Slashdot Mirror


Researchers Devise 2FA System That Relies On Taking Photos of Ordinary Objects (bleepingcomputer.com)

An anonymous reader quotes Bleeping Computer: Scientists from Florida International University and Bloomberg have created a custom two-factor authentication (2FA) system that relies on users taking a photo of a personal object. The act of taking the photo comes to replace the cumbersome process of using crypto-based hardware security keys (e.g., YubiKey devices) or entering verification codes received via SMS or voice call. The new system is named Pixie, and researchers argue it is more secure than the aforementioned solutions.

Pixie works by requiring users to choose an object as their 2FA key. When they set up the Pixie 2FA protection, they take an initial photo of the object that will be used for reference. Every time users try to log into their account again, they re-take a photo of the same object, and an app installed on their phone compares the two photos... In automated tests, Pixie achieved a false accept rate below 0.09% in a brute force attack with 14.3 million authentication attempts. An Android app is available for testing here.


  1. cumbersome process of using crypto-based hardware by ChoGGi · · Score: 4, Interesting

    I go on the website I like and press a button on my yubikey, that seems easier than whipping out my phone and taking a picture every time...

    Probably why I set up my yubikey to also take care of my Steam login (instead of whipping out my phone).

  2. Parts of the body? by cervesaebraciator · · Score: 4, Funny

    the system doesn't restrict users and they can choose anything they want as their login trinket, from their watch to parts of their body

    Well, now we know what every guy will use.

    1. Re:Parts of the body? by Tablizer · · Score: 4, Funny

      Siri: "Sorry, that object is too small to use for identification purposes."

    2. Re:Parts of the body? by sit1963nz · · Score: 2

      Cold days may be a problem too...

  3. Re:cumbersome process of using crypto-based hardwa by 93+Escort+Wagon · · Score: 4, Insightful

    Not to mention that, whatever the object is, you’ve got to have it with you at all times - so pick carefully!

    --
    #DeleteChrome
  4. Re:cumbersome process of using crypto-based hardwa by rmdingler · · Score: 5, Funny

    Not to mention that, whatever the object is, you’ve got to have it with you at all times - so pick carefully!

    Right, perhaps a picture of your face or fingerprint, for example.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

  5. Interesting, but... by YukariHirai · · Score: 2

    A low false accept rate is all well and good, but what's the false deny rate like? Also, I'm a bit dubious on tying authentication to a specific physical object. For all the problems with SMS 2FA, at least if something happens to my phone, I can replace it and it doesn't impact what I can and can't get into. If my authentication object gets lost or damaged, then what? "You can use a body part as your object," they say. Right, because nothing disfiguring can ever happen to those, they don't naturally change over time, and no-one's ever lost a body part.

    1. Re:Interesting, but... by gl4ss · · Score: 2

      The actual problem is that, at least from the blurb, the "app" compares the images.

      That's right, the app itself. Not the 2FA authority? This would be a huge problem.

      --
      world was created 5 seconds before this post as it is.
  6. Re:cumbersome process of using crypto-based hardwa by 93+Escort+Wagon · · Score: 4, Funny

    Wish I’d thought of that - I used my pet Boa Constrictor.

    --
    #DeleteChrome
  7. someone must have shit this out while drunk by gravewax · · Score: 4, Insightful

    This sounds like a completely brain-dead idea. Seriously, how many objects are there that people have with them every day that you can guarantee are unique? Not to mention the action of taking the photo basically reveals your 2FA to anyone in the vicinity.

    1. Re:someone must have shit this out while drunk by plopez · · Score: 2

      I'd have to get me wife to let me borrow it from time to time. ;)

      --
      putting the 'B' in LGBTQ+
  8. Re:nudies by Anonymous Coward · · Score: 2, Funny

    Free Willy!

  9. only 0.09% false positive. by viperidaenz · · Score: 2

    Their actual test says 4.5% false reject rate.
    They also say only 78% of people were able to successfully use their app to make an authentication.

    Needs some work.
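The tradeoff between the 0.09% false accept rate from the summary and the 4.5% false reject rate this comment points at, as an added illustration that is not part of the thread or of the Pixie code: a toy threshold matcher evaluated on constructed similarity scores (the score lists, `far_frr`, `sweep` and `threshold_for_far` are all assumed names and made-up data), showing that loosening the threshold to cut false rejects raises false accepts.

```python
from typing import Iterable, List, Tuple

# Constructed similarity scores in [0, 1] (higher = closer to the enrolled
# reference photo). These are made-up samples, not Pixie measurements.
GENUINE_SCORES = [0.95, 0.91, 0.88, 0.84, 0.79, 0.93, 0.72, 0.90, 0.86, 0.97]
IMPOSTOR_SCORES = [0.10, 0.22, 0.35, 0.41, 0.18, 0.55, 0.30, 0.27, 0.75, 0.12]


def far_frr(genuine: Iterable[float], impostor: Iterable[float],
            threshold: float) -> Tuple[float, float]:
    """Return (false accept rate, false reject rate) when a score >= threshold
    is accepted as the enrolled object."""
    genuine, impostor = list(genuine), list(impostor)
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def sweep(genuine: Iterable[float],
          impostor: Iterable[float]) -> List[Tuple[float, float, float]]:
    """Evaluate every candidate threshold (each observed score) and return
    (threshold, FAR, FRR) rows, loosest threshold first."""
    genuine, impostor = list(genuine), list(impostor)
    rows = []
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, t)
        rows.append((t, far, frr))
    return rows


def threshold_for_far(genuine: Iterable[float], impostor: Iterable[float],
                      max_far: float) -> Tuple[float, float]:
    """Loosest threshold whose FAR stays within max_far, together with the
    FRR the users pay for it. Tightening for FAR always costs FRR."""
    for t, far, frr in sweep(genuine, impostor):
        if far <= max_far:
            return t, frr
    raise ValueError("no threshold meets the FAR target")


if __name__ == "__main__":
    for t, far, frr in sweep(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold {t:.2f}: FAR {far:.0%}  FRR {frr:.0%}")
    t, frr = threshold_for_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0)
    print(f"zero FAR on this sample needs threshold {t:.2f}, costing FRR {frr:.0%}")
```

On real data the two rates would come from millions of impostor attempts and many genuine users, but the shape of the curve is the same: a published FAR is only meaningful next to the FRR at the same threshold.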

  10. Re:cumbersome process of using crypto-based hardwa by JustAnotherOldGuy · · Score: 3, Insightful

    Not to mention that, whatever the object is, you’ve got to have it with you at all times - so pick carefully!

    This was the first thing that popped into my mind... what magical object must I always have available that isn't susceptible to being lost or stolen? And the answer is... nothing.

    If the object is always available to be photographed, it must always be with you, no? And if it's always with you then it could get lost or stolen.

    I don't see how this is a solution to anything, frankly.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  11. Re: cumbersome process of using crypto-based hardw by Anonymous Coward · · Score: 3, Funny

    But then you would have to carry another phone to take a phone picture of your phone.

    Better yet, a mirror is less expensive, take a phone picture of your own phone.

    But what if others discover you authenticate with a phone picture of your phone? They could take a phony phone picture of a phone and blast! Phoned again!

    Phones!

  12. Re:cumbersome process of using crypto-based hardwa by 93+Escort+Wagon · · Score: 3, Funny

    Use a photo of your Yubikey!

    --
    #DeleteChrome
  13. Meh. They should use something truly unique by johannesg · · Score: 2

    Like a blood sample. So every time you want to log in to funnycatpictures.com and post to its mighty forum, you just jab a needle in your vein for a second and let the analyser do its thing.

    Seriously, could they come up with any idea more stupid than this? It requires you to carry a specific object with you, and to never ever lose that object. The pattern matching must be fuzzy enough that the same object shown in different lighting, under different angles, etc. is still allowed, but strict enough that a similar object is not. And it must allow for differences in background as well.

    And of course your security is shot if any of your photos is captured. Or if another of your (public) photos accidentally reveals the item. So let's see: it must be something you always carry with you, yet isn't visible on any public photos. Your underwear, maybe? I can just see myself logging in in the local Starbucks...

  14. Re:cumbersome process of using crypto-based hardwa by michelcolman · · Score: 2

    Even worse, if someone sees you take a picture of, say, that particular keychain doll you have, they can go onto amazon and order the same item.

  15. Re:cumbersome process of using crypto-based hardwa by JonnyCalcutta · · Score: 5, Funny

    Yeh, me too. Now I've been arrested for indecent exposure.

  16. Re:cumbersome process of using crypto-based hardwa by TheRaven64 · · Score: 2

    Or if someone compromises an app on your phone with camera permission (or simply persuades you that this free game that you want to play needs camera permission) and takes a photo, they can then use the same photo.

    I'm too lazy to RTFA, but the description in TFS is a bit confusing: are the photos really compared on the phone? If so, how do they communicate with the server, do they just speak the U2F protocol? If so, they've just replaced a button with the need to take a photo, which doesn't sound like much of a UI improvement. If they're comparing the photos on the server, then simply copying the photo makes it trivial to launch remote attacks.

    --
    I am TheRaven on Soylent News