Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
Security Cellphones

Researchers Devise 2FA System That Relies On Taking Photos of Ordinary Objects (bleepingcomputer.com) 138

An anonymous reader quotes Bleeping Computer: Scientists from Florida International University and Bloomberg have created a custom two-factor authentication (2FA) system that relies on users taking a photo of a personal object. The act of taking the photo comes to replace the cumbersome process of using crypto-based hardware security keys (e.g., YubiKey devices) or entering verification codes received via SMS or voice call. The new system is named Pixie, and researchers argue it is more secure than the aforementioned solutions.

Pixie works by requiring users to choose an object as their 2FA key. When they set up the Pixie 2FA protection, they take an initial photo of the object that will be used for reference. Every time users try to log into their account again, they re-take a photo of the same object, and an app installed on their phone compares the two photos... In automated tests, Pixie achieved a false accept rate below 0.09% in a brute force attack with 14.3 million authentication attempts. An Android app is available for testing here.

This discussion has been archived. No new comments can be posted.

Researchers Devise 2FA System That Relies On Taking Photos of Ordinary Objects

Comments Filter:
  • by ChoGGi ( 522069 ) <slashdot@choggi.org> on Sunday October 29, 2017 @06:38PM (#55454991) Homepage

    I go on the website I like and press a button on my yubikey, that seems easier then whipping out my phone and taking a picture every time...

    Probably why I setup my yubikey to also take care of my Steam login (instead of whipping out my phone).

    • by 93 Escort Wagon ( 326346 ) on Sunday October 29, 2017 @06:45PM (#55455023)

      Not to mention that, whatever the object is, you’ve got to have it with you at all times - so pick carefully!

      • by rmdingler ( 1955220 ) on Sunday October 29, 2017 @06:48PM (#55455045) Journal

        Not to mention that, whatever the object is, you’ve got to have it with you at all times - so pick carefully!

        Right, perhaps a picture of your face or fingerprint, for example.

      • by Anonymous Coward
        "whatever the object is, youâ(TM)ve got to have it with you at all times - so pick carefully!"

        Just take a picture of your phone.
        • by Anonymous Coward

          But then you would have to carry another phone to take a phone picture of your phone.

          Better yet, a mirror is less expensive, take a phone picture of your own phone.

          But what if others discover you authenticate with a phone picture of your phone? They could take a phony phone picture of a phone and blast! Phoned again!

          Phones!

      • by JustAnotherOldGuy ( 4145623 ) on Sunday October 29, 2017 @08:01PM (#55455329)

        Not to mention that, whatever the object is, you’ve got to have it with you at all times - so pick carefully!

        This was the first thing that popped into my mind...what magical object must I always have available that isn't susceptible to being lost or stolen? And the answer is ....nothing.

        If the object is always available to be photographed, it must always be with you, no? And if it's always with you then it could get lost or stolen.

        I don't see how this is a solution to anything, frankly.

        • Even worse, if someone sees you take a picture of, say, that particular keychain doll you have, they can go onto amazon and order the same item.

          • Or if someone compromises an app on your phone with camera permission (or simply persuades you that this free game that you want to play needs camera permission) and takes a photo, they can then use the same photo.

            I'm too lazy to RTFA, but the description in TFS is a bit confusing: are the photos really compared on the phone? If so, how do they communicate with the server, do they just speak the U2F protocol? If so, they've just replaced a button with the need to take a photo, which doesn't sound like mu

        • This was the first thing that popped into my mind...what magical object must I always have available that isn't susceptible to being lost or stolen? And the answer is ....nothing.

          I can see a bunch of problems with this idea, but I don't think what you're saying is a serious problem. Any authentication method that's "something you have" has the danger of being lost or stolen. I carry my keys, wallet, and cell phone with me everywhere, and I've never had any of those things get lost or stolen. Admittedly, I may just be lucky that I never ran into a good pick-poket, but still, those things don't get lost or stolen every day.

          • Any authentication method that's "something you have" has the danger of being lost or stolen.

            Yes, that's exactly my point.

            I carry my keys, wallet, and cell phone with me everywhere, and I've never had any of those things get lost or stolen. Admittedly, I may just be lucky that I never ran into a good pick-poket, but still, those things don't get lost or stolen every day.

            Yes, they do.

            You're lucky and/or careful. Thousands of people lose one (or more) of those things every single day. Have you ever seen the lost cellphone bin at an airport? It's a highly-controlled environment and yet thousands of people lose their phone, keys, wallet, passport, etc in airports all the damn time.

            • those things don't get lost or stolen every day.

              Yes, they do.

              My point is, it doesn't happen to any particular person every day. If you're losing your wallet and keys every day, then you're going to have all sorts of problems.

              • My point is, it doesn't happen to any particular person every day.

                Be real- you only have to lose any of these things once for it to be a problem, even more so if they serve as a login validator.

                • Sure, it's a problem, but that doesn't mean it's a disqualifying problem. People lose their keys sometimes, but that doesn't lead us to say, "Well we can't use keys anymore!" People's wallets gat stolen sometimes, but they're still generally a decent solution to a problem. People forget passwords, passwords get compromised, but we still use them.

                  There are going to be problems and flaws with every security scheme, but the purpose of security is not to be perfect. If you set out to create a security sche

                  • Sure, it's a problem, but that doesn't mean it's a disqualifying problem.

                    Then feel free to participate as enthusiastically as you like. I'll pass.

                    • Great. Disregard any security measures that don't offer perfect security. See how far that gets you.
                    • Disregard any security measures that don't offer perfect security. See how far that gets you.

                      Don't put words in my mouth, you petulant little asswipe.

        • by MTEK ( 2826397 )

          Have any unique tattoos? (preferably w/out having to take your shirt or pants off?)

      • Not to mention that, whatever the object is, you’ve got to have it with you at all times - so pick carefully!

        Like, say, the RSA token I carry for 2FA?

      • by Anonymous Coward

        You could use a picture of your phone! You have that with you all the time!

        Oh wait...

      • Also, the object could get stolen, or you could break it and it might get damaged in such a way that it no longer registered.

        Plus, it's a bit conspicuous to take a picture of something, so other people are going to figure out what your token is. Once I know you're using your watch as your token, could I buy an identical watch and spoof it? Could I use a picture of your watch instead of the actual watch? Could I just use a picture of the same watch model, without having to buy an identical watch or steal

    • Well I would personally also prefer for you to touch you yubikey instead of whipping out your phone to take a picture of your ... personal thing...

    • If a 2FA device has some means of communication to the site that is authenticating, 2FA is trivial. Just like with Google, Blizzard, or Duo... when you log on, your phone pops up (login attempt detected... Allow/Deny), you hit "allow", and you are in.

      It would be nice if there were an open standard for this, with the site wanting authenticating storing a public key, and the 2FA device generating and storing a private key onboard. Right now, we have an open standard for shared secrets, but it would be nice

  • by cervesaebraciator ( 2352888 ) on Sunday October 29, 2017 @06:44PM (#55455019)

    the system doesn't restrict users and they can choose anything they want as their login trinket, from their watch to parts of their body

    Well, now we know what every guy will use.

  • by YukariHirai ( 2674609 ) on Sunday October 29, 2017 @06:50PM (#55455057)
    A low false accept rate is all well and good, but what's the false deny rate like? Also, I'm a bit dubious on tying authentication to a specific physical object. For all the problems with SMS 2FA, at least if something happens to my phone, I can replace it and it doesn't impact what I can and can't get into. If my authentication object gets lost or damaged, then what? "You can use a body part as your object," they say. Right, because nothing disfiguring can ever happen to those, they don't naturally change over time, and no-one's ever lost a body part.
    • by gl4ss ( 559668 )

      the actual problem is that at least from the blurb the "app" compares the images.

      that's right, the app itself. not the 2fa authority ? this would be a huge problem..

      • by Calydor ( 739835 )

        Either the app tests it, in which case just the encrypted confirmation to the server needs to be broken, or the app sends tons of images to the server - and considering how big the images are on some cell phones, and only getting bigger, that'll eat through your data plan pretty quickly. Imagine having to upload 10 MB (maybe multiple times due to bad lighting, shaking hand or the like) just to log into Facebook.

      • There's no good way of doing this. Either the app compares them, in which case it's basically a U2F token where instead of pressing a button (optionally a fingerprint reader) you take a photo, which is a step backwards in usability, or the server compares them, in which case anyone who takes a photo of the object can now log in remotely without access to the thing.
    • by kd3bj ( 733314 )

      The article gives a False Reject Rate of 4.25%, which I thought was annoyingly high. It seems they tuned their threshold to push down the false accept rate to 0.02% and just accepted the annoying FRR.

  • by gravewax ( 4772409 ) on Sunday October 29, 2017 @06:59PM (#55455099)
    This sounds like a completely brain dead idea. seriously how many objects around that people have with them everyday that you can guarantee are unique? not to mention the action of taking the photo basically reveals your 2FA to anyone in the vicinity.
    • by plopez ( 54068 )

      credit cards and drivers licenses come to mind :)

      • So basically something that is predictable, easily copied/faked and easily obtained from the user.
        • by plopez ( 54068 )

          No to mention uploading lots of personal information and spewing it across wifi on a regular basis ;)

      • credit cards and drivers licenses come to mind :)

        Just your wallet itself might be good enough.

      • by tsqr ( 808554 )

        credit cards and drivers licenses come to mind :)

        Both of these expire and get replaced periodically. And if a credit card is misplaced, the replacement has a new number.

    • My guess is that this is not for casual use. Does a phone need that level of security? If you're not the president, then no. If you store passwords to other accounts on your phone, then there are other security actions that should be taken before 2FA. Put the 2FA on your bank account, not your social media.

    • It's worth noting that this was published in Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies. This is a brand-new journal, so all submissions are likely to be either bad work that can't get published anywhere else, from people who are submitting some of their second-rate work to help the journal get established, or from people who are betting that it will become well-known later and so submit something there in the hope that they'll retroactively end up with a prestigiou

  • guess i have to pick something else. their leashes?
  • dildos

    their entire server is full of pictures of dildos
  • I have some questions about this.

    What happens if I lose the object or need to change the object I use for authentication? If I use my watch, what happens when I lose my watch or need to get a new watch for some reason? Can the picture be changed?

    If the authentication takes place locally, could malware be downloaded that defeats the authentication?

  • The summary states "a false accept rate below 0.09% in a brute force attack with 14.3 million authentication attempts."

    So, in that 14.3 million attempts, they still got in 12,870 times.

  • by Anonymous Coward

    In automated tests, Pixie achieved a false accept rate below 0.09% in a brute force attack with 14.3 million authentication attempts.

    14,300,000 x 0.09% = 12,870. How can it be said that a form of authentication is secure when it only requires less than 10,000 guesses before it flubs and accepts a false response.

  • by viperidaenz ( 2515578 ) on Sunday October 29, 2017 @07:46PM (#55455283)

    Their actual test says 4.5% false reject rate.
    They also say only 78% of people were able to successfully use their app to make an authentication.

    Needs some work.

  • Instantly made me think of Inception and the concept of a totem. So it's some personal trinket.

    In the absence of anything else good, I do like it. It's something you create (hopefully?), so I love that it has that aspect, so it should be as unique as you decide to be.

    It still has the disadvantage of being something someone else can take from you, or you can lose, but as one part of 2FA, having it taken shouldn't be much of an issue. Loss of the item really depends on how difficult it would be to replace.

  • ...Be sure it's not just for smartphones. Throw PC and laptop users a bone too, make it so we could use a webcam on our PC/laptop to 'see' the object for usage in 2FA. OK? Good idea.

  • "has a false accept rate of only 0.09%"

    So that's about a 1/1000 false accept rate against a brute force attack, which is comparable to some biometrics. This actually isn't very good. A determined attacker will not just send random pictures, but will send pictures that they think the target of the attack may have used. This results on a much higher false accept rate.

    Even 1/1000 is marginal enough that substantial rate limiting is going to be needed to keep the account secure. Compare that against the securit

  • by johannesg ( 664142 ) on Monday October 30, 2017 @01:47AM (#55456131)

    Like a blood sample. So every time you want to log in to funnycatpictures.com and post to its mighty forum, you just jab a needle in your vein for a second and let the analyser do its thing.

    Seriously, could they come up with any idea more stupid than this? It requires you to carry a specific object with you, and to never ever lose that object. The pattern matching must be fuzzy enough that the same object shown in different lighting, under different angles, etc. is still allowed, but strict enough that a similar object is not. And it must allow for differences in background as well.

    And of course your security is shot if any of your photos is captured. Or if another of your (public) photos accidentally reveals the item. So let's see: it must be something you always carry with you, yet isn't visible on any public photos. Your underwear, maybe? I can just see myself logging in in the local Starbucks...

  • Tits or GTFO!

  • how is this much better than using an authenticator or an extra password/sms?
    This is really one of the dumbest ideas I've heard.. So what do I do if I don't have the object near me? and do I have to photograph is everytime from the same angle?

    • by Whibla ( 210729 )

      William Gibson called, and Johnny Mnemonic wants his pictures back!

      But, speaking of pictures, how does the system deal with pictures of pictures? Keep picture of SO in wallet, use picture of picture as your key. Seems like this might have some potential tbh, especially if you're careful in how you frame the background (as a "3rd factor").

      Admittedly I can't see myself using it, way too much faff, and relies on my having my phone with me when I want to access w/e it is I'm trying to access. Can't think of muc

  • Just like iris scanners can be fooled with a picture of someone's eyes... betchya a picture of said object can be the key.
    • by kd3bj ( 733314 )

      They do liveness detection with iris (except in the movies) so quality iris biometric systems are _not_ fooled by a picture. This doesn't seem like a possible countermeasure with an inanimate trinket.

  • Use a picture of your wristwatch and only you will know what two times of day you can log in! Mwaahaha.
  • This allows services to learn more about your smart phone and, potentially, your surroundings.

You don't have to know how the computer works, just how to work the computer.

Working...