Mutually-verified contacts as a security feature for messaging and social media
Most of us who have used Facebook have found ourselves seeing a friend request from someone who is already our Facebook Friend. This is a form of account compromise where someone creates a doppelganger of our account as a way to impersonate our online personality.
Such “clone” accounts of our online presence can be used to facilitate a “man-in-the-middle” attack, especially against an encrypted communication setup. The issue is becoming more real with state-sponsored cybercrime, where authoritarian states hack the computer and communications equipment of journalists, human-rights activists, or a democracy’s government officials and contractors.
In most implementations, the messaging or social-media platform generates a verification code for each contact in either a human-readable or a machine-readable form. The former is a series of letters and numbers, while the latter is a barcode or QR code that you scan with your computing device’s camera.
In many cases this code changes if the user installs the app on a new device or reinstalls it on the same device. The latter situation can occur if your phone is playing up and you have to reinstall all of your apps from scratch.
Users are encouraged to verify each other using this authentication code either in person or through another, preferably secure, means of communication. In-person verification may take place in the form of one user scanning the other user’s machine-readable code with their phone.
This allows each user of the platform to be sure they are communicating with the person they intend to reach and that nothing sits between the two parties of the conversation. It is similar to the classic contact-authentication approach of asking someone a question whose answer only you and the contact know, such as a shared fact or a private nickname.
The feature is part of Signal and is being baked into Apple iMessage as part of iOS/iPadOS 16.3 and macOS Ventura 13.1. But I see this as a feature that will become part of various instant-messaging, social-media and similar products as the market demands more secure conversation.
Zoom also implements this as part of its end-to-end encryption feature for videoconferences. Here, users can verify that they are in a secure videoconference by comparing a number sequence read out by the meeting host after they click on a “shield” icon that appears during an encrypted videoconference. The same idea could come into play with Signal and similar apps that are used for group conversations.
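To make the mechanism concrete, here is an added example (not code from this post, and not Signal’s, Apple’s or Zoom’s actual algorithm) of how a pairwise verification code and a group meeting code can be derived from each party’s long-term identity key. The identity keys are constructed stand-ins (random bytes), the user ids are made up, and the iterated-hash construction and the 60-digit layout are design assumptions chosen for illustration. It shows why both parties compute the same code, why the code changes when a device is reinstalled and a fresh key is generated, and why an interposed party causes the two displays to disagree.

```python
"""Illustrative pairwise and group verification codes (constructed example)."""
import hashlib
import hmac
import secrets


def new_identity_key() -> bytes:
    # Constructed stand-in for a long-term identity public key; a real app
    # would use the public key its end-to-end encryption actually rests on.
    return secrets.token_bytes(32)


def fingerprint(identity_key: bytes, user_id: str, iterations: int = 5200) -> bytes:
    """Iterated SHA-256 over one party's identity key, bound to their user id.

    Iterating only makes searching for a look-alike code slower; this exact
    construction is an assumption for the example, not any vendor's scheme.
    """
    digest = hashlib.sha256(user_id.encode() + identity_key).digest()
    for _ in range(iterations):
        digest = hashlib.sha256(digest + identity_key).digest()
    return digest


def to_digit_groups(digest: bytes) -> str:
    """Render a 32-byte digest as six 5-digit groups (30 digits): the
    human-readable form a user can read aloud or compare on screen."""
    groups = []
    for i in range(0, 30, 5):
        chunk = int.from_bytes(digest[i:i + 5], "big") % 100_000
        groups.append(f"{chunk:05d}")
    return " ".join(groups)


def safety_number(my_key: bytes, my_id: str, their_key: bytes, their_id: str) -> str:
    """Pairwise code for one conversation. Sorting the two halves makes both
    parties compute the identical 60-digit string, whichever side is 'me'."""
    halves = sorted([to_digit_groups(fingerprint(my_key, my_id)),
                     to_digit_groups(fingerprint(their_key, their_id))])
    return " ".join(halves)


def meeting_code(participants: dict) -> str:
    """Group variant: one code over every participant's identity key, which a
    host reads out so each attendee can compare it with their own display."""
    combined = hashlib.sha256()
    for user_id in sorted(participants):
        combined.update(fingerprint(participants[user_id], user_id))
    return to_digit_groups(combined.digest())


def codes_match(displayed: str, scanned: str) -> bool:
    """Compare the locally computed code with one scanned from a QR code or
    read out by the other party; spacing is ignored, comparison is constant-time."""
    a = displayed.replace(" ", "").encode()
    b = scanned.replace(" ", "").encode()
    return hmac.compare_digest(a, b)


def demo() -> dict:
    alice, bob, mallory = new_identity_key(), new_identity_key(), new_identity_key()

    # Honest case: both clients hold each other's real key, so the codes agree.
    alice_view = safety_number(alice, "alice", bob, "bob")
    bob_view = safety_number(bob, "bob", alice, "alice")

    # Interposed party: each client has been handed Mallory's key in place of
    # the real contact's, so the two displays no longer agree.
    alice_mitm = safety_number(alice, "alice", mallory, "bob")
    bob_mitm = safety_number(bob, "bob", mallory, "alice")

    # Reinstall: Bob's app generates a fresh key, so the code Alice stored
    # changes and a careful client prompts her to re-verify.
    bob_reinstalled = new_identity_key()
    after_reinstall = safety_number(alice, "alice", bob_reinstalled, "bob")

    return {
        "honest_match": codes_match(alice_view, bob_view),
        "mitm_match": codes_match(alice_mitm, bob_mitm),
        "reinstall_changed": not codes_match(alice_view, after_reinstall),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

Running the script prints `honest_match: True`, `mitm_match: False` and `reinstall_changed: True`. The design point is that the code is bound to the keys the two clients actually hold, so a substituted key shows up as a mismatch even though every message still appears encrypted to both sides; binding the user id into the fingerprint also stops one key from yielding the same code under two different identities.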
Primarily this feature is being pitched towards users who stand to lose a lot, including their lives, because they engage in “high-stakes” activities. Such users are government officials, public servants and military in democratic states, vendors who sell goods and services to government or military in these states, journalists and media workers in states that value a free press, along with human-rights activists and NGOs.
These users become highly vulnerable because they are of interest to authoritarian states and to the organisations or individuals that aid and abet those states. The same concern applies in countries that have undergone a significant amount of democratic backsliding or are considered socially unstable.
Personally, I see this as being important for everyday use so you can be sure that whoever you admit to your social-media or online messaging circle is whom you actually intend. It can help you avoid scams that rely on impersonating you or someone in your social circle, such as the “relative in distress” scam. It can also be seen as a way to be sure you are linking with the right person when you add someone new to your social-media list.
I would expect an increasing number of communications, social-media and similar platforms to acquire the “mutual contact verification” function as a security feature. This would be more so where the platform supports end-to-end encryption in any way, or where there is a reliance on some form of personal safety or business confidentiality.