Listening Watch sounds out security idea with websites that listen

Mobile authenticator apps are a great way to improve password security. If only they didn’t slow you down by making you type in those darn numerical codes. Surely, in 2018, there must be a better way?
Two researchers at the University of Birmingham Alabama think they may have an answer, but it needs a pair of halfway-decent speakers, a phone, and a smartwatch.
Listening Watch, a project based on earlier work by researchers Prakash Shrestha and Nitesh Saxena, uses the power of sound to log you into your favourite websites. There’s a paper describing the concept here.
When logging into websites, two-factor authentication (2FA) offers an extra layer of protection over and above passwords because it checks an additional asset that the user owns before granting access. In some cases, this asset is a separate hardware token. In others, it’s a commonly-owned device like a smart phone. 
Attackers are always looking for ways to break 2FA. For example, RSA had to replace most of its SecurID tokens in 2011 after someone stole the codes used to initialise each one. NIST deprecated SMS as a 2FA mechanism in June last year after intruders were found stealing peoples’ phone numbers and using them for false authentication.
2FA is also finicky to use – it involves an extra step to log in to something – which is annoying for users. A 2016 study showed that 28% of users don’t use 2FA, and six in ten of those that do only do it because someone makes them.

An easier way?

Using the Listening Watch method, a user trying to authenticate to a website enters their username and password as usual. The site then sets up two separate conversations. One is with the browser and the other with the user’s smartphone, which is linked to the smartwatch or fitness wearable on their wrist.
The website sends the browser an audio signal with computer-generated speech reciting a random code. At the same time, it also sends a message to the user’s phone to make the wearable device record whatever it hears.
The browser plays the audio aloud, records its own audio and sends it back to the website, which forwards it to the phone. The smartwatch records whatever it hears at the same time, and also sends it to the phone. If the user is wearing the watch, then both the browser and the watch should have heard the same thing.
After receiving both the audio from the website and the audio from the smartwatch, the phone uses speech recognition to extract the spoken code from each. If the codes match, it also compares the two audio signals to see if they are similar. If they are, then the user is close to the browser and the phone tells the site to accept their login request. Otherwise, the login is rejected.
This research is a complete redesign of an earlier project from the same researchers called Sound-Proof. This used a similar concept, but instead of spoken codes, it relied on ambient sound. This was vulnerable to compromise by remote attackers who could predict and replicate those sounds. An attacker close to the user could simply have recorded the same ambient sounds to attack the system.
The Listening Watch system’s spoken code stops remote attackers by making the sounds unique to the local environment and entirely unpredictable, said the researchers. The use of a wearable device, which typically has a relatively low-resolution, limited-range microphone, makes it possible to record audio without others eavesdropping, the researchers added. There is, however, a danger that smartwatch microphones would get more powerful, which would open the process up to local attack, they admitted.
So, this would be a low-friction 2FA mechanism for websites, just so long as you weren’t listening to your headphones when you try to access your bitcoin exchange. It’s a tantalizing idea, but for the time being at least, security conscious web users will likely still be playing hunt-and-peck with authenticator codes.