Several years back I thought about building a silly offline-first, peer- to-peer (P2P) application for a small audience and playing around with alternative authentication schemes and felt I came up with a fun one.

I was aware at the times of some experiments in P2P authentication involving various schemes of taking a user-supplied password and applying some form of key derivation function (KDF) to produce a cryptographic key of more or lesser security. Using user-supplied passwords has an unfortunate means to trend “insecure” and susceptible to threats, which is part of why I think all of my links to projects exploring that at the time I captured my project notes are broken today.

The application was going to be “social media—like” and a key property of any good communications app is the user’s profile picture (PFP). We all love those little thumbnail pictures used to represent a user or at least their expression of themself. Most of us know pretty well that process of adding an image to build a PFP, an app asking us to squeeze our image down to fit their size constraints and overlay template. These days it’s become somewhat of a common design language that PFPs be cropped into circles everywhere because “circle means PFP”, but older apps and “non-standard” apps might still use squares or squircles (squares with rounded edges).

The basic idea of “PFP Auth” was to use that PFP generation process as also the process to generate the cryptographic key to secure the account. We could use data from the original image (such as a hash of its contents) used to generate a PFP as the input to a KDF. The nature of scaling and cropping an image munges and deletes data compared to the original file, so the “password strength” of a PFP’s original image file would be related to its difference in scale and amount of data entirely cropped from the resulting PFP. The “modern standard” that a PFP should be displayed as a circle would help ensure a good chunk of each corner is lost and support a baseline entropy. An application could require a minimum scaling factor (requiring the original image to be say at least twice as big as the final PFP size) to also help set a baseline entropy.

To regain access to an account you only need to supply the original file again. It’s implausible in many cases to be able to recreate the original file given only the PFP output after scaling and cropping. (It forms a sort of “reverse steganography” of careful data removing from one form to the other.) A benefit here is that the average person often already has a multi-device sync setup for such images and likely can supply the original file on all of their devices pretty easily.

I like in this authentication scheme that there’s a trust/knowledge relationship/mirror between the original image and the PFP that resembles the private and public keys of cryptography needed for certain types of P2P architectures. “I can recognize my public key by its PFP.”

I also like that PFP Auth is a “passwordless” scheme that doesn’t use a traditional password field. (Though it still essentially uses the original image file as its password.)

There are some obvious threats to consider in PFP Auth:

  1. Images are easy to copy between devices. (Same reason it is useful for multi-device login, it also opens up threat models for bad actors to try to social engineer copies.)
  2. Some people use common images for PFPs. (Not unlike common passwords, this is as much a social problem you can’t control.)
  3. “Imposter accounts” are still possible to create. While it is hard to recreate an original image from a cropped/scaled PFP creating a very similar PFP from a different image cropped/scaled to same dimensions is certainly possible.
  4. In the long term, image files can be subtly modified by those same easy copying/syncing tools, especially metadata in the file is often commonly changed. But even sometimes subtle things like background recompression to save space happens.

These and other similar concerns are why I don’t think PFP Auth would make a good authentication scheme for a website or a general use application, but under the original design constraints of a silly application for a niche audience in a specific environment it is probably still a good fit.

Maybe I’ll return to an application idea like that again and actually attempt to implement PFP Auth, but it’s such a fun idea it seemed worth blogging about rather than just gathering dust in my personal notes from years back.