Researchers Devise 2FA System That Relies on Taking Photos of Ordinary Objects

LASER_oneXM

Scientists from Florida International University and Bloomberg have created a custom two-factor authentication (2FA) system that relies on users taking a photo of a personal object.

The act of taking the photo comes to replace the cumbersome process of using crypto-based hardware security keys (e.g., YubiKey devices) or entering verification codes received via SMS or voice call.

The new system is named Pixie, and researchers argue it is more secure than the aforementioned solutions.

Pixie lets users authenticate with a photo of a favorite object
Pixie works by requiring users to choose an object as their 2FA key. When they set up the Pixie 2FA protection, they take an initial photo of the object that will be used for reference. Every time users try to log into their account again, they re-take a photo of the same object, and an app installed on their phone compares the two photos.

Pixie has a false accept rate of only 0.09%
In automated tests, Pixie achieved a false accept rate below 0.09% in a brute force attack with 14.3 million authentication attempts — nine wrong identifications every 10,000 login attempts.

Furthermore, in a test with 42 participants that took place over eight days in three different sessions, researchers say that "Pixie outperforms text-based passwords on memorability, speed, and user preference."

Pixie app available
Researchers are still working on the Pixie system, but you can get the app from this GitHub repository and test it out.


The research team presented the Pixie 2FA system at this month's Association for Computing Machinery on Interactive, Mobile, Wearable and Ubiquitous Technologies.

A scientific paper describing their system is available here, and is entitled "Camera Based Two Factor Authentication Through Mobile and Wearable Devices."
 

Itachi Sempai

What benefits does this system have? When you go somewhere you need to take that object with you and take a picture if you want to log in? What if someone else takes a picture of that object? You need to hide the object while not using it? In that case a safe will be needed, because another person can take 100 pictures and use them 100 times to log in... Also, the system should archive every photo so that an old picture is not going to be reused, right? And when I try to log in it will start to scan all previous 1345 photos and compare them to the newest one? What if someone gets an old photo and modifies it in Photoshop like it's a different photo? In that case further analysis will be needed to tell if the picture is modified or if it's a genuinely new one.
 

gorblimey

when you go somewhere you need to take that object with you and take a picture if you want to login
Actually that's the point. It's not difficult, as we all carry something we can use.

what if someone else takes a picture of that object?
It's your personal item. When did a threat actor last get that intimate with your property?

you need to hide the object while not using it? in that case a safe will be needed because another person can take 100 pictures and use them 100 times to log in...
How many of your "objects" are on public display?

also the system should archive every photo so that old picture is not going to be reused right?
It's called date-stamping, every photo has Exif meta-data in it.

what if someone gets old photo and modifies it in a photoshop like its a different photo?
See above, for Exif meta-data.

There is no perfect security system, except staying off-line and never using insertable media. OTOH, sensible risk analysis indicates that with reasonable precautions you can prevent 99.9% of attacks. My big question is "When will this be ported to desktop boxes and lappies?" I do have to say that I'd be using it as a 3fa measure :geek:, but then at a desktop I'd probably find a Yubi-Key more useable.
 
