2023 Author: Bryan Walter | [email protected]. Last modified: 2023-05-21 22:24
Usually, two-factor authentication uses codes sent to a smartphone, or special devices - tokens. Researchers from Florida International University and Bloomberg L. P. showed that any items can be used as tokens. For example, a user can, using an application developed by them, turn his watch into a token by taking it off with a smartphone camera, while the reliability of this method is more than 99.9 percent. The development was presented at the IMWUT conference.
Typically, a combination of username and password is used to securely access a device or Internet services. This is quite convenient, but if a user has a weak password, it will not be difficult for intruders to gain access to his account. Because of this, many services support multi-factor authentication. With this authentication scheme, in addition to the password, other proofs are used that prove that it is the owner of the account and not the attacker, for example, one-time codes sent via SMS or USB-token, which is physically at the user's disposal.
American researchers decided to simplify the authentication technology using tokens and created the Pixie application, which allows using any items instead of specialized tokens. The development is based on the OpenCV open image recognition library, as well as the Weka data analysis and machine learning program. Since objects with a flat surface have a small amount of recognizable details, and the user can also take pictures of the subject in poor light or in motion, the developers have trained an algorithm to automatically identify "bad" photographs.
Authentication scheme
To create a token, the user must take a photo of it with a camera in the application, and in the future the program will recognize this object as an analogue of an authentication token. The main convenience of the system is that the user can choose as a token an item that is used every day - for example, his wristwatch or jewelry.
The researchers tested the system on the MyFIU portal, which contains class schedules and other information for Florida International University students. 42 students took part in the testing over several days, who were asked to log in to their account not only using a combination of username and password, but also using a new application. According to the test results, the volunteers were interviewed, and it turned out that the memorability of the key (text password or token), the speed of authentication and general preferences were higher for the new method.
Application interface and steps for token creation and authentication
To check the reliability, the developers tested the system on a dataset consisting of images of 40 thousand objects. The total number of authentication attempts was 14.3 million times. The share of false positives was 0.09 percent. Despite successful trials, researchers have no plans to commercialize this technology yet.
Recently, scientists from Hong Kong have proposed using the analysis of the user's lip movement when pronouncing a password for protection. And other researchers have proposed an unusual way to securely transfer passwords. To do this, they decided to use signals from fingerprint scanners, which generate signals that quickly dissipate in the air, but are well transmitted by the human body.
