Two-Factor Authentication Codes Could Get Replaced by Physical Objects, Study Finds
What if you could use a charm bracelet or a water bottle as your secret password? Researchers at the Florida International University and Bloomberg created a camera-based remote authentication solution to help you do just that on any mobile device.
The solution is called Pixie. To use it, you first pick a secret physical object like a book or a paperweight and take photos of it with a mobile device, creating reference photos. Then, each time you want to use two-factor authentication, you just hold up your trinket to the camera. Pixie is coded to warn you if the images you’ve taken are low quality, but some leeway is programmed in, so that if you unlock your phone in different lighting or take the photo at another angle, it will still recognize your object.
Like YubiKeys, Pixie lets you use physical tokens to authenticate your logins, but unlike the keys — which you insert into a USB port and have to order online for anywhere from $18 to $500 — Pixie is claiming you’ll be able to authenticate with any old object, without purchasing any additional hardware. If the research project ever goes live, you might be able to use a water bottle or a pack of gum you happened to have on hand to authenticate.
The study says you can potentially use Pixie on any device with a camera, including older mobile devices, smartwatches, and Snapchat Spectacles. According to the paper’s findings, people found using a physical token easier than recalling and entering a text password, but slower and less accurate than facial recognition, since the physical objects people choose are more diverse than the shape of human eyes and faces. Pixie was tested on Android using assorted objects, including a tattoo, a watch, and a keychain.
Using physical objects as authenticators also has a slight advantage over using human biometrics, since users can easily change their chosen objects, but would have a harder time changing their physical features. And on the off chance someone is spying over your shoulder for what object you’re using? The experts tested how secure Pixie was against a brute force attack with 14.3 million authentication attempts, and found that in 0.09 percent of all instances, Pixie would unlock for an attacker. Even if the attacker knew what object to use, the rate of success remained low.
Although the researchers don’t have plans to bring Pixie to the market, the project is a proof-of-concept, showing how physical objects could be a feasible way to use two-factor authentication. The study concludes that with more advanced image processing techniques like using deep neural networks, Pixie could become even easier to use.