bills. She can't log in directly but can send Bob a link which will authenticate Bob through facial and voice recognition. Alice calls Bob and tells him she sent him an authentication link and after Bob is authenticated, she gains access to his account. Bob seamlessly managed to get his bills paid without having to change his password or disclose a password he uses for many of his other accounts.

MongoDB

MONGODB - DATABASE IMPLEMENTATION

With BioAuth, we had two main goals with respect to MongoDB:

Make sure I/O operations were as fast as possible
Keep footprint of app super small.

Thus we used the following MongoDB strategies to achieve super fast reads and writes:

First, we opted for MongoDB's WiredTiger storage engine over the default MMAP engine. This is because writes are 7x-10x faster on WiredTiger and WiredTiger stays small.
We then utilized the zlib block compressing algorithm in order to keep our footprint as small as possible. Zlib can keep 600MB of MMAPv1 data under 150MB with its compresion, thus achieving our goal of keeping the app small.
We indexed on collections that had frequent reads and writes from in order to maximize read/write speeds.
We utilized a range-based sharding approach on our collection for passwords on the central server in order to keep the process as fast as possible and scalable across many users.

Logo

SECURITY CONSIDERATIONS & ELABORATIONS

In order to gain a highly-secure platform we followed a couple main rules:

Unencrypted passwords shall never leave local computer.
All encryption occurs on the client's computer.
Salted & Hashed
Multi-factor Authentication!

TECHNICAL STACK & TECHNIQUES

Chrome Extension

WebSockets & Longpolling
ExpressJS
NodeJS (Packaged)
WebGL & THREE.js
WebRTC

SERVER SIDE

Microsoft Azure VM
Microsoft Azure Blob Storage
CentOS
CloudFlare
Pop.CO

APIs

MongoDB for Database
Microsoft's Project Oxford for Facial Recognition
VoiceIt for Voice Recognition
Microsoft Azure - Hosting
Microsoft Azure Containers & Blobs

HACKS & CHALLENGES

We had to utilize a ton of hacks to make this possible:

Chrome Extensions don't have access to local file system but we have to have a .wav file written in order to process for voice recognition.
Chrome Extensions cannot utilize a server -- we had to find a workaround that packaged the Node.JS features that we needed into one extension.
As a team we struggled with different skillsets and varying levels of fluency with Javascript. We worked through it together by implementing a Trello Board and evaluating strengths and weaknesses 10 hours into the hackathon. After that point, things started to really take off.

Built With

Submitted to

MHacks 6
- Winner Best Security Hack, Sponsored by Walmart
- Winner Best Use of MongoDB!
- Winner Best Team Collaboration on a Project, Sponsored by American Express

Created by

I built the MongoDB instances, set up the authentication server. Also worked on the voice recognition API.

Stephen Huh
R&B junkie
I wrote the chrome extension, along with writing the realtime-sync backend. I've also hooked up the Microsoft's Project Oxford facial recognition API.

Il Jae Lee
I spearheaded the creation of the remote bio-auth capability, and helped with the client facing interface.

Kevin Zen