🎓 Graduate Team Declaration: Daily Hackers is competing in the Graduate Track and is submitting for consideration in the Ticketmaster Sponsor Challenge: Secure the Queue.


Inspiration

In November 2022, Taylor Swift's Eras Tour presale became a national crisis. Over 3.5 billion system requests flooded Ticketmaster — the vast majority from bots. Millions of real fans waited hours in virtual queues only to be ejected empty-handed. Senate hearings followed. It dominated news cycles for weeks.

But beyond the headlines, we saw something specific: a systems design failure. The authentication layer wasn't adaptive enough to distinguish fans from bots under extreme load. Traditional CAPTCHAs take an average of 32 seconds to complete, exclude 26% of users with accessibility challenges, and sophisticated bots bypass them anyway. Security that punishes real fans while failing against bots isn't security — it's just friction.

We asked: what if the security layer became invisible to fans and impossible for bots? That question became SentinelQueue.


What it does

SentinelQueue is a privacy-first, AI-powered adaptive authentication engine that protects high-demand ticket onsales without punishing real fans. Instead of applying the same blunt CAPTCHA to every user, SentinelQueue continuously scores user behavior in real time and applies verification friction proportional to actual risk.

The system operates across four layers:

Layer 1 — Behavioral Risk Scoring

A lightweight client-side JavaScript module passively observes behavioral signals the moment a user enters the queue — mouse movement entropy, typing cadence, click interval distribution, page dwell time, and device fingerprint stability. These are aggregated into a Risk Score (0–100) using a gradient-boosted ensemble model (XGBoost + LSTM). All raw signal processing happens in the browser — only the derived score is ever transmitted. No raw behavioral data leaves the device.

Layer 2 — Adaptive Step-Up Authentication

The risk score drives a tiered, dynamic verification policy:

Risk Score   Tier            User Experience
0–29         ✅ Trusted       Zero friction — invisible pass-through
30–59        ⚠️ Monitor       Email/SMS OTP (~10 second completion)
60–79        🔶 Elevated      Accessible audio-based behavioral puzzle
80–100       🔴 High Risk     FIDO2 passkey + cryptographic device binding

Friction escalates or de-escalates within a single session as behavior changes — not locked in at entry.
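The following is an added illustration of Layers 1 and 2 together, not code from the SentinelQueue project. It derives three of the signals the page names (mouse movement entropy, click interval distribution, typing cadence, plus page dwell time) from constructed raw events, folds them into a 0–100 score, and maps the score onto the tier table. The hand-weighted scoring function is an assumed stand-in for the XGBoost + LSTM ensemble, chosen so the example runs offline; the tier boundaries and challenge types are the page's own. The last function re-scores each observation window separately, which is what lets friction move up or down within one session.

```python
import math
from collections import Counter

# Constructed sample telemetry as (t_ms, kind, x, y). In the real design raw
# events like these stay in the browser; they appear here only so the
# feature extraction has something to run on.
HUMAN_EVENTS = [
    (0, "move", 100, 100), (130, "move", 105, 102), (250, "move", 107, 107),
    (390, "move", 102, 109), (520, "move", 100, 104), (640, "move", 105, 106),
    (790, "move", 107, 111), (910, "move", 102, 113), (1050, "move", 100, 108),
    (1000, "click", 0, 0), (1300, "click", 0, 0), (2000, "click", 0, 0),
    (2450, "click", 0, 0), (3350, "click", 0, 0),
    (3500, "key", 0, 0), (3620, "key", 0, 0), (3870, "key", 0, 0),
    (3960, "key", 0, 0), (4270, "key", 0, 0), (4450, "key", 0, 0),
]
BOT_EVENTS = (
    [(10 * i, "move", 100 + 10 * i, 100) for i in range(9)]  # ruler-straight path
    + [(100 * i, "click", 0, 0) for i in range(1, 6)]        # timer-driven clicks
    + [(500 + 50 * i, "key", 0, 0) for i in range(6)]        # timer-driven keys
)


def mouse_entropy(events, bins=8):
    """Shannon entropy (bits) of the heading between successive cursor samples.
    A scripted cursor moves in straight segments, so its headings collapse
    into one or two bins; a hand on a mouse spreads across many."""
    pts = [(x, y) for _, kind, x, y in events if kind == "move"]
    headings = []
    for (x0, y0), (x1, y1) in zip(pts, pts[1:]):
        if (x0, y0) == (x1, y1):
            continue
        angle = math.atan2(y1 - y0, x1 - x0)  # -pi .. pi
        headings.append(int((angle + math.pi) / (2 * math.pi) * bins) % bins)
    if not headings:
        return 0.0
    n = len(headings)
    return -sum(c / n * math.log2(c / n) for c in Counter(headings).values())


def interval_cv(events, kind):
    """Coefficient of variation of the gaps between events of one kind.
    Human timing is jittery; a CV near zero means the input came from a timer."""
    ts = sorted(t for t, k, _, _ in events if k == kind)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return 0.0
    mean = sum(gaps) / len(gaps)
    var = sum((g - mean) ** 2 for g in gaps) / len(gaps)
    return math.sqrt(var) / mean if mean else 0.0


def dwell_ms(events):
    """Time between the first and last observed event on the page."""
    ts = [t for t, *_ in events]
    return max(ts) - min(ts) if ts else 0


def risk_score(events):
    """Assumed stand-in for the XGBoost + LSTM ensemble: hand-weighted
    deviations from human-like baselines, clamped to the page's 0-100 range."""
    score = 0.0
    score += max(0.0, 2.0 - mouse_entropy(events)) * 25           # low heading entropy
    score += max(0.0, 0.3 - interval_cv(events, "click")) * 100   # metronomic clicks
    score += max(0.0, 0.3 - interval_cv(events, "key")) * 100     # metronomic typing
    score += max(0.0, 2000 - dwell_ms(events)) / 2000 * 20         # left the page in < 2 s
    return int(max(0.0, min(100.0, score)))


# Tier boundaries and challenge types as given in the Layer 2 table.
TIERS = [
    (0, 29, "Trusted", None),
    (30, 59, "Monitor", "otp"),
    (60, 79, "Elevated", "audio_puzzle"),
    (80, 100, "High Risk", "fido2_passkey"),
]


def tier_for(score):
    """Map a 0-100 score to (tier name, challenge type); None means no friction."""
    for lo, hi, name, challenge in TIERS:
        if lo <= score <= hi:
            return name, challenge
    raise ValueError(f"score out of range: {score}")


def session_decisions(windows):
    """Re-score every observation window on its own, so friction can rise or
    fall mid-session instead of being fixed at queue entry."""
    return [tier_for(risk_score(window)) for window in windows]


if __name__ == "__main__":
    for label, events in (("human", HUMAN_EVENTS), ("bot", BOT_EVENTS)):
        print(label, risk_score(events), tier_for(risk_score(events)))
    print(session_decisions([HUMAN_EVENTS, BOT_EVENTS, HUMAN_EVENTS]))
```

Run as-is, the constructed human session scores 0 (Trusted, no challenge) and the scripted one scores 100 (High Risk, FIDO2 passkey); feeding the two windows back to back shows the tier dropping again once behavior looks human, which is the "not locked in at entry" property.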

Layer 3 — Fan Trust Score

An opt-in, privacy-preserving behavioral baseline built over multiple sessions with explicit user consent. Fans with 3+ verified sessions earn Trusted Fan status and enter a fast-track queue with reduced friction by default. Behavioral vectors are one-way hashed and protected with differential privacy (Gaussian noise injection) — the original signals cannot be reconstructed even if the data store is compromised. Users control their profile entirely through a privacy dashboard and can delete it permanently at any time.
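An added example of the write path described above, not the project's Fan Trust Service: each session vector is clipped to a fixed L2 norm (so one session's influence is bounded), Gaussian noise calibrated to an (ε, δ) budget is added before anything is written, and the row is keyed by an HMAC pseudonym derived from a key the fan holds. The privacy budget (ε = 1, δ = 1e-5), the clip bound and the feature layout are assumptions for the example; the "3+ verified sessions" threshold is the page's.

```python
import hashlib
import hmac
import math
import random

# Assumed privacy parameters for this example; the page does not state its budget.
EPSILON = 1.0
DELTA = 1e-5
CLIP_NORM = 1.0          # L2 bound on every behavioral vector -> global sensitivity
TRUSTED_SESSIONS = 3     # "3+ verified sessions" from the page


def gaussian_sigma(epsilon, delta, sensitivity):
    """Noise scale of the (epsilon, delta) Gaussian mechanism:
    sigma = sqrt(2 ln(1.25/delta)) * sensitivity / epsilon."""
    return math.sqrt(2.0 * math.log(1.25 / delta)) * sensitivity / epsilon


def clip(vec, bound):
    """Scale the vector down to L2 norm <= bound so one session's influence is bounded."""
    norm = math.sqrt(sum(v * v for v in vec))
    return list(vec) if norm <= bound else [v * bound / norm for v in vec]


def privatize(vec, rng=None):
    """Clip, then add calibrated Gaussian noise to each coordinate at write time."""
    rng = rng or random.SystemRandom()
    sigma = gaussian_sigma(EPSILON, DELTA, CLIP_NORM)
    return [v + rng.gauss(0.0, sigma) for v in clip(vec, CLIP_NORM)]


def pseudonym(user_key, fan_id):
    """Keyed one-way identifier. The fan holds user_key; without it the row
    cannot be linked back to the fan, and deleting the key orphans it."""
    return hmac.new(user_key, fan_id.encode(), hashlib.sha256).hexdigest()


class FanTrustStore:
    """In-memory stand-in for the Fan Trust Service's data store."""

    def __init__(self):
        self._rows = {}

    def record_session(self, user_key, fan_id, vec, rng=None):
        pid = pseudonym(user_key, fan_id)
        row = self._rows.setdefault(pid, {"sessions": 0, "baseline": [0.0] * len(vec)})
        noisy = privatize(vec, rng)          # the un-noised vec is never written
        n = row["sessions"] + 1
        row["baseline"] = [b + (x - b) / n for b, x in zip(row["baseline"], noisy)]
        row["sessions"] = n
        return pid

    def sessions(self, user_key, fan_id):
        row = self._rows.get(pseudonym(user_key, fan_id))
        return row["sessions"] if row else 0

    def is_trusted_fan(self, user_key, fan_id):
        return self.sessions(user_key, fan_id) >= TRUSTED_SESSIONS

    def delete(self, user_key, fan_id):
        """Privacy-dashboard delete: drop the row outright."""
        return self._rows.pop(pseudonym(user_key, fan_id), None) is not None


if __name__ == "__main__":
    store = FanTrustStore()
    key = b"fan-held-secret"   # constructed; a real key would be generated for the fan
    for _ in range(3):
        store.record_session(key, "fan-42", [0.4, 0.3, 0.5])
    print("trusted:", store.is_trusted_fan(key, "fan-42"))
    print("deleted:", store.delete(key, "fan-42"), store.is_trusted_fan(key, "fan-42"))
```

With these parameters the per-coordinate noise scale is about 4.8 on vectors of norm at most 1, so a leaked row is dominated by noise; the running mean over sessions is post-processing of already-noised releases and stays within the composed budget. A practitioner would track the cumulative ε spent per fan across sessions before tuning these values.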

Layer 4 — Explainability Engine

When step-up verification triggers, SentinelQueue surfaces a plain-language reason rather than a cryptic error:

"We noticed this device hasn't been used for ticket purchases before. A quick verification keeps your spot secure in the queue."

This transparency builds fan trust, reduces support load, and directly embodies Howard University's motto of Truth and Service — the theme of BisonHacks 2026.
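As an added example (not the project's Explainability Engine), the following shows the category-based template approach described above along with the leak guard a reviewer would ask for: per-feature risk contributions are aggregated into signal categories, the dominant category selects a template, and the rendered text is checked so that no internal feature name, weight or raw signal value reaches the fan. The feature names, category mapping and two of the three templates are assumptions; the "device hasn't been used" template is the page's own wording.

```python
import re

# Assumed mapping from internal model features to the only vocabulary the
# explanation may use: signal categories. Feature names are illustrative.
FEATURE_CATEGORY = {
    "mouse_entropy": "interaction pattern",
    "click_interval_cv": "interaction pattern",
    "key_cadence_cv": "interaction pattern",
    "device_fp_stability": "device history",
    "asn_reputation": "network activity",
    "session_rate": "network activity",
}

# One plain-language template per category. The first is the page's own wording.
TEMPLATES = {
    "device history": ("We noticed this device hasn't been used for ticket purchases "
                       "before. A quick verification keeps your spot secure in the queue."),
    "interaction pattern": ("The way this page was used looked unusual to us. "
                            "A quick verification keeps your spot secure in the queue."),
    "network activity": ("We noticed unusual network activity from your connection. "
                         "A quick verification keeps your spot secure in the queue."),
}


def top_categories(contributions, k=2, min_share=0.2):
    """Aggregate per-feature risk contributions (feature -> points) into
    categories and keep those carrying at least min_share of the total."""
    total = sum(c for c in contributions.values() if c > 0)
    if total <= 0:
        return []
    per_cat = {}
    for feature, c in contributions.items():
        cat = FEATURE_CATEGORY.get(feature)
        if cat and c > 0:
            per_cat[cat] = per_cat.get(cat, 0.0) + c
    ranked = sorted(per_cat.items(), key=lambda kv: kv[1], reverse=True)
    return [cat for cat, c in ranked if c / total >= min_share][:k]


def is_privacy_safe(text, contributions, raw_signals):
    """Leak guard: no internal feature name, contribution weight or raw
    signal value may appear in the text shown to the fan."""
    forbidden = list(contributions) + [str(v) for v in contributions.values()]
    forbidden += [str(v) for v in raw_signals.values()]
    if any(item and item in text for item in forbidden):
        return False
    return re.search(r"\d", text) is None   # templates carry no numbers at all


def explain(contributions, raw_signals):
    """Render the reason for a step-up, or None when nothing stands out."""
    cats = top_categories(contributions)
    if not cats:
        return None
    text = TEMPLATES[cats[0]]
    if not is_privacy_safe(text, contributions, raw_signals):
        raise ValueError("explanation would leak signal data")
    return text


if __name__ == "__main__":
    contribs = {"device_fp_stability": 40.0, "asn_reputation": 12.0, "mouse_entropy": 0.0}
    raw = {"device_fp_stability": 0.13, "asn_reputation": 0.42, "mouse_entropy": 2.1}
    print(top_categories(contribs))
    print(explain(contribs, raw))
```

The guard is deliberately run on the rendered string rather than on the template source, so a future template that interpolates a value would be caught at runtime instead of shipping.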


How we built it

SentinelQueue is designed as a stateless, horizontally scalable microservices architecture that integrates with existing ticketing platforms via a lightweight SDK — no modification of the core ticketing system required.

  • Client-Side SDK — Vanilla JS (~12KB gzipped) collects behavioral signals locally and runs the risk model in-browser. Only the computed score is transmitted.
  • Risk Engine — Python microservice running an XGBoost + LSTM ensemble, trained entirely on synthetic behavioral data (no real user data required). Targets >92% classification accuracy with <3% false positive rate on real fans.
  • Policy Engine — Configurable rule-based service mapping risk tiers to challenge types, supporting A/B testing of verification methods.
  • Fan Trust Service — Manages opt-in behavioral profiles. Vectors are hashed and differentially private before storage.
  • Auth Orchestrator — Coordinates OTP delivery, FIDO2 passkey assertion, and signed session token issuance.
  • Explainability Engine — NLP template system generating privacy-safe, human-readable verification reasons based on signal categories, never raw values.
  • Frontend — React + Tailwind CSS live demo dashboard showing the risk score updating in real time, bot vs. human mode toggle, and the step-up auth flow in action.

The scalability key: the most expensive operation — behavioral analysis — runs in the browser. Each user's device transmits a single integer to the backend rather than thousands of raw signals. Combined with stateless Kubernetes-deployed services, Kafka event-driven decoupling, and pre-loaded Fan Trust Scores at the edge 24 hours before high-demand onsales, SentinelQueue is architected to handle Eras-Tour-scale traffic without degrading the fan experience.
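One piece of the Auth Orchestrator worth seeing concretely is the "signed session token issuance" step, since it is what lets the ticketing platform act on the risk decision without trusting a bare integer from the browser. The following is an added example, not the project's orchestrator code: the token binds tier and challenge outcome to a session id with an HMAC-SHA256 signature and a short expiry, and the ticketing-side gate only admits Trusted sessions or sessions whose signed claims record a completed challenge. The token format, claim names and signing key are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed orchestrator-held signing key; the browser SDK never sees it.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(session_id, tier, challenge_passed, ttl_s=300, now=None, key=SIGNING_KEY):
    """Sign the orchestrator's decision for one queue session. The ticketing
    platform trusts this signature, never a bare score posted by the client."""
    now = int(time.time()) if now is None else now
    claims = {"sid": session_id, "tier": tier, "chal": bool(challenge_passed),
              "iat": now, "exp": now + ttl_s}
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token, session_id, now=None, key=SIGNING_KEY):
    """Return the claims when signature, session binding and expiry all hold, else None."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):   # constant-time compare
            return None
        claims = json.loads(_unb64(body))
    except ValueError:          # malformed split, base64 or JSON
        return None
    if not isinstance(claims, dict):
        return None
    if claims.get("sid") != session_id or claims.get("exp", 0) <= now:
        return None
    return claims


def may_enter_checkout(token, session_id, now=None):
    """Ticketing-side gate: Trusted passes through; every other tier must
    carry a completed challenge in the signed claims."""
    claims = verify_token(token, session_id, now)
    if claims is None:
        return False
    return claims["tier"] == "Trusted" or claims["chal"]


def tamper_tier(token, new_tier):
    """Test helper: rewrite the tier claim but keep the old signature, to show
    that the verifier rejects an edited body."""
    body, sig = token.split(".")
    claims = json.loads(_unb64(body))
    claims["tier"] = new_tier
    return _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()) + "." + sig


if __name__ == "__main__":
    tok = issue_token("sess-1", "Monitor", challenge_passed=True, now=1_000)
    print(verify_token(tok, "sess-1", now=1_100))
    print(may_enter_checkout(tamper_tier(tok, "Trusted"), "sess-1", now=1_100))  # False
```

Because the claims are signed server-side and carry the session id, a token cannot be replayed into another queue session or edited to a lower tier, and the five-minute expiry keeps the decision fresh relative to the in-session re-scoring described in Layer 2.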


Challenges we ran into

Adversarial robustness was the hardest ML problem. The most dangerous bots add noise to mimic human behavior — slightly erratic mouse paths, randomized click intervals. Distinguishing these from real humans required significant focus in our synthetic training data generation and model architecture.

Privacy vs. personalization required careful cryptographic design. Building a Fan Trust Score that meaningfully reduces friction without storing any identifying information meant combining one-way hashing, differential privacy, and user-controlled encryption keys — all while keeping the system practical to demo in 24 hours.

Accessibility-first verification was a non-negotiable constraint. Removing all visual CAPTCHA dependencies and ensuring every challenge is WCAG 2.1 AA compliant required rethinking what "verification" even means — moving toward behavioral and audio-based alternatives entirely.

Explainability without privacy leakage meant the explanation system had to reference signal categories (e.g., "unusual network activity") rather than raw signal values, while still being specific enough to be genuinely useful and trustworthy to fans.


Accomplishments that we're proud of

  • Built a live behavioral risk visualizer that updates in real time as a user interacts — judges can watch the score respond to human vs. bot input in real time
  • Designed a Fan Trust Score system with genuine differential privacy applied at write time — a feature no existing commercial ticketing auth system offers
  • Achieved an architecture where the core security computation runs entirely client-side, solving both the privacy problem and the scalability problem in a single design decision
  • Every verification challenge in the system is WCAG 2.1 AA compliant — accessibility was a design pillar, not an afterthought
  • The system is fully explainable: every verification trigger surfaces a plain-language reason, honoring the BisonHacks theme of Truth and Service in a concrete, functional way

What we learned

  • Client-side ML inference for security isn't just feasible — it's the right architectural choice when privacy and scalability are both non-negotiable constraints
  • Differential privacy can be applied practically in a prototype setting without sacrificing meaningful functionality
  • Designing for accessibility from the ground up produces a better product for all users — removing visual CAPTCHAs improved the experience for everyone, not just users with disabilities
  • Transparency in security systems is a retention and trust strategy with real business value, not just a UX nicety
  • Intentional, appropriate use of AI — gradient boosting for explainability and latency reasons rather than LLMs — is more defensible and more effective than bolting on AI for its own sake

What's next for Daily Hackers

  • Integrate with Ticketmaster's real-time event API for dynamic risk calibration based on live demand signals (queue depth, sale velocity, concurrent session spikes)
  • Expand Fan Trust Score to support cross-device trust linking with explicit user consent
  • Deploy the backend Risk Engine with live XGBoost inference and operator-configurable A/B testing of challenge types
  • Validate audio-based challenge design with real accessibility community partners
  • Explore federated learning to improve the behavioral model across events without centralizing any user data
