Doing security checks

Word matching

Archived on 24/04/2019 🗄️

The same security words are displayed on two different mobile phones.

Reason for archiving

We’ve decided to archive this pattern because we can’t find an example of it being used in a service.

Description

In an end-to-end encrypted system, people can verify each other’s identity by saying a word generated by a cryptographic function. If the communication is compromised (through an impersonation attack, for example), the words won’t match.
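The check described above, as an added example that is not code from this pattern page or from Signal: each party derives its words from the session key it actually ended up with, so a relay that completes a separate key agreement with each party leaves the two sides holding different keys, and therefore (with overwhelming probability) different words. The Diffie-Hellman group (a Mersenne prime with generator 3) and the 32-word list are constructed assumptions for illustration; a deployed system would use a standard curve and a much longer word list.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, an assumption for illustration only (not secure):
# a real system would use X25519 or an RFC 3526 group.
P = 2**127 - 1
G = 3

# Constructed 32-word list: two words carry only 10 bits of check value.
# Deployed systems use far longer lists or more words.
WORDS = [
    "apple", "bridge", "candle", "dragon", "eagle", "forest", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "meadow", "needle", "orange", "pillow",
    "quartz", "river", "saddle", "tunnel", "umbrella", "violet", "walnut", "xenon",
    "yellow", "zebra", "anchor", "basket", "copper", "desert", "engine", "falcon",
]


def dh_public(private: int) -> int:
    return pow(G, private, P)


def dh_shared(private: int, peer_public: int) -> int:
    return pow(peer_public, private, P)


def security_words(shared_key: int, count: int = 2) -> list[str]:
    """Short authentication string: hash the session key, map 5-bit chunks to words."""
    digest = hashlib.sha256(shared_key.to_bytes(16, "big")).digest()
    bits = int.from_bytes(digest, "big")
    return [WORDS[(bits >> (5 * i)) & 31] for i in range(count)]


def exchange_keys(alice_priv: int, bob_priv: int, mitm_privs=None) -> tuple[int, int]:
    """Return the session key each side derives. With mitm_privs, an attacker
    relays the exchange and completes a separate agreement with each party."""
    alice_pub, bob_pub = dh_public(alice_priv), dh_public(bob_priv)
    if mitm_privs is None:
        return dh_shared(alice_priv, bob_pub), dh_shared(bob_priv, alice_pub)
    m_to_alice, m_to_bob = mitm_privs
    return (dh_shared(alice_priv, dh_public(m_to_alice)),
            dh_shared(bob_priv, dh_public(m_to_bob)))


if __name__ == "__main__":
    a, b = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    for label, keys in [("honest", exchange_keys(a, b)),
                        ("relayed", exchange_keys(a, b, (secrets.randbelow(P - 2) + 1,
                                                         secrets.randbelow(P - 2) + 1)))]:
        print(label, security_words(keys[0]), security_words(keys[1]))
```

In the honest run both phones show the same two words; in the relayed run the words displayed on each side come from unrelated keys, which is what the people on the call are expected to notice.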

Advantages

  • Users can quickly and easily identify if something is wrong with the end-to-end encryption
  • It’s a visible way of displaying security features, which may build confidence in situations where information is considered higher risk

Limitations

  • It might be difficult to explain what’s happening to users, which may have an impact on how effective it is as a signal
  • It requires users to manually check that the connection is secure every time, which may not be appropriate to the level of risk

Examples

  • Signal →

    A previous version of the Signal app displayed two words on each caller’s screen. This feature was removed in 2017.