Introduction
The Password Protected Video feature allows you to restrict who can see (or indeed download) your Idomoo video files, preventing unauthorized viewers from accessing your content.
The concept is simple; once your video project is complete, you activate the optional password protection feature by supplying a password when generating a video using API or data file transfer (SFTP). When the client receives the video, they must enter the correct password in order to view the content. If the password is incorrect, the video does not play.
Subsequent incorrect password attempts can be used to lock the video for a ‘Time-Out’ duration defined by you, preventing a brute force hack.
Workflow of a Client Accessing a Password Protected Video
An example of needing to password protect a video is that of a car insurance company sending a quote to a customer. As this video would contain sensitive information, the Password Protection feature is used, via an API command or using a CSV file for use with SFTP.
In this example the client would receive an email with a link to the video containing the car insurance quote. When the client clicks on the link, they are taken to a landing page and instructed to enter a password. In this scenario, the password has been defined as the client’s vehicle registration, and the client is prompted to enter this with the message, “Enter your vehicle registration without spaces”.
Once the client entered the password correctly, the video opens displaying the insurance quote. If the client hits refresh on the browser after watching the video, or closes the browser tab, they are prompted again for the password
If the client enters the password incorrectly, they are not able to see any of the information contained in the video, safeguarding data from bad agents.
The number of wrong attempts can be restricted for a set period of time, which triggers a lock period, to prevent a brute force attack.
How to Generate Password Protected Videos
In the previous section, you read about the workflow as seen from the client's point of view. Let’s now explore the same example from the point of view of an Idomoo user generating a video that contains password protection.
The Storyboard containing the car insurance quote has been completed. In order to generate a video that is password protected, you first need to define a number of specific fields during the generation process. It doesn't matter if you generate the video using API or SFTP, the fields are the same.
You use the password field to define a password as the customer's vehicle registration. The message accompanying the video link is defined in the prompt field: “Enter your car registration without spaces”.
NOTE: Spaces and other characters included in the password field all count as part of the password. Make sure your passwords are correctly defined to avoid support calls.
If the correct password is entered, the video plays, if the wrong password is entered, a message, as defined in the wrong_password_message field, is shown. In this case, the example used is: “This is not the car registration we have stored in our records, please try again, and ensure no spaces are used!”
In the case of an incorrect password being entered, the number_of_attempts field can be used to restrict the amount of times a password can be wrongly entered. After the limit imposed in the number_of_attempts field is reached, the video is locked for the length of time defined by the lock_duration field. The number of attempts are measured within the time value set in the attempts_period field.
For example; if attempts_period is set to 1 hour and number_of_attempts is set to 3, and 3 wrong tries are detected inside this one hour time period, on the 4th try, the lock_message is displayed, for the lock_duration value. However, if 3 wrong attempts are made, with each being one hour apart, the client won't be locked out.
Generating Password Protected Videos Using API
The fields described above make it possible to define each part of the password protected video experience. This is accomplished on a video by video basis to enable you to pick different passwords for different customers, and also to choose whether or not to password protect some videos.
To password protect your video when generating videos using API, you must add the password fields in the request body of your API call. To do this, add an object named media_access_security to the root, and populate it with the required fields.
Below is an example API request body for the same car insurance quote scenario:
{ "storyboard_id": 1234, "media_access_security": { "password": "A123CAR", "prompt": "Enter your Car Registration without spaces", "wrong_password_message": "This is not the car registration we have stored in our records, please try again, and ensure no spaces are used!", "number_of_attempts": 3, "lock_duration": 10, "lock_message": "Please try again later", "attempts_period": 10 }, "output_config_id": 1234, "storage_id": 1234, "data": [ { "key": "name", "val": "Christopher" } ] }
Full details on all fields used by the password protection feature can be found in the `media_access_security` object field in the Storyboard API Request section of the Idomoo Academy.
Generating Password Protected Videos Using SFTP
If you want to use a CSV file to generate your videos via SFTP, you can include the relevant password data in your CSV file. You work with your project manager to define what the columns will be, but all options mentioned above are also available through CSV file upload.
For the viewer, the experience of entering a password generated via SFTP is the same as those videos generated via an API.
Details of how to use SFTP to generate videos can be found in this article on the Idomoo Academy.
ADA Compliance
The Password protection feature used by the Idomoo interface is ADA compliant. This allows Alt-Text and ARIA labeling to be added to text fields and buttons, which in turn allows screen readers to correctly read them.
Alternative Uses for Incorrect Password Entry
When a password is entered incorrectly, an error message is sent as an event by the Idomoo player and can be read by the landing page. Using this functionality the landing page can perform alternative actions, such as raising a pop-up that attempts to clarify what the password should be. Alternatively, the action can be to email the client in order to indicate that a possible unauthorized attempt has been made to view their video.