Friday, August 3, 2012

Talk at ToorCamp: Visual Authorization Goes Digital

I'm giving an Ignite talk at ToorCamp on Friday August 10th.


Abstract

Analog visual authorization is an extremely effective and widely used method for allowing access to resources. Many paper or physical systems work by visual inspection: transit tickets, driver's licenses, amusement park bracelets, event invitations, movie tickets, corporate ID badges, and paper money all generally operate by visual inspection.

Visually inspectable authorization is where an authority can visually and tactilely inspect a token and determine with acceptable confidence that its bearer is authorized to access a resource or perform some action. For example, a movie-goer (bearer) can use a ticket (token) by handing it to a movie theater employee (authority) in order to get access to a movie (resource).

Several attempts have been made to apply visual authorization to digital tokens through the use of smart phones. However, digitizing visual authorization introduces new vulnerabilities and the systems that we have examined are each vulnerable to new attacks that are much worse than the types of attacks that physical systems are vulnerable to.

I argue that these vulnerabilities are inherent to the digital medium and that they cannot be completely solved with current techniques. However, there are mitigations that developers can put in place to make forgery of tickets difficult enough to fall within an acceptable threshold.

In this talk, I will present the properties that a physical or digital visual authorization system should have to be secure, discuss the challenges to getting that security in a digital system, demonstrate those vulnerabilities in current visual authorization systems, and present a set of proposed solutions.
