A Secure Mobile Authentication Alternative to Biometrics

TL;DR

ai.lock is a novel image-based authentication method for mobile devices that offers comparable security to biometrics without the privacy and security risks, using object images as secret credentials.

Contribution

This paper introduces ai.lock, a secure, secret image-based authentication system that surpasses biometric security and addresses privacy concerns in mobile device authentication.

Findings

ai.lock achieves an EER of 0.71%, comparable to biometric systems.

It is secure against brute force attacks on over 3.5 billion instances.

Shannon entropy of ai.lock exceeds that of fingerprint-based authentication.

Abstract

Biometrics are widely used for authentication in consumer devices and business settings as they provide sufficiently strong security, instant verification and convenience for users. However, biometrics are hard to keep secret, stolen biometrics pose lifelong security risks to users as they cannot be reset and re-issued, and transactions authenticated by biometrics across different systems are linkable and traceable back to the individual identity. In addition, their cost-benefit analysis does not include personal implications to users, who are least prepared for the imminent negative outcomes, and are not often given equally convenient alternative authentication options. We introduce ai.lock, a secret image based authentication method for mobile devices which uses an imaging sensor to reliably extract authentication credentials similar to biometrics. Despite lacking the regularities of biometric image features, we show that ai.lock consistently extracts features across authentication attempts from general user captured images, to reconstruct credentials that can match and exceed the security of biometrics (EER = 0.71%). ai.lock only stores a hash of the object's image. We measure the security of ai.lock against brute force attacks on more than 3.5 billion authentication instances built from more than 250,000 images of real objects, and 100,000 synthetically generated images using a generative adversarial network trained on object images. We show that the ai.lock Shannon entropy is superior to a fingerprint based authentication built into popular mobile devices.