We introduce Pixie, a novel, camera based two factor authentication solutionfor mobile and wearable devices. A quick and familiar user action of snapping aphoto is sufficient for Pixie to simultaneously perform a graphical passwordauthentication and a physical token based authentication, yet it does notrequire any expensive, uncommon hardware. Pixie establishes trust based on boththe knowledge and possession of an arbitrary physical object readily accessibleto the user, called trinket. Users choose their trinkets similar to setting apassword, and authenticate by presenting the same trinket to the camera. Thefact that the object is the trinket, is secret to the user. Pixie extractsrobust, novel features from trinket images, and leverages a supervised learningclassifier to effectively address inconsistencies between images of the sametrinket captured in different circumstances. Pixie achieved a false accept rate below 0.09% in a brute force attack with14.3 million authentication attempts, generated with 40,000 trinket images thatwe captured and collected from public datasets. We identify master images, thatmatch multiple trinkets, and study techniques to reduce their impact. In a user study with 42 participants over 8 days in 3 sessions we found thatPixie outperforms text based passwords on memorability, speed, and userpreference. Furthermore, Pixie was easily discoverable by new users andaccurate under field use. Users were able to remember their trinkets 2 and 7days after registering them, without any practice between the 3 test dates.
展开▼