We know that many of us are no good at choosing our own passwords. That’s why companies are increasingly looking to bolster their own website security through additional authentication methods.
To that end, we’ve seen many different forms of two-factor authentication (2FA) employed – John Shier wrote an excellently detailed article on the topic last year in which he noted that each of the common 2FA options has its disadvantages.
His conclusion was that “true” 2FA, using a separate token, was probably the best way forward – but that such a system would likely not be free and would leave people with an annoyingly large number of tokens to manage.
While it’s better for your security to take advantage of 2FA everywhere it is available, some people see it as an inconvenience nonetheless – either because they need to lug tokens around or because of the few seconds it takes to generate a code or type in a one-time code received by SMS.
Perhaps with that in mind, a team of researchers from ETH Zurich (the Swiss Federal Institute of Technology in Zurich, Switzerland) has been looking into an alternative and altogether much simpler form of 2FA.
At the recent USENIX Security Symposium they presented a paper detailing a new tool they’ve created called Sound-Proof which, they said, was designed specifically for those users who prefer password-only authentication.
The researchers – Srdjan Capkun, Nikolaos Karapanos, Claudio Marforio and Claudio Soriente – said their verification process can confirm a person is in possession of their phone by matching ambient noise sound prints.
Conveniently, the phone doesn’t even need to be picked up as part of the process – it merely needs to be switched on and have the Sound-Proof mobile app installed (prototype apps have been developed for both Android and iOS and tested on the iPhone 6, Google Nexus 4 and Samsung Galaxy S3).
So if, for example, you enter your password on your desktop PC, the browser records a few seconds of ambient sound through the computer’s microphone while the Sound-Proof app on your phone records at the same moment.
If the two recordings are similar enough, the system concludes that the phone is close to the computer and lets the login through. The sound match stands in for the second factor: your password is still required, and the phone only proves that it is nearby.
If you’re already thinking ahead to the privacy implications of an app that deals with sound, the researchers say their tool only deals with the “digital signature” of what it hears rather than the sounds themselves.
Beyond the need for a microphone, nothing else is required on the computer end so, with no extensions or downloads, the system can be used across multiple systems with ease.
While the system sounds interesting and would likely be of benefit to anyone looking for some hassle-free additional security (the researchers say their system will likely save 25 seconds per login when compared to other forms of 2FA), it is not perfect.
In one (probably unlikely) scenario, an attacker who has already snagged your password would merely need to get close enough to you that their computer hears the same ambient sound as your phone. Because the app works without your phone being picked up, a determined attacker could in principle log in to your account while standing next to you, and you wouldn’t know about it until it was too late.
Likewise, if you are watching TV and an attacker happens to have the same channel on, the broadcast audio may dominate the ambient sound at both locations and the two recordings may be similar enough to grant them access. Again, unlikely, but in any event using Sound-Proof would still be better than not using 2FA at all.
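To make the matching step and both of the failure modes above concrete, here is a toy version of a Sound-Proof-style proximity check. This is an added illustration written for this page, not the researchers’ code: the sample rate, the two-band split (the real scheme uses many narrow frequency bands), the accept threshold and all of the “recordings” are constructed assumptions. The audio is simulated as Gaussian noise so that the example runs offline with no microphone.

```python
"""Toy Sound-Proof-style proximity check (added illustration, not the
researchers' code).  Two devices record ambient audio at the same moment;
the login is approved only if the two recordings are similar enough."""
import math
import random

SAMPLE_RATE = 4000   # Hz; assumed, kept low so pure Python stays fast
DURATION = 1.0       # seconds of audio compared; assumed
MAX_LAG = 20         # samples of misalignment tolerated (5 ms at 4 kHz); assumed
THRESHOLD = 0.6      # assumed accept threshold; the paper's value is not on this page


def _pearson(x, y):
    """Correlation coefficient of two equal-length sequences (0 if either is flat)."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    if sxx == 0.0 or syy == 0.0:
        return 0.0
    return sxy / math.sqrt(sxx * syy)


def _lowpass(x, alpha=0.2):
    """One-pole low-pass filter; subtracting its output from x gives the high band."""
    out, acc = [], 0.0
    for v in x:
        acc += alpha * (v - acc)
        out.append(acc)
    return out


def _bands(x):
    low = _lowpass(x)
    high = [v - l for v, l in zip(x, low)]
    return low, high


def best_lagged_correlation(a, b, max_lag=MAX_LAG):
    """Max correlation over small time shifts, so sound propagation delay and
    clock offset between the two microphones do not defeat the match."""
    best, n = -1.0, min(len(a), len(b))
    for lag in range(-max_lag, max_lag + 1):
        if lag >= 0:
            x, y = a[lag:n], b[:n - lag]
        else:
            x, y = a[:n + lag], b[-lag:n]
        best = max(best, _pearson(x, y))
    return best


def similarity(rec_a, rec_b):
    """Sound-print similarity: average of the per-band lagged correlations."""
    scores = [best_lagged_correlation(x, y) for x, y in zip(_bands(rec_a), _bands(rec_b))]
    return sum(scores) / len(scores)


def proximity_check(rec_browser, rec_phone, threshold=THRESHOLD):
    """Second factor passes only if the two recordings match closely enough."""
    return similarity(rec_browser, rec_phone) >= threshold


def _noise(rng, n, amp):
    return [rng.gauss(0.0, amp) for _ in range(n)]


def record(environment, rng, delay, mic_noise=0.3):
    """What one microphone hears: the environment, shifted by `delay` samples,
    plus that microphone's own independent electrical noise."""
    shifted = [0.0] * delay + environment[:len(environment) - delay]
    return [s + e for s, e in zip(shifted, _noise(rng, len(shifted), mic_noise))]


def scenarios():
    """Three constructed situations: honest login, remote attacker with the
    password, and an attacker watching the same TV channel as the victim."""
    n = int(SAMPLE_RATE * DURATION)
    rng = random.Random(1)
    room = _noise(rng, n, 1.0)        # constructed ambient sound in the user's room
    elsewhere = _noise(rng, n, 1.0)   # constructed ambient sound where the attacker sits
    broadcast = _noise(rng, n, 1.0)   # constructed TV audio playing in both rooms

    browser = record(room, rng, delay=0)
    phone = record(room, rng, delay=7)
    attacker_pc = record(elsewhere, rng, delay=0)

    # The shared broadcast is louder than each room's own ambient sound (amp 0.4).
    user_tv = [b + r for b, r in zip(broadcast, _noise(rng, n, 0.4))]
    attacker_tv = [b + r for b, r in zip(broadcast, _noise(rng, n, 0.4))]
    return {
        "same_room": similarity(browser, phone),
        "different_room": similarity(attacker_pc, phone),
        "same_tv_channel": similarity(record(attacker_tv, rng, 0), record(user_tv, rng, 5)),
    }


if __name__ == "__main__":
    for name, score in scenarios().items():
        print(f"{name:16s} similarity={score:.2f} accept={score >= THRESHOLD}")
```

The honest login scores high, the remote attacker scores near zero, and the shared-TV-channel case scores high as well, which is exactly the third scenario the article warns about: a threshold loose enough to tolerate microphone noise and small delays is also loose enough to accept two rooms dominated by the same broadcast audio.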
Also, the phone needs a Wi-Fi connection, and the system may be affected by environmental conditions, though the researchers point out that the app can record through obstacles such as pockets and even purses.
Beyond that, the app mitigates brute-force attacks via rate limiting and can be used for continuous authentication. It can also fall back to traditional 2FA codes if the sound-based check fails.
Even so, the team’s work remains a research prototype, though Marforio says development will continue:
At the moment we are trying to improve the overall performance of the system to make the login even faster and to better compare the two audio samples in order to further improve the accuracy. The idea is to continue working on it as a startup.
Whether the public will have much appetite for an app that lets their phone listen to its surroundings all the time remains to be seen.
Want to know more about two-factor authentication?
To find out whether the online service you use supports 2FA, you can visit twofactorauth.org.
It has a comprehensive (albeit not exhaustive) list of many of the top online services that support 2FA or two-step verification (2SV).
Turn it on and be more secure.
Image of smartphone microphone courtesy of Shutterstock.com.
Laurence Marks
Today I happen to be reading Naked Security near the washing machine which is spinning a load of towels. Yesterday it wasn’t running. The day before I was at my vacation cabin. Which one of those sound templates is the one I have to reproduce to log into Naked Security?
2FA by sound==> FAIL
Barney Laurance
To answer your question, the sound you have to reproduce is the one you hear now, your washing machine. You prove that you know your password in the normal way, and at the same time your phone automatically proves that it is near the computer that you are logging in to by detecting the same sound. If someone steals either your password or your phone, but not both, they wouldn’t be able to log in in the same way.
Blind Bob
You misunderstand how the system works. Your phone and the PC you are logging into must both have microphones. When you log in with your password both apps listen to the ambient sound where they both are in that same moment. So there are no saved profiles. My home PC does not have a mic so… no good there.
It is an interesting idea, although they needn’t rely on ambient sound. Since the system relies on input from both your phone and the target system they could have the phone make a randomly generated unique sound. The sound could be in a range above what people can hear.
The article does do that little trick that advertisers do, though. They make the alternatives sound really difficult. There are plenty of 2FA solutions that don’t require a separate physical token. They are also phone based: one-time passwords either via SMS or something like Google Authenticator. Those solutions work wonders for me, I just wish more sites supported that. Especially domain registrars and banks. You can 2FA your email and Facebook account but doing the same for your bank or domain registrar is much harder at this time.
wphilbrick@gmail.com
Something “automatic” like this makes life a little easier than other 2FA options, IMO. I get what you’re saying about alternatives, but this would just be another way that would require even more limited interaction than having to pick up the phone (or even pull it out of your pocket if the article is correct).
As far as the hacking in close proximity fear, I think you could mitigate that to some extent by just having the app provide a notification on the phone when the login is completed and the ability to log out immediately and/or request your approval (recognizing that this negates some of the convenience I mentioned above).
Mike
So say I’m logged into Amazon on my phone and I want to log in to Amazon on my computer and Family Guy is on TV in the room that both my phone and computer are in, this application would log me into Amazon on my computer once both devices verify that they are both hearing the same thing?