Researchers Devise 2FA System That Relies On Taking Photos of Ordinary Objects (bleepingcomputer.com)
An anonymous reader quotes Bleeping Computer: Scientists from Florida International University and Bloomberg have created a custom two-factor authentication (2FA) system that relies on users taking a photo of a personal object. The act of taking the photo comes to replace the cumbersome process of using crypto-based hardware security keys (e.g., YubiKey devices) or entering verification codes received via SMS or voice call. The new system is named Pixie, and researchers argue it is more secure than the aforementioned solutions.
Pixie works by requiring users to choose an object as their 2FA key. When they set up the Pixie 2FA protection, they take an initial photo of the object that will be used for reference. Every time users try to log into their account again, they re-take a photo of the same object, and an app installed on their phone compares the two photos... In automated tests, Pixie achieved a false accept rate below 0.09% in a brute force attack with 14.3 million authentication attempts. An Android app is available for testing here.
cumbersome process of using crypto-based hardware (Score:5, Interesting)
I go on the website I like and press a button on my yubikey, that seems easier then whipping out my phone and taking a picture every time...
Probably why I setup my yubikey to also take care of my Steam login (instead of whipping out my phone).
Re:cumbersome process of using crypto-based hardwa (Score:5, Insightful)
Not to mention that, whatever the object is, you’ve got to have it with you at all times - so pick carefully!
Re:cumbersome process of using crypto-based hardwa (Score:5, Funny)
Not to mention that, whatever the object is, you’ve got to have it with you at all times - so pick carefully!
Right, perhaps a picture of your face or fingerprint, for example.
Re:cumbersome process of using crypto-based hardwa (Score:5, Funny)
Wish I’d thought of that - I used my pet Boa Constrictor.
Re:cumbersome process of using crypto-based hardwa (Score:5, Funny)
Yeh, me too. Now I've been arrested for indecent exposure.
Re: (Score:1)
Right, perhaps a picture of your face or fingerprint, for example.
Yeah, because no one could ever get a picture of my face or my fingerprint. It's just totally impossible.
Re: (Score:1)
Wooosh....!
Re: (Score:1)
I'd photo my pee pee, but I like to swim a lot and there's some shrinkage.
Re: (Score:1)
Just take a picture of your phone.
Re: cumbersome process of using crypto-based hardw (Score:3, Funny)
But then you would have to carry another phone to take a phone picture of your phone.
Better yet, a mirror is less expensive, take a phone picture of your own phone.
But what if others discover you authenticate with a phone picture of your phone? They could take a phony phone picture of a phone and blast! Phoned again!
Phones!
Re:cumbersome process of using crypto-based hardwa (Score:4, Insightful)
Not to mention that, whatever the object is, you’ve got to have it with you at all times - so pick carefully!
This was the first thing that popped into my mind...what magical object must I always have available that isn't susceptible to being lost or stolen? And the answer is ....nothing.
If the object is always available to be photographed, it must always be with you, no? And if it's always with you then it could get lost or stolen.
I don't see how this is a solution to anything, frankly.
Re: (Score:2)
I only have one hand, you insensitive clod!
Re: (Score:2)
Even worse, if someone sees you take a picture of, say, that particular keychain doll you have, they can go onto amazon and order the same item.
Re: (Score:3)
Or if someone compromises an app on your phone with camera permission (or simply persuades you that this free game that you want to play needs camera permission) and takes a photo, they can then use the same photo.
I'm too lazy to RTFA, but the description in TFS is a bit confusing: are the photos really compared on the phone? If so, how do they communicate with the server, do they just speak the U2F protocol? If so, they've just replaced a button with the need to take a photo, which doesn't sound like mu
Re: (Score:2)
This was the first thing that popped into my mind...what magical object must I always have available that isn't susceptible to being lost or stolen? And the answer is ....nothing.
I can see a bunch of problems with this idea, but I don't think what you're saying is a serious problem. Any authentication method that's "something you have" has the danger of being lost or stolen. I carry my keys, wallet, and cell phone with me everywhere, and I've never had any of those things get lost or stolen. Admittedly, I may just be lucky that I never ran into a good pickpocket, but still, those things don't get lost or stolen every day.
Re: (Score:2)
Any authentication method that's "something you have" has the danger of being lost or stolen.
Yes, that's exactly my point.
I carry my keys, wallet, and cell phone with me everywhere, and I've never had any of those things get lost or stolen. Admittedly, I may just be lucky that I never ran into a good pickpocket, but still, those things don't get lost or stolen every day.
Yes, they do.
You're lucky and/or careful. Thousands of people lose one (or more) of those things every single day. Have you ever seen the lost cellphone bin at an airport? It's a highly-controlled environment and yet thousands of people lose their phone, keys, wallet, passport, etc in airports all the damn time.
Re: (Score:2)
those things don't get lost or stolen every day.
Yes, they do.
My point is, it doesn't happen to any particular person every day. If you're losing your wallet and keys every day, then you're going to have all sorts of problems.
Re: (Score:2)
My point is, it doesn't happen to any particular person every day.
Be real- you only have to lose any of these things once for it to be a problem, even more so if they serve as a login validator.
Re: (Score:2)
Sure, it's a problem, but that doesn't mean it's a disqualifying problem. People lose their keys sometimes, but that doesn't lead us to say, "Well we can't use keys anymore!" People's wallets get stolen sometimes, but they're still generally a decent solution to a problem. People forget passwords, passwords get compromised, but we still use them.
There are going to be problems and flaws with every security scheme, but the purpose of security is not to be perfect. If you set out to create a security sche
Re: (Score:2)
Sure, it's a problem, but that doesn't mean it's a disqualifying problem.
Then feel free to participate as enthusiastically as you like. I'll pass.
Re: (Score:2)
Re: (Score:2)
Disregard any security measures that don't offer perfect security. See how far that gets you.
Don't put words in my mouth, you petulant little asswipe.
Re: (Score:2)
Have any unique tattoos? (preferably w/out having to take your shirt or pants off?)
Re: (Score:2)
Have any unique tattoos? (preferably w/out having to take your shirt or pants off?)
Nope, and I don't plan on getting any.
Re: (Score:2)
Like, say, the RSA token I carry for 2FA?
Re:cumbersome process of using crypto-based hardwa (Score:4, Funny)
Use a photo of your Yubikey!
Re: (Score:1)
You could use a picture of your phone! You have that with you all the time!
Oh wait...
Re: (Score:2)
Also, the object could get stolen, or you could break it and it might get damaged in such a way that it no longer registered.
Plus, it's a bit conspicuous to take a picture of something, so other people are going to figure out what your token is. Once I know you're using your watch as your token, could I buy an identical watch and spoof it? Could I use a picture of your watch instead of the actual watch? Could I just use a picture of the same watch model, without having to buy an identical watch or steal
Re: (Score:1)
No, better pick something that has the same shape regardless of temperature.
Re: (Score:2)
Well I would personally also prefer for you to touch you yubikey instead of whipping out your phone to take a picture of your ... personal thing...
Re: (Score:2)
If a 2FA device has some means of communication to the site that is authenticating, 2FA is trivial. Just like with Google, Blizzard, or Duo... when you log on, your phone pops up (login attempt detected... Allow/Deny), you hit "allow", and you are in.
It would be nice if there were an open standard for this, with the site wanting authentication storing a public key, and the 2FA device generating and storing a private key onboard. Right now, we have an open standard for shared secrets, but it would be nice
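The public-key challenge-response the comment above sketches, as an added example in Go (not code from the post, from Pixie, or from any existing product): the site stores only a public key and a fresh nonce per login, and the device signs origin-bound challenges with a private key that never leaves it. Type and function names are assumptions made for this example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)
// Device models the hypothetical 2FA token (constructed for this example):
// it creates a key pair once and exports only the public half.
type Device struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey // all the site ever receives, at registration time
}
func NewDevice() (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv, Pub: pub}, nil
}
// Respond signs the site's challenge with the origin bound into the message,
// so a challenge relayed from a different site does not verify.
func (d *Device) Respond(origin string, challenge []byte) []byte {
	return ed25519.Sign(d.priv, append([]byte(origin+"|"), challenge...))
}
// Site stores one public key per user and at most one outstanding challenge.
type Site struct {
	origin  string
	pubKeys map[string]ed25519.PublicKey
	pending map[string][]byte
}
func NewSite(origin string) *Site {
	return &Site{origin: origin, pubKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}
func (s *Site) Register(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }
// Challenge issues a fresh 32-byte nonce; Verify consumes it, so a captured
// response cannot be replayed for a later login.
func (s *Site) Challenge(user string) ([]byte, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[user] = c
	return c, nil
}
func (s *Site) Verify(user string, sig []byte) bool {
	c, ok := s.pending[user]
	if !ok {
		return false
	}
	delete(s.pending, user) // single use: a replayed signature fails here
	return ed25519.Verify(s.pubKeys[user], append([]byte(s.origin+"|"), c...), sig)
}
```

A replayed response, a response signed for another origin, and a response from a different device all fail Verify, which is the property the shared-secret codes the comment contrasts this with do not give you.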
Re: (Score:2, Funny)
free willy !
Parts of the body? (Score:5, Funny)
Well, now we know what every guy will use.
Re:Parts of the body? (Score:5, Funny)
Siri: "Sorry, that object is too small to use for identification purposes."
Re: (Score:2, Redundant)
That's what I'll be using. But only if the algorithm can handle pictures that must be taken in panoramic mode.
Re: (Score:3)
Re: (Score:2)
Cold days may be a problem too...
If you try to authenticate outside in public that might be the least of your problems...
Re: (Score:2)
Re: (Score:2)
Too many pictures of that out on the Internets already.
Re: (Score:2)
Well, now we know what every guy will use.
Just make sure you don't misplace it [youtube.com].
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Well, now we know what every guy will use.
Now I need to get an erection every time I want to log in
Re: (Score:2)
Interesting, but... (Score:3)
Re: (Score:3)
the actual problem is that at least from the blurb the "app" compares the images.
that's right, the app itself. not the 2fa authority ? this would be a huge problem..
Re: (Score:2)
Either the app tests it, in which case just the encrypted confirmation to the server needs to be broken, or the app sends tons of images to the server - and considering how big the images are on some cell phones, and only getting bigger, that'll eat through your data plan pretty quickly. Imagine having to upload 10 MB (maybe multiple times due to bad lighting, shaking hand or the like) just to log into Facebook.
Re: (Score:2)
Re: (Score:1)
The article gives a False Reject Rate of 4.25%, which I thought was annoyingly high. It seems they tuned their threshold to push down the false accept rate to 0.02% and just accepted the annoying FRR.
someone must have shit this out while drunk (Score:5, Insightful)
Re: (Score:2)
credit cards and drivers licenses come to mind :)
Re: (Score:2)
Re: (Score:2)
Not to mention uploading lots of personal information and spewing it across wifi on a regular basis ;)
Re: (Score:2)
credit cards and drivers licenses come to mind :)
Just your wallet itself might be good enough.
Re: (Score:3)
I'd have to get me wife to let me borrow it from time to time. ;)
Re: (Score:2)
credit cards and drivers licenses come to mind :)
Both of these expire and get replaced periodically. And if a credit card is misplaced, the replacement has a new number.
Re: (Score:2)
My guess is that this is not for casual use. Does a phone need that level of security? If you're not the president, then no. If you store passwords to other accounts on your phone, then there are other security actions that should be taken before 2FA. Put the 2FA on your bank account, not your social media.
Re: (Score:2)
I don't have a mother so good luck with that Mr Hacker.
Re: (Score:2)
It's worth noting that this was published in Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies. This is a brand-new journal, so all submissions are likely to be either bad work that can't get published anywhere else, from people who are submitting some of their second-rate work to help the journal get established, or from people who are betting that it will become well-known later and so submit something there in the hope that they'll retroactively end up with a prestigiou
Re: (Score:2)
my dogs are not ordinary (Score:2)
"a personal object" (Score:2)
their entire server is full of pictures of dildos
Re: (Score:2)
Re: (Score:2)
Hey look! Pictures of my junk [uwyoming.org].
Re: (Score:2)
Re: (Score:1)
Indeed. The objects shown in the illustrations aren't secret, and aren't unique. If you're calling the object "something you have" and the camera angle "something you know", anyone with the same watch (for example) satisfies the first of those.
Re: (Score:2)
I am a horse with a staple who knows a correct battery when he sees one.
Two Questions (Score:2)
I have some questions about this.
What happens if I lose the object or need to change the object I use for authentication? If I use my watch, what happens when I lose my watch or need to get a new watch for some reason? Can the picture be changed?
If the authentication takes place locally, could malware be downloaded that defeats the authentication?
The numbers don't stack up (Score:2)
The summary states "a false accept rate below 0.09% in a brute force attack with 14.3 million authentication attempts."
So, in that 14.3 million attempts, they still got in 12,870 times.
Uh (Score:1)
In automated tests, Pixie achieved a false accept rate below 0.09% in a brute force attack with 14.3 million authentication attempts.
14,300,000 x 0.09% = 12,870. How can it be said that a form of authentication is secure when it only requires less than 10,000 guesses before it flubs and accepts a false response?
only 0.09% false positive. (Score:3)
Their actual test says 4.5% false reject rate.
They also say only 78% of people were able to successfully use their app to make an authentication.
Needs some work.
I like it (Score:2)
Instantly made me think of Inception and the concept of a totem. So it's some personal trinket.
In the absence of anything else good, I do like it. It's something you create (hopefully?), so I love that it has that aspect, so it should be as unique as you decide to be.
It still has the disadvantage of being something someone else can take from you, or you can lose, but as one part of 2FA, having it taken shouldn't be much of an issue. Loss of the item really depends on how difficult it would be to replace.
If you want this to catch on (Score:2)
...Be sure it's not just for smartphones. Throw PC and laptop users a bone too, make it so we could use a webcam on our PC/laptop to 'see' the object for usage in 2FA. OK? Good idea.
False accept rate (Score:1)
"has a false accept rate of only 0.09%"
So that's about a 1/1000 false accept rate against a brute force attack, which is comparable to some biometrics. This actually isn't very good. A determined attacker will not just send random pictures, but will send pictures that they think the target of the attack may have used. This results in a much higher false accept rate.
Even 1/1000 is marginal enough that substantial rate limiting is going to be needed to keep the account secure. Compare that against the securit
Meh. They should use something truly unique (Score:3)
Like a blood sample. So every time you want to log in to funnycatpictures.com and post to its mighty forum, you just jab a needle in your vein for a second and let the analyser do its thing.
Seriously, could they come up with any idea more stupid than this? It requires you to carry a specific object with you, and to never ever lose that object. The pattern matching must be fuzzy enough that the same object shown in different lighting, under different angles, etc. is still allowed, but strict enough that a similar object is not. And it must allow for differences in background as well.
And of course your security is shot if any of your photos is captured. Or if another of your (public) photos accidentally reveals the item. So let's see: it must be something you always carry with you, yet isn't visible on any public photos. Your underwear, maybe? I can just see myself logging in in the local Starbucks...
Ob (Score:2)
Tits or GTFO!
really? (Score:2)
how is this much better than using an authenticator or an extra password/sms?
This is really one of the dumbest ideas I've heard. So what do I do if I don't have the object near me? And do I have to photograph it every time from the same angle?
Re: (Score:2)
William Gibson called, and Johnny Mnemonic wants his pictures back!
But, speaking of pictures, how does the system deal with pictures of pictures? Keep picture of SO in wallet, use picture of picture as your key. Seems like this might have some potential tbh, especially if you're careful in how you frame the background (as a "3rd factor").
Admittedly I can't see myself using it, way too much faff, and relies on my having my phone with me when I want to access w/e it is I'm trying to access. Can't think of muc
Bet you can fool this (Score:2)
Re: (Score:1)
They do liveness detection with iris (except in the movies) so quality iris biometric systems are _not_ fooled by a picture. This doesn't seem like a possible countermeasure with an inanimate trinket.
Time (Score:2)
privacy (Score:1)
Re: (Score:1)
Hair today, gone tomorrow.
Re: (Score:2)