Incidental Incremental In-Band Fingerprint Verification: a Novel Authentication Ceremony for End-to-End Encrypted Messaging

Abstract

End-to-end encryption in popular messaging applications relies on centralized key servers. To keep these honest, users are supposed to meet in person and compare “fingerprints” of their public keys. Very few people do this, despite attempts to make this process more usable, making trust in the systems tenuous. To encourage broader adoption of verification behaviors, this paper proposes a new type of authentication ceremony, incidental incremental in-band fingerprint verification (I3FV), in which users periodically share with their friends photos or videos of themselves responding to simple visual or behavioral prompts (“challenges”). This strategy allows verification to be performed incidentally to normal user activities, incrementally over time, and in-band within the messaging application. By replacing a dedicated security task with a fun, already-widespread activity, I3FV has the potential to vastly increase the number of people verifying keys and therefore strengthen trust in encrypted messaging.