Full Program »
A Secure Mobile Authentication Alternative to Biometrics
Biometrics are widely used for authentication in consumer devices and business settings as they provide sufficiently strong security, instant verification and convenience for users. However, biometrics are hard to keep secret, stolen biometrics pose lifelong security risks to users as they cannot be reset and re-issued, and transactions authenticated by biometrics across different systems are linkable and traceable back to the individual identity. In addition, their cost-benefit analysis does not include personal implications to users, who are least prepared for the imminent negative outcomes, and are not often given equally convenient alternative authentication options.
We introduce ai.lock, a mobile authentication method which uses an imaging sensor to reliably extract authentication credentials similar to biometrics. ai.lock moves the source of information from the user to an externality, as it does not require a visual of the user's body, but that of a personal accessory, object, or scene that the user can recreate at authentication time. ai.lock improves on biometrics by freeing users from personal harm, providing plausible deniability, allowing multiple keys, and making revocation and change of secret simple.
Despite lacking the regularities of biometric image features, we show that ai.lock consistently extracts features across authentication attempts from general user captured images, to reconstruct credentials that can match and exceed the security of biometrics (EER = 0.71%). ai.lock only stores a "hash" of the secret object's image. We measure the security of ai.lock against brute force attacks on more than 3.5 billion authentication instances built from more than 250,000 images of real objects, and 100,000 synthetically generated images using a generative adversarial network trained on object images. We show that the ai.lock Shannon entropy is superior to a fingerprint based authentication built into popular mobile devices.