Your shoe, chewing gum, or ciggies are now your extra password

Computer researchers at Florida International University and Bloomberg have come up with an alternative to crypto baubles like YubiKeys for two-factor authentication.

It's not that there's anything wrong with YubiKeys and similar login tokens, apart from the occasional security blunder. But they can be a potential faff for non-savvy netizens. There's always text messages for two-factor authentication, but due to SS7 weaknesses and miscreants hijacking people's cellphone accounts by tricking telco help-desks, these are no longer reliable.

What else could be used to prove your identity along with a pass phrase that's easy to use and carried around with you? It's right under your nose.

Pixie, a research project described in last month's Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies, demonstrates that the camera in mobile and wearable devices can be used for two-factor authentication without any extra special hardware.

The researchers – Mozhgan Azimpourkivi, a PhD candidate at Florida International University (FIU); Umut Topkara, an NLP researcher at Bloomberg; and Bogdan Carbunar, assistant computer science professor at FIU – contend: "Pixie can complement existing authentication solutions by providing a fast alternative that does not expose sensitive user information."

Two-factor authentication (2FA) improves upon single-factor authentication, such a passcode-based system, by requiring a second input to prove you're the person allowed to access a system or service. In conjunction with a passcode – something you know – this often takes the form of an item – something you have.

The item, such as a YubiKey or a mobile device running an app like Google Authenticator or Authy, serves to convey a dynamic passcode, a time-based one-time password (TOTP) or a HMAC-based one-time password (HOTP).

Additional factors can be added for additional security and one-upmanship – "my authentication goes up to 11 factors" – but two tends to be enough for civilians.

Trinket

With Pixie, a smartphone user can simply snap a picture of a trinket, such as a bracelet or a wristwatch, and the image becomes a reference for future authentication attempts.

The approach is similar to a QR-code, except that it's secret. You're not supposed to tell anyone which item you're using. It also shares some similarity to a biometric identifier, except that it's detachable. And because Pixie handles image recognition locally, it isn't dependent on network conditions or vulnerable to network-based attacks that might affect 2FA schemes involving a passcode sent via text to a mobile device.

The reference image need not be the entire trinket either: Pixie can recognize specific portions of the target object, such as a shirt pattern or a portion of a shoe.

"Pixie accurately verifies that the candidate image contains the same trinket part as a set of previously captured reference images," the research paper explains. "ŒThis process endows Pixie with attack resilience properties: to fraudulently authenticate, an adversary needs to capture both the mobile device and the trinket, then guess the correct part of the trinket."

So it's not enough that an attacker simply knows what your secret unlock item is: they have to know which part of it, too – the angle of the reference image, the portion used to authenticate, and so on.

Pixie proved reasonably resilient to attack – its false accept rate was less than 0.09 per cent in a brute force attack over 14,300,000 authentication attempts using 40,000 trinket images gathered from public data sets. It was also fairly well-received, with half of the 42 people in the researchers' user study indicating that they preferred Pixie to password-based authentication and 40 per cent of participants undecided.

Pixie was implemented using Android 3.2, OpenCV 2.4.10 (a computer vision software library) and Weka (a Java data=mining library).

Among study participants, the objects designated as trinkets included gum packs, watches, keychains, sunglasses, a shoe, a tattoo, and – for someone who really didn't want to look very far afield for something to photograph – an iPhone menu. ®