Inspiration

SayKey was born out of a vision to make secure authentication accessible and simple for everyone. The project began during the Bolt.ai Hackathon, where the team identified a need for a more intuitive and secure way to share access credentials. The core idea is to help users verify who they are actually talking to, providing a "2FA for humans" against deepfakes, voice cloning, and identity theft.

What it does

SayKey provides a secure platform for generating and synchronizing Time-based One-Time Passwords (TOTP) between trusted individuals. Users create and manage multiple authentication connections, each backed by its own shared secret key. Because both parties derive the code from the same secret and the current time, they see the same code, which changes every 30 seconds; someone who cannot produce the current code does not hold the secret. The secret therefore has to be exchanged over a channel both parties already trust. This gives a practical way to verify identity in personal and team communications.

How we built it

SayKey is built as a modern web application using:

Frontend: React with Vite for a fast development experience, styled with Tailwind CSS for a utility-first approach, and using Lucide React for icons. React Router DOM handles client-side navigation.
Backend & Database: Supabase serves as the backend, providing PostgreSQL for the database, Supabase Auth for user authentication and management, and Supabase Edge Functions for server-side logic, particularly for Stripe integration and account deletion.
Authentication Logic: TOTP codes are generated client-side. Secrets come from crypto.getRandomValues() (a CSPRNG), and codes are derived with HMAC-SHA1 following RFC 6238 (TOTP, built on the RFC 4226 HOTP construction).
Payment & Subscriptions: Stripe is integrated for managing subscription plans (Basic and Pro). Client-side interactions trigger Supabase Edge Functions to handle secure checkout sessions, subscription cancellations, and account deletion, so that sensitive operations are processed server-side.

Challenges we ran into

During development and a subsequent security audit, several challenges and vulnerabilities were identified:

Authentication Bypass in Account Deletion: The initial implementation of account deletion called an admin-only API from client-side code, where the privileged credential it needs cannot be protected; this was both a security risk and the cause of broken functionality.
Insecure Secret Generation: Although crypto.getRandomValues() was used, there were concerns that TOTP secrets carried too little entropy (RFC 4226 requires at least 128 bits and recommends 160), which could make them guessable.
Client-Side Subscription Management: Subscription status checks and plan enforcement were initially handled client-side, where a user can simply bypass them.
Missing Input Validation: Insufficient validation of user inputs, particularly connection secrets, could lead to application errors or security issues.
Insufficient Error Handling: Authentication functions surfaced raw or generic error messages, which could both disclose internal details and confuse users.
Missing Rate Limiting: With no rate limiting on API endpoints, the application was open to brute-force attacks and denial of service (DoS); a six-digit code has only one million possible values.
Insecure Session Management: The absence of explicit session timeouts or refresh token rotation extended the window in which a stolen session remains usable.
Missing CSRF Protection: The application lacked CSRF tokens and SameSite cookie attributes, leaving it susceptible to Cross-Site Request Forgery attacks.
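The rate-limiting gap above is the one most directly relevant to a six-digit code, so here is an added example (my own code, not SayKey's) of server-side attempt limiting in front of a code check. It assumes an in-memory store, a failure budget of five attempts per minute, and keying on the account or connection under attack; the names and the simulated attacker are hypothetical.

```javascript
// Added example (not SayKey's code): per-principal attempt limiting for a verification endpoint.
// Assumptions: in-memory state (a real deployment would use a shared store), my own names.
class AttemptLimiter {
  // After maxFailures failed attempts within windowMs, the key is refused until the window ends.
  constructor({ maxFailures = 5, windowMs = 60_000 } = {}) {
    this.maxFailures = maxFailures;
    this.windowMs = windowMs;
    this.state = new Map(); // key -> { failures, windowStart }
  }

  check(key, now) {
    const s = this.state.get(key);
    if (!s || now - s.windowStart >= this.windowMs) return { allowed: true, retryAfterMs: 0 };
    if (s.failures < this.maxFailures) return { allowed: true, retryAfterMs: 0 };
    return { allowed: false, retryAfterMs: s.windowStart + this.windowMs - now };
  }

  recordFailure(key, now) {
    const s = this.state.get(key);
    if (!s || now - s.windowStart >= this.windowMs) {
      this.state.set(key, { failures: 1, windowStart: now });
    } else {
      s.failures += 1;
    }
  }

  reset(key) {
    this.state.delete(key);
  }
}

// Wraps any code check. Key on the account/connection being attacked, not only the client IP:
// an attacker can rotate IPs, but the target has a single 10^6-value code space.
function verifyWithLimit(limiter, key, isValid, code, now) {
  const { allowed, retryAfterMs } = limiter.check(key, now);
  if (!allowed) return { ok: false, reason: 'rate_limited', retryAfterMs };
  if (isValid(code)) {
    limiter.reset(key);
    return { ok: true, reason: 'ok', retryAfterMs: 0 };
  }
  limiter.recordFailure(key, now);
  return { ok: false, reason: 'invalid_code', retryAfterMs: 0 };
}

// Simulated brute force within one time window: counts guesses until the target code is found
// or the limiter stops the attacker. Returns { found, attempts }.
function simulateBruteForce(limiter, key, target, now) {
  for (let guess = 0; guess < 1_000_000; guess++) {
    const code = String(guess).padStart(6, '0');
    const r = verifyWithLimit(limiter, key, c => c === target, code, now);
    if (r.ok) return { found: true, attempts: guess + 1 };
    if (r.reason === 'rate_limited') return { found: false, attempts: guess };
  }
  return { found: false, attempts: 1_000_000 };
}

// Constructed target code for the demonstration.
const TARGET = '482913';
console.log('unlimited:', simulateBruteForce(new AttemptLimiter({ maxFailures: Infinity }), 'acct', TARGET, 0));
console.log('limited  :', simulateBruteForce(new AttemptLimiter(), 'acct', TARGET, 0));
```

The unlimited run walks the code space and finds the code; the limited run is stopped after five wrong guesses. Because TOTP codes change every 30 seconds, the budget should be small enough that an attacker cannot cover a meaningful fraction of the space within one window, and a successful check should clear the counter so legitimate users are not locked out by their own earlier typos.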

Accomplishments that we're proud of

Successful Hackathon Project: SayKey was developed during the Bolt.ai Hackathon, demonstrating rapid prototyping and innovative problem-solving.
Core Secure Functionality: Successfully implemented secure TOTP generation and real-time synchronization, providing a unique solution for identity verification.
Robust Stripe Integration: Achieved proper implementation of Stripe webhooks, secure payment processing, and subscription management, handling sensitive financial operations effectively.
Comprehensive Security Measures: Implemented encryption in transit (TLS 1.3) and at rest (AES-256), strong password requirements, and adherence to industry standards like RFC 6238 for TOTP.
User-Centric Design: Developed an intuitive and easy-to-use interface for managing connections and generating codes, making complex security simple for users.
Compliance Focus: Demonstrated commitment to compliance standards like GDPR, SOC 2 Type II, and ISO 27001, ensuring data protection and privacy.

What we learned

The development and auditing process highlighted several key learnings:

The critical importance of server-side validation for all business logic, especially for sensitive operations like subscription enforcement and account deletion, to prevent client-side bypasses.
The necessity of implementing comprehensive security practices from the outset, including rate limiting, CSRF protection, and detailed but non-revealing error handling.
The value of regular security audits and continuous monitoring to identify and address vulnerabilities proactively.
Best practices for secure secret generation and management, emphasizing sufficient entropy and proper validation.
The significance of robust session management to mitigate risks associated with extended session exposure.

What's next for SayKey

Built With
