physical – Prove someone entered and exited a room at specific times without any biometric authentication

There is a room. There is a lot of incentive for people to enter this room. This room allows you to enter and exit whenever you want, but for each minute you stay in the room, you get a dollar. Problem is, it’s very hard to get to the room, which is located in the middle of nowhere, so not that many people want to go to the room (’cause effort), but they obviously all want the money.

If someone enters the room, you can force them to do some action in the room before they wait there, slowly accumulating their riches, and you can force them to do some action before they leave the room. Obviously, if you can force them to do some action, the most reasonable thing to do would be to verify said person’s identity before they enter and leave (since there can be more than one person in the room at a time).

The one catch is that, as the designer of the room, you’re not allowed to collect any biometric information about the person to verify their identity. For example, you cannot make them authenticate their presence there using a fingerprint or facial recognition. And since the room is not exactly located in a place where someone would want to live for very long, there is no person who can manually verify the identities of the people entering and exiting the room.

However, you can require the person to bring something like a membership card they swipe that contains nothing other than that person’s name (or something else that can identify them—maybe a number that identifies them in a database of people who might enter the room). The room has free Wi-Fi, so you could also force them to sign into “freemoneyroom.com” with OAuth.

Obviously, there are problems with those ideas. Let’s say you go with the membership card idea. Before someone comes to the room, they have to sign up for a membership card, which they will receive in the mail. Alice and Bob look for exploits. They realize there is a very simple one that will get all their friends a whole bunch of money. In a few days, Alice and Bob have a plethora of membership cards stacked up. When they make the trip to the room, they simply scan every single one of the membership cards when they enter, and after a few days of staying there, they scan every membership card when they leave, easily scoring some bucks for their friends. (There’s also the matter of the membership cards utilizing RFID, which means that the card would probably have to use some kind of encryption to keep the data on the card secure so Bob and Alice can’t just create hundreds of valid membership cards given they have the right data. We will assume that the Free Money Room Organization was smart enough to keep those cards secure.)

Seeing that their membership cards have utterly failed, the Free Money Room Organization tries to implement a different solution with a captive portal. This captive portal allows a user to log in using an OAuth2 provider they hope will deter users from just sharing passwords: their personal Google account. After first signing up with a Google account as a possible person who would come to the room, members will enter and must sign in with Google to get access to the free Wi-Fi (and also must sign in since otherwise they won’t get any money—same for a sign out). Sure enough, the Free Money Room Organization doesn’t have to give out as much money now, since Alice and Bob’s friends aren’t as willing to give them access to their Google account (there might be additional attack possibilities here like sharing OAuth tokens or whatever, but I don’t know too much about OAuth2 so I can’t say). Alice and Bob, however, after a bit of thinking, have a better idea. After signing into the captive portal, Alice and Bob note down the address that was used to sign in (as IIUC captive portals will redirect users to a specific location), and set up a VPN that their friends can join to access the login page.

Soon, the Free Money Room Organization is reeling from the amount of debt it has taken on by having to dole out so much money. They realize their experiment has failed because of how hackable their system is. They realize how good an idea biometric authentication would be, but in their jurisdiction, organizations and corporations are not allowed to collect any biometric information—only the government can.

How could the Free Money Room Organization have saved their free money room from sure doom?