Block diagram of the function that computes the similarity score between two samples. The computation takes place on the phone. Credit: arXiv:1503.03790 [cs.CR]

Two-factor authentication based on ambient sound has been the focus of four researchers from the Institute of Information Security at ETH Zurich. Nikolaos Karapanos, Claudio Marforio, Claudio Soriente, and Srdjan Capkun posted their work on the arXiv server and presented their research at the recent USENIX conference in Washington, DC.

As they see it, two-factor authentication (2FA) may be a good way to address the risk of stolen passwords, but why is it not very popular? They said, "Despite the improvements introduced by software tokens, most users still prefer password-only authentication for services where 2FA is not mandatory. This is probably due to the extra burden that 2FA causes to the user, since it typically requires the user to interact with his phone."

Fair enough. Wired's Klint Finley described the frustration like this: "Two-factor authentication provides much better security than a password alone, and you really should enable it everywhere you can: Gmail, Facebook, Twitter, your bank. But there is one big problem with it: it's really annoying. Every time you want to log in to a site, you have to get your phone out, unlock it, find the authentication code, and type it in. If you type too slowly, the code changes and you've gotta try again. For far too many people, this is just too big of a hassle, so they leave themselves open to attack."

The authors propose another path to protection, which they call Sound-Proof. They describe it as a two-factor authentication mechanism that is transparent to the user; it works with current phones and with major browsers without any plugin.

The process goes like this: the second authentication factor is the proximity of the user's phone to the computer being used to log in. Sound-Proof works even if the phone is in the user's pocket or purse, both indoors and outdoors.

"When the user logs in," said the researchers, "the two devices record the ambient noise via their microphones. The phone compares the two recordings, determines if the computer is located in the same environment, and ultimately decides whether the login attempt is legitimate or fraudulent."
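The article does not spell out how the phone decides that two recordings come from the same environment, and the block diagram above is only referred to, not reproduced. The following is an added illustration, not code from the paper or its prototype: it scores two equal-length recordings with a normalized cross-correlation searched over a small window of sample lags (the two microphones never start at exactly the same instant), then thresholds the score. The window size, the threshold, and the synthetic white-noise "recordings" are all constructed assumptions for this example; a real deployment would calibrate the threshold from measured false-accept and false-reject rates, which this page does not give.

```python
import random


def _centered(xs):
    """Subtract the mean so a DC offset on one microphone cannot inflate the score."""
    m = sum(xs) / len(xs)
    return [x - m for x in xs]


def _dot(xs, ys):
    return sum(x * y for x, y in zip(xs, ys))


def correlation_at_lag(a, b, lag):
    """Normalized cross-correlation of a[t] with b[t + lag] over their overlap.

    Returns a value in [-1, 1]; 1 means the overlapping segments are identical
    up to scale, so a quieter recording (phone muffled in a pocket) still scores
    high because the normalization removes gain differences.
    """
    if len(a) != len(b):
        raise ValueError("recordings must have the same number of samples")
    if lag >= 0:
        a_seg, b_seg = a[:len(a) - lag], b[lag:]
    else:
        a_seg, b_seg = a[-lag:], b[:len(b) + lag]
    a_seg, b_seg = _centered(a_seg), _centered(b_seg)
    denom = (_dot(a_seg, a_seg) * _dot(b_seg, b_seg)) ** 0.5
    return _dot(a_seg, b_seg) / denom if denom > 0 else 0.0


def similarity_score(browser_rec, phone_rec, max_lag=20):
    """Best correlation within |lag| <= max_lag, and the lag that achieved it.

    The window is kept small: only recordings that are already nearly aligned
    (same room, same moment) should be able to reach a high score.
    """
    best_score, best_lag = -1.0, 0
    for lag in range(-max_lag, max_lag + 1):
        c = correlation_at_lag(browser_rec, phone_rec, lag)
        if c > best_score:
            best_score, best_lag = c, lag
    return best_score, best_lag


def same_environment(score, threshold=0.5):
    """Accept the login only if the score clears the threshold (assumed value)."""
    return score >= threshold


def make_recordings(seed=7, n=2000, lag=6, phone_noise=0.5):
    """Constructed sample data: white-noise 'ambient sound' heard by both devices.

    browser:   the ambient signal as captured by the computer's microphone.
    phone:     the same signal, captured `lag` samples later, plus extra noise
               from being muffled in a pocket.
    elsewhere: an independent recording from a different room.
    """
    rng = random.Random(seed)
    ambient = [rng.gauss(0.0, 1.0) for _ in range(n + lag)]
    browser = ambient[lag:lag + n]
    phone = [ambient[t] + phone_noise * rng.gauss(0.0, 1.0) for t in range(n)]
    elsewhere = [rng.gauss(0.0, 1.0) for _ in range(n)]
    return browser, phone, elsewhere


if __name__ == "__main__":
    browser, phone, elsewhere = make_recordings()
    s_ok, lag_ok = similarity_score(browser, phone)
    s_bad, _ = similarity_score(browser, elsewhere)
    print(f"same room:  score={s_ok:.3f} at lag {lag_ok} -> accept={same_environment(s_ok)}")
    print(f"other room: score={s_bad:.3f} -> accept={same_environment(s_bad)}")
```

Running the script shows the same-room pair scoring close to 0.9 at the constructed lag of 6 samples, while the recording from another room stays near zero for every lag in the window and is rejected. The lag window matters for security as much as for robustness: a window wide enough to absorb large clock differences would also let a recording captured well away from the computer be slid into alignment.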

They implemented a prototype of Sound-Proof for both Android and iOS. Their findings: "Sound-Proof adds, on average, less than 5 seconds to a password-only login operation. This time is substantially shorter than the time overhead of 2FA mechanisms based on verification codes (roughly 25 seconds). We also report on a user study we conducted which shows that users prefer Sound-Proof over Google 2-Step Verification."

According to the researchers, "The security of Sound-Proof stems from the attacker's inability to guess the sound in the victim's environment at the time of the attack."

Nonetheless, pointed out Finley, "if someone is in the same room as you—at a coffee shop for example—and has your password, they could access your account. There's also the possibility that if someone is watching the exact same TV or radio broadcast that you are, they might be able to spoof the request, depending on other ambient sound in the room, as well as differences in broadcast latencies. But the researchers think such targeted attacks will be uncommon. And besides, they argue, it would be far better than not using two-factor at all."

More information: Sound-Proof: Usable Two-Factor Authentication Based on Ambient Sound, arXiv:1503.03790 [cs.CR], arxiv.org/abs/1503.03790

Abstract
Two-factor authentication protects online accounts even if passwords are leaked. Most users, however, prefer password-only authentication. One reason why two-factor authentication is so unpopular is the extra steps that the user must complete in order to log in. Currently deployed two-factor authentication mechanisms require the user to interact with his phone to, for example, copy a verification code to the browser. Two-factor authentication schemes that eliminate user-phone interaction exist, but require additional software to be deployed.
In this paper we propose Sound-Proof, a usable and deployable two-factor authentication mechanism. Sound-Proof does not require interaction between the user and his phone. In Sound-Proof the second authentication factor is the proximity of the user's phone to the device being used to log in. The proximity of the two devices is verified by comparing the ambient noise recorded by their microphones. Audio recording and comparison are transparent to the user, so that the user experience is similar to the one of password-only authentication. Sound-Proof can be easily deployed as it works with current phones and major browsers without plugins. We build a prototype for both Android and iOS. We provide empirical evidence that ambient noise is a robust discriminant to determine the proximity of two devices both indoors and outdoors, and even if the phone is in a pocket or purse. We conduct a user study designed to compare the perceived usability of Sound-Proof with Google 2-Step Verification. Participants ranked Sound-Proof as more usable and the majority would be willing to use Sound-Proof even for scenarios in which two-factor authentication is optional.