API - Passkeys

Support Center > API Integration

Published 09/16/2020 at 4:32am UTC

Page viewed 26274 times


How can I implement Passkeys for an additional layer of security for non-registered users?


By default, non-registered SecureVideo session participants use a 9 digit numeric code to enter a SecureVideo session. This numeric code is unique to each participant, and is usable only while the session itself is active. If the wrong code is entered 20 times from a single IP address, then that IP address is blacklisted and can only be restored by contacting the SecureVideo support team. This means that, in order to guess a 9 digit numeric code within 20 tries, a hacker would have less than a 1 in 50 million chance:

 1 in 50 million calculation

1 in 50 million is approximately the same chance as a human with typical indoor/outdoor habits being struck by lightning over 100 times in a single year.

However, for organizations who use our Single Sign-On API (API - Login) and would like an even higher level of security, we have introduced Passkeys. When Passkeys are enabled on an API account, any 9 digit access code created through the API will also receive a 128 bit security key, which will be expressed as a 36 character RFC 4122 GUID, as in the following example:


(With the addition of the Passkey, the odds of authenticating to a SecureVideo session within 20 tries drop to around 1 in 17,000,000,000,000,000,000,000,000,000,000,000,000 (1.7 x 1037). Guessing this would be equivalent to getting struck by lightning in a trillion different parts of your body, a trillion times each day, for much longer than the age of the universe.)

Once released, Passkeys can be enabled on your SecureVideo API account through the menu item Options > Security. Once enabled, all 9 digit numeric codes for all Sessions created (or Participants added) using the SecureVideo API will have this 36 character Passkey returned along with the 9 digit Connect Code. Please see the Session JSON article to see what this will look like in the returned JSON.


When directing a non-registered user into their waiting room, you use the following format:



In this format:

123456789 = the 9 digit numeric code from the ConnectCode property
9943b942-064d-4fcf-98b4-fbf3859ccc9c = the passkey obtained from the Passkey property


It is important to note that in the current release, participants NOT added through the API will NOT receive a Passkey nor need one to gain access to the session. This is important, because while it is possible for your server to redirect your API-generated participant to a very long URI with a Passkey, if a session host uses the SecureVideo UI to to add a participant ad hoc with whom they need to communicate the 9 digit numeric code verbally, it would be nearly impossible for the third participant to successfully login using a verbally communicated 36 character Passkey. In future releases, we may add UI options to enable the requirement of Passkeys for participants who will receive their invite/reminder notifications through our system (which would provide them with a very long URI that they could click in from either an e-mail or text message.)


This article was last reviewed by our Support team on September 15, 2020.