Passwords are still the preferred online authentication method because they are easy to use, but they are increasingly not enough to keep our accounts secure. To mitigate the risk of malicious account takeover, more and more services offer a two-factor authentication option, but that, too, has to be easy use or most users will avoid setting it up.
Prakash Shrestha and Nitesh Saxena from the University of Alabama at Birmingham believe they have a solution for the problem: Listening-Watch, a new 2FA mechanism based on a wearable device (watch or a specialized bracelet with low sensitivity microphone) and active browser-generated random speech sounds.
Unlike similar proposed solutions that would use ambient sounds to detect how close the second factor device (e.g., phone) is to the login terminal (browser), Listening-Watch is not vulnerable to co-located and remote attackers.
“As the user attempts to login, the browser populates a short random code encoded into speech, and the login succeeds if the watch’s audio recording contains this code (decoded using speech recognition), and is similar enough to the browser’s audio recording,” they explained.
“The remote attacker, who has guessed the user’s environment or created predictable phone/watch sounds, will be defeated since authentication success relies upon the presence of the random code in watch’s recordings. The proximity attacker will also be defeated unless it is extremely close to the watch, since the wearable microphones are usually designed to be only capable of picking up nearby sounds (e.g., voice commands). Furthermore, due to the use of a wearable second factor device, Listening-Watch naturally enables two-factor security even when logging in from a mobile phone.”
To prove the efficacy of the scheme, they created browser and web server components, two Android apps (one for the phone and another for the watch), a correlation engine for computing the similarity of audio pairs from the watch and the phone, and a speech engine to translate numeric code into speech and extract the numeric code from the audio samples.
All in all, the approach is very promising. The researchers evaluated Listening-Watch for authentication errors in both benign and adversarial settings, and found that it can result in minimal errors.
In addition to this, they believe that Listening-Watch can be extended to support internal speakers (e.g., a basic speaker on a motherboard) so that it can work with a PC that does not have an external speaker, that future improvements in smartwatches’ microphone won’t allow remote attackers to break the scheme, and that it can be modified to foil determined proximity attackers that may use a powerful speaker attached to the terminal from which it attempts to log in.