August 18, 2015 weblog
Ambient sound may help protect your online accounts
Two-factor authentication based on ambient sound has been the focus of four researchers from the Institute of Information Security ETH Zurich. Nikolaos Karapanos, Claudio Marforio, Claudio Soriente, and Srdjan Capkun posted their work on the .arXiv server and they presented their research at the recent Usenix conference in Washington, DC.
As they see it, two-factor authentication may be a good way to address the risk of stolen passwords but why is it not very popular? They said, "Despite the improvements introduced by software tokens, most users still prefer password-only authentication for services where 2FA is not mandatory. This is probably due to the extra burden that 2FA causes to the user, since it typically requires the user to interact with his phone."
Fair enough. Wired's Klint Finley described the frustration like this: "Two-factor authentication provides much better security than a password alone, and you really should enable it everywhere you can: Gmail, Facebook, Twitter, your bank. But there is one big problem with it: it's really annoying. Every time you want to log in to a site, you have to get your phone out, unlock it, find the authentication code, and type it in. If you type too slowly, the code changes and you've gotta try again. For far too many people, this is just too big of a hassle, so they leave themselves open to attack."
The authors propose another path to protection, in the name of Sound-Proof. They said it is a two-factor authentication mechanism transparent to the user; it can be used with current phones and with major browsers without any plugin.
The process goes like this: the second authentication factor is the proximity of the user's phone to the computer being used to log in. Sound-Proof works even if the phone is in the user's pocket or purse, and both indoors and outdoors.
"When the user logs in," said the researchers, "the two devices record the ambient noise via their microphones. The phone compares the two recordings, determines if the computer is located in the same environment, and ultimately decides whether the login attempt is legitimate or fraudulent."
They implemented a prototype of Sound-Proof for both Android and iOS. Their findings: "Sound-Proof adds, on average, less than 5 seconds to a password-only login operation. This time is substantially shorter than the time overhead of 2FA mechanisms based on verification codes (roughly 25 seconds). We also report on a user study we conducted which shows that users prefer Sound-Proof over Google 2-Step Verification."
According to the researchers, "The security of Sound-Proof stems from the attacker's inability to guess the sound in the victim's environment at the time of the attack."
Nonetheless, pointed out Finley, "if someone is in the same room as you—at a coffee shop for example—and has your password, they could access your account. There's also the possibility that if someone is watching the exact same TV or radio broadcast that you are, they might be able to spoof the request, depending on other ambient sound in the room, as well as differences in broadcast latencies. But the researchers think such targeted attacks will be uncommon. And besides, they argue, it would be far better than not using two-factor authentication at all."
Two-factor authentication protects online accounts even if passwords are leaked. Most users, however, prefer password-only authentication. One reason why two-factor authentication is so unpopular is the extra steps that the user must complete in order to log in. Currently deployed two-factor authentication mechanisms require the user to interact with his phone to, for example, copy a verification code to the browser. Two-factor authentication schemes that eliminate user-phone interaction exist, but require additional software to be deployed.
In this paper we propose Sound-Proof, a usable and deployable two-factor authentication mechanism. Sound-Proof does not require interaction between the user and his phone. In Sound-Proof the second authentication factor is the proximity of the user's phone to the device being used to log in. The proximity of the two devices is verified by comparing the ambient noise recorded by their microphones. Audio recording and comparison are transparent to the user, so that the user experience is similar to the one of password-only authentication. Sound-Proof can be easily deployed as it works with current phones and major browsers without plugins. We build a prototype for both Android and iOS. We provide empirical evidence that ambient noise is a robust discriminant to determine the proximity of two devices both indoors and outdoors, and even if the phone is in a pocket or purse. We conduct a user study designed to compare the perceived usability of Sound-Proof with Google 2-Step Verification. Participants ranked Sound-Proof as more usable and the majority would be willing to use Sound-Proof even for scenarios in which two-factor authentication is optional.
© 2015 Tech Xplore