User authentication with your smartphone camera
ToothPic Authenticate is an innovative authentication system based on identifying the camera sensor of a smartphone or tablet. Traditional authentication systems verify a knowledge factor, represented by a username and password. This approach is not sufficiently secure, since users often choose predictable or trivial passwords and tend to reuse the same password to access multiple services.
To strengthen the security of the system, a possession factor can be verified as a second authentication step. Current systems rely on a temporary code (OTP) which is either generated by a dedicated device (token) or by a mobile app (authenticator), or received by SMS or voice call. These systems are not very user-friendly, in particular when used on a mobile device: typing the OTP into a form usually leads to typos and requires frequent app switching. To overcome these issues, push apps have recently been introduced. They offer the user a “single-click” experience by confirming or denying an access through a notification sent to the user’s mobile, but they rely only on some secret stored in an encrypted portion of the device memory.
Replacing current authentication systems with technologies that are both user-friendly and intrinsically secure is a topic of great interest for big companies and institutions. ToothPic Authenticate represents a disruptive solution for authentication systems since it verifies users’ identity with a single-click on their smartphones, in an extremely secure way thanks to the uniqueness of the smartphone camera sensor fingerprint.
The main idea of the proposed technique is to use the fingerprint of the optical sensor of a user's device, e.g. a smartphone or a tablet, as a physical unclonable function for authentication. An overview of the technique is provided in the system block diagram shown below.
In the registration phase, the user enrolls into the system by providing a high-quality estimate of the device fingerprint, obtained from a certain number of photos acquired in controlled conditions. Instead of directly sending the fingerprint, whose size depends on the sensor resolution and is usually tens of MBytes, the client first compresses it by means of the novel patent-pending ToothPic technology. The client also computes some side information, which will be stored and then used in the authentication phase. For security reasons, the actual compressed fingerprint is not stored at the server side. Instead, the server extracts a uniformly random bit string from the compressed fingerprint and stores a secure hash of this bit string, together with a secure sketch of the fingerprint. In case of a server breach, the secure hash and the secure sketch are not enough to reproduce the user’s identity.
In the authentication phase, the user reproduces a noisy version of the device fingerprint by acquiring a fresh set of photos and compressing the resulting fingerprint according to the stored side information. The server then combines the compressed fingerprint received by the user with the secure sketch stored in its database to verify the user’s identity. If the user provides a version of the compressed fingerprint sufficiently close to the enrolled one, then the server is able to reproduce the same hash of the enrollment phase and grants access to the system; otherwise, the user is denied access.
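The enrollment and authentication flow described above can be sketched with a textbook code-offset secure sketch. This is an added example, not ToothPic's proprietary scheme or code: it assumes the compressed fingerprint is a bit list whose length is a multiple of `REP`, uses a repetition code for error correction, and uses HMAC-SHA256 with a public salt as a stand-in for the extractor; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

REP = 5  # repetition code: tolerates up to 2 flipped bits per 5-bit group

def _encode(bits):
    return [b for b in bits for _ in range(REP)]

def _decode(bits):  # majority vote per group
    return [int(sum(bits[i:i + REP]) > REP // 2) for i in range(0, len(bits), REP)]

def _xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def _extract(w, salt):
    # Assumed stand-in for the extractor: HMAC-SHA256 keyed with a public salt.
    return hmac.new(salt, bytes(w), hashlib.sha256).digest()

def enroll(w):
    """Build the server record; neither w nor the extracted string is stored."""
    r = [secrets.randbelow(2) for _ in range(len(w) // REP)]
    salt = secrets.token_bytes(16)
    return {"sketch": _xor(w, _encode(r)), "salt": salt,
            "hash": hashlib.sha256(_extract(w, salt)).digest()}

def authenticate(record, w_noisy):
    """Correct the noisy reading with the sketch, then compare hashes."""
    r = _decode(_xor(w_noisy, record["sketch"]))
    w = _xor(record["sketch"], _encode(r))
    candidate = hashlib.sha256(_extract(w, record["salt"])).digest()
    return hmac.compare_digest(candidate, record["hash"])

def flip(w, positions):
    """Constructed noise model: invert the bits at the given indices."""
    return [b ^ (i in positions) for i, b in enumerate(w)]

if __name__ == "__main__":
    enrolled = [secrets.randbelow(2) for _ in range(640)]  # constructed sample
    record = enroll(enrolled)
    same_device = flip(enrolled, set(range(0, 640, 5)))    # 1 error per group
    too_noisy = flip(enrolled, {0, 1, 2})                  # 3 errors in one group
    print(authenticate(record, same_device), authenticate(record, too_noisy))
```

A reading within the code's correction radius reproduces the enrolled hash, while one outside it decodes to a different bit string and is rejected; the stored record holds only the sketch, the salt and the hash.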
The entire system relies on a unique and non-reproducible characteristic of the user’s smartphone or tablet, i.e., the sensor fingerprint, which is a noise pattern that uniquely characterizes a specific digital camera. Since a smartphone or tablet is supposed to be always with its owner, it is not necessary to carry an additional device for authentication purposes. ToothPic technology guarantees that this unique characteristic can be obtained only by directly accessing the optical sensor of the device, and cannot be reproduced using publicly available photos taken by that device.
The proprietary compression technique applied to the device fingerprint, besides reducing the size of the transmitted fingerprint, provides an additional security layer, since the compression process is based on secret parameters that are securely stored at the client side. Moreover, the compression technique is not reversible. This means that, if a user account based on the compressed device fingerprint is compromised, the original fingerprint cannot be reconstructed, and hence any other account based on the same device fingerprint but compressed with different parameters is not compromised.
The system can be implemented either as a stand-alone authentication system, or as a third-party service. In the first scenario, the user’s identity is verified by the same website the user is accessing. In the third-party scheme, the user’s identity is verified by a third-party server.