Slashdot Mirror
Researchers Devise 2FA System That Relies On Taking Photos of Ordinary Objects (bleepingcomputer.com)
An anonymous reader quotes Bleeping Computer: Scientists from Florida International University and Bloomberg have created a custom two-factor authentication (2FA) system that relies on users taking a photo of a personal object. The act of taking the photo comes to replace the cumbersome process of using crypto-based hardware security keys (e.g., YubiKey devices) or entering verification codes received via SMS or voice call. The new system is named Pixie, and researchers argue it is more secure than the aforementioned solutions.
Pixie works by requiring users to choose an object as their 2FA key. When they set up the Pixie 2FA protection, they take an initial photo of the object that will be used for reference. Every time users try to log into their account again, they re-take a photo of the same object, and an app installed on their phone compares the two photos... In automated tests, Pixie achieved a false accept rate below 0.09% in a brute force attack with 14.3 million authentication attempts. An Android app is available for testing here.
Pixie works by requiring users to choose an object as their 2FA key. When they set up the Pixie 2FA protection, they take an initial photo of the object that will be used for reference. Every time users try to log into their account again, they re-take a photo of the same object, and an app installed on their phone compares the two photos... In automated tests, Pixie achieved a false accept rate below 0.09% in a brute force attack with 14.3 million authentication attempts. An Android app is available for testing here.
I go on the website I like and press a button on my yubikey, that seems easier then whipping out my phone and taking a picture every time...
Probably why I setup my yubikey to also take care of my Steam login (instead of whipping out my phone).
This seems like a really roundabout way to trick people into taking pictures of their private parts.
No wait, actually it could be great -- tons of people walking around flashing photos with their pants down, "but my phone requires it to unlock!"
Well, now we know what every guy will use.
Not to mention that, whatever the object is, you’ve got to have it with you at all times - so pick carefully!
#DeleteChrome
Not to mention that, whatever the object is, you’ve got to have it with you at all times - so pick carefully!
Right, perhaps a picture of your face or fingerprint, for example.
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
A low false accept rate is all well and good, but what's the false deny rate like? Also, I'm a bit dubious on tying authentication to a specific physical object. For all the problems with SMS 2FA, at least if something happens to my phone, I can replace it and it doesn't impact what I can and can't get into. If my authentication object gets lost or damaged, then what? "You can use a body part as your object," they say. Right, because nothing disfiguring can ever happen to those, they don't naturally change over time, and no-one's ever lost a body part.
Trusting the client (app in this case) is where the security fails. I just have to write a rogue app that says to the remote service “yep, this client is totally legit” and I don’t even have to take any pictures.
The only way for this to work is NOT to trust the client (app). And anyone can simply replay the reference image or send a slightly modified version of that image.
This seems like Bad Security.
Wish I’d thought of that - I used my pet Boa Constrictor.
#DeleteChrome
This sounds like a completely brain dead idea. seriously how many objects around that people have with them everyday that you can guarantee are unique? not to mention the action of taking the photo basically reveals your 2FA to anyone in the vicinity.
Hair today, gone tomorrow.
Table-ized A.I.
guess i have to pick something else. their leashes?
dildos
their entire server is full of pictures of dildos
I finally have a business reason to take dick pics at work.
Watching you guys get your hopes up and then dashed over and over (and over and over and over...) never gets old.
Maybe change the perspective a little, How much more secure is this?
It’s NOT two factors! IT’s ONE factor!
1. Something you know
2. Something you have
3. Something you are
!!
NOT ... Nevermind
1. Something you know
0. Something everybody knows
NOR ... haha, h4x0r3d
1. Something you have
1. Something you have
Or any other retarded combination not involving more than one unique valid factor!
Unless you ALSO enter your password, and unless that "yubikey" actually has a secure channel to the auth server without your PC being able to do ANY MITM, that’s zero-factor, mate!
Not saying the one in TFA isn't.
I have some questions about this.
What happens if I lose the object or need to change the object I use for authentication? If I use my watch, what happens when I lose my watch or need to get a new watch for some reason? Can the picture be changed?
If the authentication takes place locally, could malware be downloaded that defeats the authentication?
The summary states "a false accept rate below 0.09% in a brute force attack with 14.3 million authentication attempts."
So, in that 14.3 million attempts, they still got in 12,870 times.
"She's furniture with a pulse"
"whatever the object is, youâ(TM)ve got to have it with you at all times - so pick carefully!"
Just take a picture of your phone.
In automated tests, Pixie achieved a false accept rate below 0.09% in a brute force attack with 14.3 million authentication attempts.
14,300,000 x 0.09% = 12,870. How can it be said that a form of authentication is secure when it only requires less than 10,000 guesses before it flubs and accepts a false response.
Their actual test says 4.5% false reject rate.
They also say only 78% of people were able to successfully use their app to make an authentication.
Needs some work.
The times when 2FA is of the most benefit, is when you are using completely non-trusted systems. How am I meant to use this system in an internet cafe in a country where I don't have mobile data or wifi coverage?
Someone takes a picture of an object. Ok, you're submitting the photo of the picture - I can kind of see how that is something you have. Where's the second factor? "You know what the factor is" is a terrible interpretation of what "something you know" is in the authentication world.
Not to mention that, whatever the object is, you’ve got to have it with you at all times - so pick carefully!
This was the first thing that popped into my mind...what magical object must I always have available that isn't susceptible to being lost or stolen? And the answer is ....nothing.
If the object is always available to be photographed, it must always be with you, no? And if it's always with you then it could get lost or stolen.
I don't see how this is a solution to anything, frankly.
Just cruising through this digital world at 33 1/3 rpm...
Right, perhaps a picture of your face or fingerprint, for example.
Yeah, because no one could ever get a picture of my face or my fingerprint. It's just totally impossible.
Just cruising through this digital world at 33 1/3 rpm...
But then you would have to carry another phone to take a phone picture of your phone.
Better yet, a mirror is less expensive, take a phone picture of your own phone.
But what if others discover you authenticate with a phone picture of your phone? They could take a phony phone picture of a phone and blast! Phoned again!
Phones!
Instantly made me think of Inception and the concept of a totem. So it's some personal trinket.
In the absence of anything else good, I do like it. It's something you create (hopefully?), so I love that it has that aspect, so it should be as unique as you decide to be.
It still has the disadvantage of being something someone else can take from you, or you can lose, but as one part of 2FA, having it taken shouldn't be much of an issue. Loss of the item really depends on how difficult it would be to replace.
It is somewhat annoying that difficulty to replace the item directly correlates to it's usefulness as a unique totem. Optimally, your totem should be something you make yourself, and could recreate with relative ease, with minimal tools. Maybe everyone should take up enough wood carving to make their own unique little carvings. I think that'd actually be kinda neat.
...Be sure it's not just for smartphones. Throw PC and laptop users a bone too, make it so we could use a webcam on our PC/laptop to 'see' the object for usage in 2FA. OK? Good idea.
Use that.
"what magical object must I always have available that isn't susceptible to being lost or stolen?"
In your case? Your virginity.
I took a picture of my balls, although it could make purchasing toys for the nephews a bit lewd.
2FA is a complete waste of time anyhow. I use strong, uncrackable passwords (you can try, it'll take the world's best supercomputer until after the sun burns out to crack) and store them in KeePass. When I go to a site or execute an app that needs a password, I press a hotkey and I'm in.
Take a picture of your junk perhaps?
"has a false accept rate of only 0.09%"
So that's about a 1/1000 false accept rate against a brute force attack, which is comparable to some biometrics. This actually isn't very good. A determined attacker will not just send random pictures, but will send pictures that they think the target of the attack may have used. This results on a much higher false accept rate.
Even 1/1000 is marginal enough that substantial rate limiting is going to be needed to keep the account secure. Compare that against the security of, say, a 6-digit random one-time password (1/1 million).
And as another commenter pointed out, it's not meaningful to talk about false accept rate without also talking about the false reject rate.
I'd photo my pee pee, but I like to swim a lot and there's some shrinkage.
It little behooves the best of us to comment on the rest of us.
Except for the name. Genius, really, to choose a name as non-unique as Pixie. No doubt this was to enhance the overall security of the system.
Like, say, the RSA token I carry for 2FA?
I've got it! A QR code tattoo containing your password.
More than that, if you're going to be in the same place all the fucking time, use a proper password manager, make really tough passwords, and store your site passwords behind a tough password.
These fucking idiots trying to solve problems with idiotic solutions needs to be rounded up and castrated. If I'm going to be next to the same goddamned object every time I log into a fucking website, I have far more cryptographically secure options ... and if I'm *not* going to have the same object in front of me, this is an utterly useless method.
This is a really dumb solution, and I'm tired of BS solutions which depend on my fucking phone, which I refuse to tie to all of the ads and analytics assholes out there.
If your solution involves be giving up more information to ads and analytics, or involves me being in the same place all the time, it's a stupid fucking solution.
And if it's something I'm going to always have to carry with me, it's either a shit solution or will be insecure as I have to carry that object when I travel, which limits its utility.
More bullshit technology put forth my marketing idiots which can't possibly fucking improve my security.
Fuck the internet, it's ran by morons. This is a useless mechanism if you have to have the same object everywhere you go. Because that object becomes the thing someone needs to hack you.
Panty waste mother fuckers acting like they have something revolutionary. If you have to rely on a goddamned third party, your shit aint secure.
Now everyone will be using their dick pics to login lol.
Use a photo of your Yubikey!
#DeleteChrome
You could use a picture of your phone! You have that with you all the time!
Oh wait...
Like a blood sample. So every time you want to log in to funnycatpictures.com and post to its mighty forum, you just jab a needle in your vein for a second and let the analyser do its thing.
Seriously, could they come up with any idea more stupid than this? It requires you to carry a specific object with you, and to never ever lose that object. The pattern matching must be fuzzy enough that the same object shown in different lighting, under different angles, etc. is still allowed, but strict enough that a similar object is not. And it must allow for differences in background as well.
And of course your security is shot if any of your photos is captured. Or if another of your (public) photos accidentally reveals the item. So let's see: it must be something you always carry with you, yet isn't visible on any public photos. Your underwear, maybe? I can just see myself logging in in the local Starbucks...
Tits or GTFO!
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Wooosh....!
Even worse, if someone sees you take a picture of, say, that particular keychain doll you have, they can go onto amazon and order the same item.
No, better pick something that has the same shape regardless of temperature.
Well I would personally also prefer for you to touch you yubikey instead of whipping out your phone to take a picture of your ... personal thing...
Yeh, me too. Now I've been arrested for indecent exposure.
how is this much better than using an authenticator or an extra password/sms?
This is really one of the dumbest ideas I've heard.. So what do I do if I don't have the object near me? and do I have to photograph is everytime from the same angle?
Or if someone compromises an app on your phone with camera permission (or simply persuades you that this free game that you want to play needs camera permission) and takes a photo, they can then use the same photo.
I'm too lazy to RTFA, but the description in TFS is a bit confusing: are the photos really compared on the phone? If so, how do they communicate with the server, do they just speak the U2F protocol? If so, they've just replaced a button with the need to take a photo, which doesn't sound like much of a UI improvement. If they're comparing the photos on the server, then simply copying the photo makes it trivial to launch remote attacks.
I am TheRaven on Soylent News
Just like the pirates and Their 5?! Pieces of eight ... Which incidentially was 5 or 8?! pieces of whatever random junk we happended to carry at the time... YaRrrrrr
Not to mention most cell phones aren't too great at macro photography
Hillary's going to jail.
"Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
Also, the object could get stolen, or you could break it and it might get damaged in such a way that it no longer registered.
Plus, it's a bit conspicuous to take a picture of something, so other people are going to figure out what your token is. Once I know you're using your watch as your token, could I buy an identical watch and spoof it? Could I use a picture of your watch instead of the actual watch? Could I just use a picture of the same watch model, without having to buy an identical watch or stealthily take a picture of your watch?
This was the first thing that popped into my mind...what magical object must I always have available that isn't susceptible to being lost or stolen? And the answer is ....nothing.
I can see a bunch of problems with this idea, but I don't think what you're saying is a serious problem. Any authentication method that's "something you have" has the danger of being lost or stolen. I carry my keys, wallet, and cell phone with me everywhere, and I've never had any of those things get lost or stolen. Admittedly, I may just be lucky that I never ran into a good pick-poket, but still, those things don't get lost or stolen every day.
Use money, say a dollar bill maybe folded a certain way, or perhaps 3 or 4 coins in a pattern?
Most of the time these are always available and they don't change much (visually)
To visit Trump and gloat!
You sound like the prequel to the app guy
Have any unique tattoos? (preferably w/out having to take your shirt or pants off?)
If a 2FA device has some means of communication to the site that is authenticating, 2FA is trivial. Just like with Google, Blizzard, or Duo... when you log on, your phone pops up (login attempt detected... Allow/Deny), you hit "allow", and you are in.
It would be nice if there were an open standard for this, with the site wanting authenticating storing a public key, and the 2FA device generating and storing a private key onboard. Right now, we have an open standard for shared secrets, but it would be nice to move to a public/private key standard, so a compromise of the server requesting authenticating gives little help to an attacker.
The main problem is that this is false added security compared to treating the phone as the "something" you have.
If your phone is compromised it's trivial to compromise this app. If yor phone isn't compromised than you why involve photograping a seconf object you have?
The secondary problem is that it's vulnerable to the same kind of stupidity as passwords. People won't choose the objetc they photograph based on a sesible analysis of how hard it would be to reproduce a comparable photo. The "my password is password" of this system would be something like a photo of your house key. Sounds secure to a layperson, but can the system reliably identify different keys made from the same mass produced blank key? How hard is it really to get a bunch of blank keys from the hardware store and brute force random people's accounts?
I betcha I know what "object" Anthony Weiner will choose to take a picture of.
Unless you access the system in a place with privacy, the very act of taking the picture will divulge the object. Given the prevalence of surveillance cameras , compromise is a matter of when and not if.
Just like iris scanners can be fooled with a picture of someone's eyes... betchya a picture of said object can be the key.
Because, because, because, because, because
Because of the wonderful things he does!
I don't have a fucking cellphone!
Use a picture of your wristwatch and only you will know what two times of day you can log in! Mwaahaha.
Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
A trans hooker?
Will a can of coka cola do? Nobody else has one of those right? Nobody would think to use something so common either, right?
That's pretty childish of you to assume you know someone's opinions based solely off of that statement. Grow up, junior.
This allows services to learn more about your smart phone and, potentially, your surroundings.
Any authentication method that's "something you have" has the danger of being lost or stolen.
Yes, that's exactly my point.
I carry my keys, wallet, and cell phone with me everywhere, and I've never had any of those things get lost or stolen. Admittedly, I may just be lucky that I never ran into a good pick-poket, but still, those things don't get lost or stolen every day.
Yes, they do.
You're lucky and/or careful. Thousands of people lose one (or more) of those things every single day. Have you ever seen the lost cellphone bin at an airport? It's a highly-controlled environment and yet thousands of people lose their phone, keys, wallet, passport, etc in airports all the damn time.
Just cruising through this digital world at 33 1/3 rpm...
Have any unique tattoos? (preferably w/out having to take your shirt or pants off?)
Nope, and I don't plan on getting any.
Just cruising through this digital world at 33 1/3 rpm...
those things don't get lost or stolen every day.
Yes, they do.
My point is, it doesn't happen to any particular person every day. If you're losing your wallet and keys every day, then you're going to have all sorts of problems.
My point is, it doesn't happen to any particular person every day.
Be real- you only have to lose any of these things once for it to be a problem, even more so if they serve as a login validator.
Just cruising through this digital world at 33 1/3 rpm...
Sure, it's a problem, but that doesn't mean it's a disqualifying problem. People lose their keys sometimes, but that doesn't lead us to say, "Well we can't use keys anymore!" People's wallets gat stolen sometimes, but they're still generally a decent solution to a problem. People forget passwords, passwords get compromised, but we still use them.
There are going to be problems and flaws with every security scheme, but the purpose of security is not to be perfect. If you set out to create a security scheme that always 100% provides authorized users with access while always 100% denying access to unauthorized attackers, you're going to fail. The point is to balance "ease of access by authorized users" against "making unauthorized access difficult and dangerous". And that balance needs to be determined by the danger of security being compromised, which is to say that it might be appropriate to force someone with clearance to jump through a bunch of hoops to view a top-secret document, but I probably shouldn't have to jump through as many hoops to access my own MP3 collection.
So yes, "something you have" can be lost or stolen, but that's ok. You just need to make sure you can get a new copy of the "something you have" and revoke authorization from the one that was lost. For systems that needs a high level of security, you might want to have additional factors for authentication (e.g. biometrics and/or passwords).
Sure, it's a problem, but that doesn't mean it's a disqualifying problem.
Then feel free to participate as enthusiastically as you like. I'll pass.
Just cruising through this digital world at 33 1/3 rpm...
Great. Disregard any security measures that don't offer perfect security. See how far that gets you.
Disregard any security measures that don't offer perfect security. See how far that gets you.
Don't put words in my mouth, you petulant little asswipe.
Just cruising through this digital world at 33 1/3 rpm...