Pixie: Secure Camera Based Two Factor Authentication (2FA)
In this project we investigate mobile authentication alternatives to text-based passwords, PINs and biometrics. We introduced Pixie, a novel, camera based two factor authentication solution for mobile and wearable devices. Pixie leverages the quick and familiar user action of snapping a photo to simultaneously perform a graphical password authentication and a physical token based authentication. Pixie establishes trust based on both the knowledge and possession of an arbitrary physical object readily accessible to the user, called trinket. Just like setting a password, the user picks a readily accessible trinket of her preference, e.g., a clothing accessory, a book, or a desk toy, then uses the device camera to snap trinket images (a.k.a., reference images). All the user needs to do to authenticate is to point the camera to the trinket. If the captured candidate image matches the reference images, the authentication succeeds. For a quick illustration, see the following video.
Unlike other token based authentication methods, Pixie does not require expensive, uncommon hardware to act as the second factor; that duty is assigned to the physical trinket, and the mobile device in Pixie is the primary device through which the user authenticates. Pixie only requires the authentication device to have a camera, making authentication convenient even for wearable devices such as smartphones and smartwatches. Pixie also improves on biometrics, by freeing users from personal harm, providing plausible deniability, allowing multiple keys, and making revocation and change of secret simple.
We further introduced ai.lock, a practical, secure and efficient image based authentication system that converts general mobile device captured images into biometric-like structures. ai.lock enables us to provide secure authentication and storage of Pixie credentials that is resilient even to adversaries who capture the authentication device or get their hands on the password file stored by the remote server.