Your shoe, chewing gum, or ciggies are now your extra password

Computer researchers at Florida International University and Bloomberg have come up with an alternative to crypto baubles like YubiKeys for two-factor authentication. It's not that there's anything wrong with YubiKeys and similar login tokens, apart from the occasional security blunder. But they can be a potential faff for non …

  1. Neil Barnes Silver badge

    I lost track somewhere

    Is this software saying photograph a trinket, and then requiring a further view of that trinket to identify you? Or showing you a number of random trinkets and saying which one is yours?

    Neither seems spectacularly helpful: the first requires you to have the trinket to hand for all future login attempts (ok for a tattoo I suppose) while the second doesn't seem to offer great numbers of choices.

    Or am I just confused? It's early...

    1. macjules

      Re: I lost track somewhere

      You take and upload a picture of your watch, selfie, shoes or something that you will always be able to use as a reference. Then when you need to run Two Factor Authentication you simply take a picture of the same item and if it matches then you are authenticated. Note that dick shots are not going to be easy to use when you need to check your bank balance in the middle of an airport.

      FTFY.

      1. VinceH

        Re: I lost track somewhere

        So when you see someone taking a picture of their left shoe (or whatever) you know now that when you mug them and steal their phone, you also need to steal their shoe.

        Or if they're taking a picture of something less practical to steal, such as their right ear (the 2FA image may include the surrounding hair, so just lopping it off won't be good enough), take a photo of it with your own phone while you're mugging them. You can then show the picture to their phone.

        Yup. This is a really good idea, and completely without any potential flaws. Sign me up.

        1. DropBear

          Re: I lost track somewhere

          Dumbest idea in a long time. Is this a side-effect of doing too much "disrupting"? After the third time you log into whatever even the hotdog seller on the other end of the street is going to be keenly aware you're using your watch to authenticate (nothing else will really be guaranteed to be always at hand so that's what you're going to use). Especially after you took the third shot of it in a row because the software doesn't quite like the angle you held it at. Or the different shirt sleeve you're wearing right next to it today. I kinda prefer my "something you have" items to be universally unique anyway, literally, so no thanks.

        2. PatientOne

          Re: I lost track somewhere

          "take a photo of it with your own phone while you're mugging them. You can then show the picture to their phone."

          The article mentions picking which bit of the picture is used to authenticate: That suggests just having a picture, or the item, isn't enough.

          It's still a stupid idea, of course: What if someone has stolen your watch, or you've just lost it? Or you simply don't have it on you that day? Yes, other 2FAs can suffer from the same problem and potentially worse ones (battery's run out on the dongle, your phone's got locked, someone hacked your e-mail account and locked you out and so on), but you can get most of those things sorted without resorting to the failsafe option (one use password to bypass the 2FA, then a 2FA removal password to remove the option before creating a new one as an example).

          That won't stop people from loving the idea, however - at least until they've lost the item they used.

          1. Charles 9

            Re: I lost track somewhere

            So use something you're nigh-guaranteed to have. A watch is generally good because it's tricky to nick something so close to one's person. Me? I'd flip it off.

  2. FuzzyWuzzys
    Facepalm

    "Oh dammit, I left my 'password shirt' at home now I can't get my shopping done!"

  3. Anonymous Coward

    my cat is chipped for identification

    put chips in people and your hardware key is present.

    ie put false nails on your fingers with RFID

  4. martino

    I don't have an object that I keep on my person at all times, but I do have a pattern of lines on my fingertips, that seem to be pretty unique. If I took a picture of those and used that as my "trinket", would that work?

    1. DropBear
      Trollface

      Sure, but how do you change it once it's compromised because you keep leaving an image of it on literally everything you touch...?

  5. Anonymous Coward

    Only one choice to make for my 2FA trinket, flaccid or erect? Now that is secure, I've already done the penetration testing.

    1. DropBear
      Trollface

      This is 2.0 with enhanced security - you need to enter your password in Morse code, erect is dash, flaccid is dot - now get to work!

  6. Anonymous Coward

    Does it have to be a solo effort or can I get someone to give me a hand?

    1. Fat-Boy-R-Dee
      Coat

      Now that's job creation!

    2. Anonymous Coward

      I think you'd need two assistants, one to get it erect, and one to reverse the process...

      1. Fruit and Nutcase Silver badge
        Paris Hilton

        @AC

        I think you'd need two assistants, one to get it erect, and one to reverse the process...

        dash - Paris, naturally

      2. Anonymous Coward

        "reverse the process"

        Do you mean backdoor it?

  7. Fat-Boy-R-Dee
    Facepalm

    More keys = more SPOFs

    So, if I'm interpreting the article correctly, you would need both your phone (maybe another with the app?*) and your photographed item for this to work.

    There are now three potential SPOFs - you forget your password, you lose your phone, or you don't have the magic item in question. Will it become like a smart captcha where 8 out of 11 factors gets you in?

    If this ever becomes an implemented scheme where I work/shop, I know what my magic item's gonna be:

    http://stvmcqueen.tripod.com/salute.jpg

    * Which leads to all kinds of hack-written (sorry, no pun intended) spy movie scenes ... "my voice is my passport, verify me" ...

    1. Charles 9

      Re: More keys = more SPOFs

      Ever thought that's what you WANT since losing any one could mean you're already compromised? Better to fail safe, IOW?

  8. Allan George Dyer

    Do people keep gum packs for longer than it takes to consume the contents?

    "Honey, I cleaned the rubbish out of your jacket pockets"

    "Noooo!! Now I can't login!"

    1. Mr Templedene

      No, but people do habitually chew the same gum, or smoke the same brand of cigarettes, etc.

      Bit awkward when the packaging changes, or in the UK where every pack of cigs looks the same apart from the gruesome spoiler image, but you get the idea.

  9. Steve the Cynic
    Joke

    "What else could be used to prove your identity along with a pass phrase that's easy to use and carried around with you? It's right under your nose."

    What? I have to grow a moustache?

  10. Anonymous Coward

    And a picture of a woman in gym kit is relevant... how?

    1. Fruit and Nutcase Silver badge
      Coat

      @AC

      And a picture of a woman in gym kit is relevant... how?

      You must be new here

  11. Anonymous Coward

    Are they called researchers because they'll need to search again and a bit harder to find a good idea?
