As passwords continue to be a problem in today’s modern world, one group of computer researchers is taking a new approach to protecting the web. Researchers from Florida International University and Bloomberg have developed a two-factor authentication solution that depends on physical objects rather than code.

We use passwords to unlock sensitive information such as email, bank accounts, and other online accounts, and we hold this sensitive information on our mobile devices. However, despite the importance of passwords, users still reuse easy-to-guess passwords. To add another security layer, websites have adopted two-factor authentication, which requires users to prove their identity using two types of components. Typically this involves their password and a unique code sent to them via email or text.

“A secure and practical experience for user authentication in such devices is challenging, as their small form factor, especially for wearables, complicates the input of the commonly used text based passwords, even when the memorability of passwords already poses a significant burden for users trying to access a multitude of services. While the small form factor of mobile and wearable devices makes biometric authentication solutions seemingly ideal, their reliance on sensitive, hard to change user information introduces important privacy and security issues of massive scale,” the researchers wrote in a report.

The researchers developed Pixie to take authentication one step further. Pixie is a camera-based two-factor authentication solution designed for mobile and wearable devices.

“A quick and familiar user action of snapping a photo is sufficient for Pixie to simultaneously perform a graphical password authentication and a physical token-based authentication, yet it does not require any expensive, uncommon hardware. Pixie establishes trust based on both the knowledge and possession of an arbitrary physical object readily accessible to the user, called trinket. Users choose their trinkets similar to setting a password, and authenticate by presenting the same trinket to the camera,” according to the researchers. “The fact that the object is the trinket, is secret to the user. Pixie extracts robust, novel features from trinket images, and leverages a supervised learning classifier to effectively address inconsistencies between images of the same trinket captured in different circumstances.”

The researchers conducted a user study that consisted of 42 participants over eight days. The study revealed Pixie outperformed text-based passwords based on memory, speed and preference. In addition, users were able to remember trinkets within the eight days.

The researchers found “Pixie achieved a false accept rate below 0.09% in a brute force attack with 14.3 million authentication attempts, generated with 40,000 trinket images that we captured and collected from public datasets.”

The researchers say their approach to authentication can also be used in cars, smart houses, child monitoring systems, home game systems and to access privileged parts of a building.

About Christina Cardoza

Christina Cardoza, formerly known as Christina Mulligan, is the Online & Social Media Editor of SD Times. She covers agile, DevOps, AI, machine learning, mixed reality and software security.