Naked Security

Could EarEcho change the way we authenticate our phones?

Researchers have discovered a way to use wireless earbuds as a biometric authentication system.

We’re used to identifying ourselves to our phones using our fingers, our faces, and even our irises, but now, researchers are targeting a new piece of our body that they say could be the perfect identifier: the inside of our ears.

Researchers at University at Buffalo, State University of New York and Syracuse University have discovered a way to use wireless earbuds as a biometric authentication system. Called EarEcho, it uses a small microphone inserted in a regular pair of wireless earbuds. When the earbuds play audio, it records the sound that bounces back from the ear canal, creating a unique profile of the user’s inner ear.

EarEcho feeds the audio that the microphone picks up into a support vector machine (SVM), which is a machine learning model that learns how to identify the user’s unique ear pattern.

The result is an accurate verification method, according to their paper. The researchers tested the system on 20 subjects, listening to five different pieces of prerecorded conversation in different environments such as a shopping mall, a cafe, and the street. The system reached around 97.5% accuracy when identifying people based on just three seconds of audio, the paper reported.

More secure than other biometrics?

Fingerprints may be among the most popular biometric authentication methods, say the researchers, but they argue that fingerprints are also subject to spoofing attacks. They also criticise facial recognition, and specifically Apple’s FaceID, for the same reason (researchers claim to have spoofed Apple’s technology before and we know there are use cases that it has difficulty coping with). Earbud-based authentication is a better idea, they added:

With the popularization of wireless earphones, more and more users are getting used to wearing earphones while working, studying or strolling…

Compared with face IDs, fingerprints and voiceprints, the EarEcho presents a more unobtrusive authentication approach with great usability potentials.

One advantage of this approach, they say, is that it is relatively immune to side-channel and replay attacks, in which an attacker can eavesdrop on someone’s biometric information through audio recordings or high-definition photographs and then reproduce it. After all, you might be able to pick up a copy of someone’s fingerprint somewhere, but you’ll have a hard time surreptitiously probing their inner ear canal.

The weaknesses of this technology seem to be more commercial than technical. Phones already feature some form of face and fingerprint recognition built into the device itself, and it seems dangerous to move that authentication entirely onto another device (what if someone forgets their earphones?). Earphones are also easy to lose, especially wireless ones, and losing your main form of authentication would be troublesome.

Finally, if you’re playing any kind of audio through the headphones on your device, then you’ve probably already authenticated to get permission to do so. This means the headphones would have to play their own audio for verification purposes before logging you into your phone, or that they’d become purely a passive authentication mechanism that checked to make sure you were still you periodically after you’d logged on.

That latter use case might have some traction, though. The researchers suggest using EarEcho as an authentication mechanism for mobile payments, or for verifying your identity during sensitive conversations. The true test here is, how many people do you know who walk around with earbuds in all day, and do you consider it acceptable behaviour?

Are we likely to see this inside Apple’s next generation of AirPods? It looks like the company might be concentrating on embedding temperature, perspiration, movement, and heart rate sensors into its iconic white buds for the time being. 


I have a hard time seeing biometrics as anything besides a password you can’t change. Fingerprint, ear, eye, face, maybe bite pattern, or tongue imprint will be next lol. Ohh, a flatulence analyzer… does your login and health analysis in one step…


I do tend to agree with this thought – I think biometrics only seem plausible as authorisation rather than authentication.


Is 97.5% really an acceptable level of accuracy for authentication? That means one in every 40 attempts will either wrongly deny access or (worse) wrongly grant access. Doesn’t seem good enough to me.


Seems like this would require using the same earbuds, as variation between sets would be a possible problem. Also, in addition to the issue of whether people would want to haul their earbuds around constantly just to access their mobile device, what happens when those earbuds poop out? They’d be locked out of the device. And if variation between earbuds is in fact an issue, then they could be locked out “permanently”.

