Using ambient sound as a two-factor authentication system

We know that many of us are no good at choosing our own passwords. That’s why companies are increasingly looking to bolster their own website security through additional authentication methods.

To that end, we’ve seen many different forms of two-factor authentication (2FA) employed – John Shier wrote an excellently detailed article on the topic last year in which he noted that each of the common 2FA options have their disadvantages.

His conclusion was that “true” 2FA, using a separate token, was probably the best way forward – but that such a system would likely not be free and would leave people with an annoyingly large amount of tokens to manage.

While it’s better for your security to take advantage of 2FA everywhere it is available, some people see it as an inconvenience nonetheless – either because they need to lug tokens around or because of the few seconds it takes to generate a code or type in a password received by SMS.

With that in mind, perhaps, a team of researchers from the Swiss Federal Institute of Technology in Zurich, Switzerland, have been looking into an alternative and altogether much simpler system of 2FA.

At the recent USENIX Security Symposium they presented a paper detailing a new tool they’ve created called Sound-Proof which, they said, was designed specifically for those users who prefer password-only authentication.

The researchers – Srdjan Capkun, Nikolaos Karapanos, Claudio Marforio and Claudio Soriente – said their verification process can confirm a person is in possession of their phone by matching ambient noise sound prints.

Conveniently, the phone doesn’t even need to be picked up as part of the process – it merely needs to be switched on and have the Sound-Proof mobile app installed (prototype apps have been developed for both Android and iOS and tested on the iPhone 6, Google Nexus 4 and Samsung Galaxy S3).

So if, for example, you are attempting to log in to something on your desktop PC, the app on your phone will also begin listening for sounds in the vicinity.

When the system confirms that the two devices are in close proximity – because they are both hearing the same sounds – it will log you in.

If you’re already thinking ahead to the privacy implications of an app that deals with sound, the researchers say their tool only deals with the “digital signature” of what it hears rather than the sounds themselves.

Beyond the need for a microphone, nothing else is required on the computer end so, with no extensions or downloads, the system can be used across multiple systems with ease.

While the system sounds interesting and would likely be of benefit to anyone looking for some hassle-free additional security (the researchers say their system will likely save 25 seconds per login when compared to other forms of 2FA), it is not perfect.

In one (probably unlikely) scenario, a hacker who has already snagged your password would merely need to get close to you in order to replicate the right sound environment. As the app initiates without your phone being picked up there is even a risk that a determined hacker could break into your account while standing next to you and you wouldn’t know about it until it was too late.

Likewise, if you are watching TV and an attacker gets lucky and switches on the same channel, the ambient sound may just be similar enough to grant them access. Again, unlikely, but in any event, using Sound-Proof would still be better than not using 2FA at all.

Also, a Wi-Fi connection will be needed and the system may be affected by environmental conditions, though the researchers did point out that the app can record through obstacles such as pockets and even purses.

Beyond that, the research team has created an app that mitigates brute force attacks via rate limiting and which can be used for continuous authentication. It is also capable of reverting back to traditional 2FA codes if its sound-based system should fail.

Even so, the team’s research remains nothing more than a project, though Marforio says development will continue:

At the moment we are trying to improve the overall performance of the system to make the login even faster and to better compare the two audio samples in order to further improve the accuracy. The idea is to continue working on it as a startup.

As to whether the public will have much appetite for an app that allows their phone to record sound all the time remains to be seen.

Want to know more about two-factor authentication?

To find out whether the online service you use supports 2FA, you can visit twofactorauth.org.

It has a comprehensive (albeit not exhaustive) list of many of the top online services that support 2FA or two-step verification (2SV).

Turn it on and be more secure.

(Audio player not working? Download to listen offline, or listen on Soundcloud.)


Image of smartphone microphone courtesy of Shutterstock.com .

Leave a Reply