Pixie Two-Factor Authentication: Photos of Random Objects Instead of SMS


SMS messages have long been considered an unreliable method for two-factor authentication. Back in 2016, the National Institute of Standards and Technology (NIST) in the United States released an important document stating that the use of SMS messages for two-factor authentication would no longer be encouraged in the future. NIST experts even called this practice “unacceptable” and “unsafe.”

The most common alternatives to SMS messages and voice calls today are hardware tokens, such as the well-known YubiKey. However, experts from Florida International University, together with Bloomberg, have introduced another interesting alternative: the Pixie system. The developers claim that Pixie is even more secure than hardware solutions.

How Pixie Works

Pixie is extremely simple to use. The user needs to choose an object, which will serve as the “key” for two-factor authentication. Pixie then asks the user to take several photos of the chosen object. After that, whenever the user needs to log in somewhere, they must take another photo of the key object, which Pixie will compare to the previous ones.

The developers explain that only the user knows what the key object is, making it nearly impossible to compromise the two-factor authentication process. There’s no way to bypass it by intercepting SMS messages or exploiting vulnerabilities in the SS7 protocol. Additionally, the user can make any object the “key,” use a photo from a specific angle, or photograph a particular part of the object.

Security and Privacy

Pixie demonstrates an extremely low rate of false positives. Out of 14.3 million brute-force attempts, false positives occurred in only 0.09% of cases. Another definite advantage is that Pixie does not transmit user data to remote servers; all authentication processes take place directly on the user’s device.

Availability

Although Pixie is still under development, anyone interested can already try out the application by downloading it from the GitHub repository.
