Project - Glasswords
The general idea of the project was to use Google Glass to seamlessly authenticate a user by leveraging multi-factor authentication. Essentially, Glasswords lets users store encrypted passwords from web logins on the Glass device. When the user returns to the login page a QR code would appear, a push notification wakes up the Glass to take a picture and extract the id from the QR code and if it matched what the backend expected, would send the encrypted password to the clients browser for automatic login. This provides the user with hands-free login.
I created the Glasswords project during my summer internship at Toopher, Inc. in Austin Texas. Toopher created a great multi-factor authentication experience and were looking for related multi-factor authentication projects that used a new platform for demo purposes (for which we chose Google Glass).
As an aside about Toopher, The team there was an incredible bunch of people that gave me a great amount of freedom on this project and would simply require that I was "learning as much as I could".
** Source code for this project is private but I can supply read access to any interested parties per request.
How it Works
The system is divided into 3 parts: the chrome extension frontend that monitors pages for authentication potential and augments logins with a QR code, the Google Glass application running as the user wears the glasses, and the backend that mediates communication.
Glasswords supports 2 primary authentication features: Standard multi-factor authentication and OTP authentication. In order for Glasswords to work for either feature a user must first pair with a Google Glass device.
The user enters the admin panel and selects "Pair" and a randomly generated QR code displays.
The user opens the Glasswords Glass application and selects "Pair Device" while viewing the displayed QR code.
A picture is taken, processed, sent to the backend, and verified with the supplied QR code contents.
If there is a match in the pending pairing request, the device sends a secret key to the Glass device.
Glasswords is now paired with the Glass device.
The User navigates to a login page and the Glasswords Chrome Extension detects the login fields and annotates them with a Toopher logo indicating Glasswords is available.
The user can click in the upper right corner of her browser to indicate that she would like to save this password with Glasswords.
The user then fills in the form and clicks submit/login.
The encrypted login information is sent to the Glasswords backend followed by the Glass device where it is stored for later use.
The User navigates to a page for which login credentials have been previously saved.
The chrome extension automatically displays a randomly generated QR code and sends a wakeup notification to the Glass device that may not be active.
The Glass device opens the Glasswords app, takes a picture (assuming the user is looking at the QR code) and checks with the backend for a matching authentication code.
If there is a match, the encrypted login credentials are sent from the Glass device to the chrome extension and automatically entered into the form and submitted. Hands-free login!
- Python - AppEngine WebApp2 Framework, NDB models
- Java/Android - Signpost, Zbar
Since Toopher is a security company, appropriate encryption and OAuth signing of requests was a top priority. All requests across the chrome extension, backend, and Glass app are all OAuth signed. This use of OAuth might be considered 0-legged OAuth link since a third party is not consuming the credentials. This means that client id and secret are disseminated and all requests are required to be signed with these credentials. Signing requests in this way helps prevent replay attacks and allows for controlled access of various endpoints. It was interesting to work with the various OAuth libraries and see how they differed across technologies.
I hadn't programmed in Python in years and was a bit rusty working with dynamic languages in general. Learning Python styling and design conventions was a primary goal for this project as well as developing skills in testing dynamic languages as contrasted by static language testing. This project provided me with a new love for the Python language.
Working with the glass prototype device was a great experience that included some challenges. The most challenging aspect was preventing Glass from overheating (as it did often). This coupled with healthy teasing from co-workers on my appearance while wearing the device ;).
ZBar QR Scanning
Since the design for Glasswords included taking a hands-free picture of the users vision of their computer screen, it was crucial that we could process a QR code from a relatively wide field of view. Tweaking the ZBar library for QR processing was a challenging task since there was little documentation on doing so. Ultimately I found a balance of parameters along with some image pre-processing that allowed for extraction of a QR code contents from a larger image.