Sound-Proof: Two-factor authentication without user interaction
Reaping all the benefits of two-factor authentication without suffering the inconvenience that is usually attached to the option is something that many users dream about – and now that dream is close to coming true.
A group of researchers from the Swiss Federal Institute of Technology in Zurich have recently presented at the USENIX security conference their two-factor solution that relies on ambient sound.
Dubbed Sound-Proof, the solution does not require interaction between the user and his phone, and works even if the phone is in the user’s pocket or purse, and both indoors and outdoors.
The system works like this: when the user enters his username and password into a website that offers Sound-Proof 2FA, the website switches on the computer’s microphone and starts recording. At the same time, it pings the Sound-Proof app which does the same.
The two recordings are then turned into digital signatures, sent to a central server, and compared. If they are the same, the authentication process is completed. If they are not, the app be made to fall back to other types of 2FA or 2SV options.
The researchers built an app for Android and iOS, and the solutions works with any HTML5-compliant browser that implements the WebRTC API (Chrome, Firefox and Opera for now, and IE very soon).
A survey of users faced with the option to use Sound-Proof found it usable, and most said they would used it if 2FA were optional.
“Since audio recording and comparison is transparent to the user, he has no means to detect an ongoing attack. To mitigate this, at each login attempt the phone may vibrate, light up, or display a message to notify the user that a login attempt is taking place,” they noted.
Sound-Proof can also be used for continuous authentication, although privacy implications have to be taken into consideration in that case.