---
tags: VERI, tezos
title: Unattended verification of attendance
---

# Unattended verification of attendance

The goal is to exclude people not physically at the event from abusing the VERI systems to mint tokens for themselves. There are two ways to go about this:

- Active device at the event (guest presents QR code / NFC chip to kiosk) - similar to ArtBasel Miami
- Using time-sensitive codes displayed at a kiosk, to be scanned with the guest's phone / tablet

# Time-sensitive codes

We can leverage the existing TOTP (Time-based One Time Password) tooling in the field.

- Javascript tool for generating and verifying one-time passwords:
  - https://www.npmjs.com/package/otplib
- Architecture draft:
  - Have the kiosk and the verifying website set up with the same secret
  - Have the kiosk generate one-time passwords, and encode a QR code from the URI with the current one-time password in the query string, pointing to the verifying / minting site
    - (eg. https://veri.example.com/mint_sxsw_veri_token?otp=242354)
    - we might want to obfuscate it a little, maybe have the OTP in hex or something
  - Have the website validate the OTP and mint a VERI token for the caller if it's current
- Considerations
  - The otplib library allows full customization of the password period and of the range of older passwords that are still accepted.
  - This means we could even set the TOTP period to something obscenely short like 5 seconds, and still have people sign in at their own pace, by allowing say the last 12 valid OTPs (ie. a 1 minute window)
    - Note: the lower limit on the period depends on smartphone camera focus and on the user being able to navigate to the page in time
  - This way we don't need to keep transactional records of used / unused keys, as the time-based nature of TOTP gives us enough protection.
  - We can simply throttle token generation to the same speed as the TOTP period, which would lock out attempts to mint a bunch of tokens at once with the same QR code.