A Secure Mobile Authentication Alternative to Biometrics

Biometrics are widely used for authentication in consumer devices and business settings as they provide sufficiently strong security, instant verification and convenience for users. However, biometrics are hard to keep secret, stolen biometrics pose lifelong security risks to users as they cannot be reset and re-issued, and transactions authenticated by biometrics across different systems are linkable and traceable back to the individual identity. In addition, their cost-benefit analysis does not include personal implications to users, who are least prepared for the imminent negative outcomes, and are not often given equally convenient alternative authentication options. We introduce ai.lock, a secret image based authentication method for mobile devices which uses an imaging sensor to reliably extract authentication credentials similar to biometrics. Despite lacking the regularities of biometric image features, we show that ai.lock consistently extracts features across authentication attempts from general user captured images, to reconstruct credentials that can match and exceed the security of biometrics (EER = 0.71%). ai.lock only stores a hash of the object's image. We measure the security of ai.lock against brute force attacks on more than 3.5 billion authentication instances built from more than 250,000 images of real objects, and 100,000 synthetically generated images using a generative adversarial network trained on object images. We show that the ai.lock Shannon entropy is superior to a fingerprint based authentication built into popular mobile devices.