Camera-based, single-step two-factor authentication resilient to pictionary, shoulder surfing attacks

A group of researchers from Florida International University and Bloomberg LP have created Pixie, a camera-based two-factor authentication system that could end up being a good alternative to passwords and biometrics-based 2FA options.

About Pixie

“Pixie authentication is based on what the user has (the trinket) and what the user knows (the particular trinket among all the other objects that the user readily has access to, angle and viewpoint used to register the trinket),” the researchers explained. “Pixie assigns the duty of storing the token for the second factor to a physical object outside the mobile device.”

It combines the user’s secret and the second authentication factor, and the authentication is performed in a single step: the user snaps a photo of the trinket.

The trinket can be any item worn or carried every day by the user – a watch, shoes, a piece of jewelry, shirt patterns, credit cards, logos, a tattoo, and so on. The user doesn’t have to use the whole item as the trinket, just a portion of it (e.g. a section of their shoes, a shirt pattern).


“In contrast to biometrics, Pixie enables users to change the authenticating physical factor, as they change accessories they wear or carry. This reduces the risks from an adversary who has acquired the authentication secret from having lifelong consequences for the victims, thereby mitigating the need for biometric traceability and revocation,” the researchers noted.

Testing the solution

The researchers performed a user study to see whether users would find this solution usable and helpful. Granted, the number of participants was small (42), but it showed that users had less trouble memorizing their trinket than their passwords, and half of them preferred it to passwords.


As far as authentication speed, accuracy and resilience to attack are concerned, Pixie definitely looks promising.

They implemented Pixie for Android on an HTC One smartphone, and found that it processes a login attempt in half a second. The solution also achieves a False Accept Rate (FAR) of 0.02% and a False Reject Rate (FRR) of 4.25%, when evaluated over 122,500 authentication instances.

“To evaluate the security of Pixie, we introduce several image based attacks, including an image based dictionary (or “pictionary”) attack. Pixie achieves a FAR below 0.09% on such an attack consisting of 14.3 million authentication attempts constructed using public trinket image datasets and images that we collected online,” they shared.

“Similar to face based authentication, Pixie is vulnerable to attacks where the adversary captures a picture of the trinket. However, we show that Pixie is resilient to a shoulder surfing attack flavor where the adversary knows or guesses the victim’s trinket object type. Specifically, on a targeted attack dataset of 7,853 images, the average number of ‘trials until success’ exceeds 5,500 irrespective of whether the adversary knows the trinket type or not.”

They’ve also developed features that enable the solution to reduce the effectiveness of a “master image” attack.

Potential use

Pixie can be used both as a standalone authentication solution and as a secondary one.

According to the researchers, it could be ideal for the scenario of authenticating to remote services through a mobile device, but could also be used for authentication in camera-equipped cyber-physical systems.

“For instance, cars can use Pixie to authenticate their drivers locally and to remote services. Pixie can also authenticate users to remote, smart house or child monitoring systems, through their wearable devices. Further, door locks, PIN pads and fingerprint readers can be replaced with a camera through which users snap a photo of their trinket to authenticate,” they noted.

“Pixie can be used as an alternative to face based authentication when the users are reluctant to provide their biometric information (e.g. in home game systems where the user needs to authenticate to pick a profile before playing or to unlock certain functionalities). Pixie can also be used as an automatic access control checkpoint (e.g. for accessing privileged parts of a building). The users can print a visual token and use it to pass Pixie access control checkpoints.”

There are, of course, authentication scenarios where Pixie would not be a good option, such as authentication in poor light conditions, or where there is a high risk of external observers.

The researchers have published the Pixie code (open source) on GitHub, and an Android app on Google Play.