Boffins nail 2FA with 'ambient sound' login for the lazy

Internet users who think two taps on a smartphone is two taps too much may soon be able to use seamless second factor authentication that verifies a person is in possession of their phone by matching ambient noise sound prints. Researchers Nikolaos Karapanos, Claudio Marforio, Claudio Soriente, and Srdjan Capkun of the …

  1. P. Lee

    Might not be 2fa

    Your PC might be generating the noise. Co-workers in the same office are likely to all get about the same "password." Or perhaps your phone could generate a very quiet noise and you leave it next to your PC mic.

    How about some sort of complex graphic arriving on your phone which you could show to your webcam? A full SMS message which is then OCR'd?

    Either way, there is a problem when people keep their phones and laptops together.

    Perhaps there is another way. It might just work for managers. Put a small red dot on their foreheads which the webcam could pick up. The exact pattern of the blood spatter.... er... I mean... NFC transponder, could guide the miss... I mean, be detected by the webcam relaying the authentication back to the drone.

  2. Terafirma-NZ

    Please don't send the audio from the browser to the phone for processing and verification. This just leaves a hole attackers can look to use. The server should receive both audio streams and check. Even if it is a simple hash of the stream to save bandwidth but don't leave it to the phone to confirm.

    1. the spectacularly refined chap

      Please don't send the audio from the browser to the phone for processing and verification. This just leaves a hole attackers can look to use. The server should receive both audio streams and check. Even if it is a simple hash of the stream to save bandwidth but don't leave it to the phone to confirm.

      That strikes me as a very deliberate decision and one that I would agree with - done correctly (i.e. public key encryption that can only be decrypted by the phone) it means the service provider never has access to the audio. That gives the user a good assurance of confidentiality and eliminates the attraction of a single server being able to access everyone's audio. Of course, it does depend on the phone not being compromised but in that eventuality all bets are off anyway.

      As for hashing, forget it straight away. This kind of DSP work always needs proper samples to work with; put simply, too much processing is needed to match the samples up. The two recordings are never going to be exactly synchronised, for example, levels are going to need adjusting, and a certain amount of tolerance needs to be built in to allow for different locations or the characteristics of the microphones used.

      The one potential showstopper I see is where security is actually a real concern where you may think something like this would be attractive. At my employer for example possession of a mobile phone on an operations floor is an instant sacking offence - they are that concerned about any recording devices, whether audio or visual.
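As an added illustration of the two points above (example code written for this page, not the Sound-Proof researchers' code or anything from their paper): two constructed "recordings" of the same pseudo-random ambient noise, one delayed, rescaled and with independent microphone noise added, hash to different values, while a lag-tolerant normalised cross-correlation still finds the match at the right delay and rejects a recording from elsewhere. Whether the check runs on the server or on the phone is the deployment choice the two commenters disagree about; the code below is agnostic. The sample count, lag window, gain, noise level and 0.5 threshold are assumptions for the toy, and a real system would work on far richer audio features.

```python
import hashlib
import math
import random


def make_ambient_noise(n, seed):
    """Constructed stand-in for the browser-side microphone capture:
    seeded pseudo-random samples, so the example runs without a real mic."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, 1.0) for _ in range(n)]


def record_on_phone(src, lag, gain, noise_seed, noise_level):
    """Constructed phone-side capture of the same sound: delayed by `lag`
    samples, at a different level, plus independent microphone noise."""
    rng = random.Random(noise_seed)
    out = []
    for i in range(len(src)):
        j = i - lag
        base = src[j] if 0 <= j < len(src) else 0.0
        out.append(gain * base + noise_level * rng.gauss(0.0, 1.0))
    return out


def sha256_of_samples(samples):
    """Quantise to 16-bit PCM and hash: what a 'just hash the stream'
    design would end up comparing."""
    pcm = b"".join(
        int(max(-1.0, min(1.0, s / 8.0)) * 32767).to_bytes(2, "little", signed=True)
        for s in samples
    )
    return hashlib.sha256(pcm).hexdigest()


def hashes_match(a, b):
    return sha256_of_samples(a) == sha256_of_samples(b)


def _normalise(x):
    """Remove DC offset and scale to unit energy, so level differences drop out."""
    mean = sum(x) / len(x)
    centred = [v - mean for v in x]
    norm = math.sqrt(sum(v * v for v in centred)) or 1.0
    return [v / norm for v in centred]


def peak_cross_correlation(a, b, max_lag):
    """Return (score, lag): the largest normalised cross-correlation of `a`
    against `b` over lags in [-max_lag, max_lag]. Near 1.0 means `b` is a
    delayed, rescaled copy of `a`; near 0 means the two are unrelated."""
    a_n, b_n = _normalise(a), _normalise(b)
    n = min(len(a_n), len(b_n))
    best_score, best_lag = -1.0, 0
    for lag in range(-max_lag, max_lag + 1):
        s = 0.0
        for i in range(n):
            j = i - lag
            if 0 <= j < n:
                s += a_n[j] * b_n[i]
        if s > best_score:
            best_score, best_lag = s, lag
    return best_score, best_lag


def same_room(browser_audio, phone_audio, max_lag=100, threshold=0.5):
    """Verifier-side decision (wherever it runs): accept if the correlation
    peak clears the threshold. Window and threshold are toy assumptions."""
    score, lag = peak_cross_correlation(browser_audio, phone_audio, max_lag)
    return score >= threshold, score, lag


if __name__ == "__main__":
    browser = make_ambient_noise(2000, seed=1)
    phone = record_on_phone(browser, lag=37, gain=0.6, noise_seed=2, noise_level=0.3)
    other_room = make_ambient_noise(2000, seed=99)
    print("hashes equal:", hashes_match(browser, phone))   # False: same sound, different bytes
    print("same room:", same_room(browser, phone))         # accepted, peak at lag 37
    print("other room:", same_room(browser, other_room))   # rejected
```

The hash comparison fails even though both devices heard the same sound, which is the commenter's point; the correlation search pays for that with an O(n × lags) scan, which is the "too much processing" trade-off in the other direction.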

      1. Charles 9

        "At my employer for example possession of a mobile phone on an operations floor is an instant sacking offence - they are that concerned about any recording devices, whether audio or visual."

        Just for the record, why the paranoia? Top Secret workings, concerns of industrial espionage, or confidentiality issues?

        1. This post has been deleted by its author

  3. Steve Knox

    This from a security team!!?

    The "Sound-Proof" verification process, which occurs without user interaction, can determine that a user and their two factor device are in the same room.

    Meaning you have to install their app on your phone and give it access to record audio at any time.

    Nah, no way that could be abused.

    1. Anonymous Coward

      Re: This from a security team!!?

      Must admit that when I think of security; throwing remote control of microphones on two devices to a remote party wouldn't be first on the list.

      Being a lazy bastard, I can see the appeal; but would never seriously consider it to actually use.

      1. Charles 9

        Re: This from a security team!!?

        But you also have to consider the secure-vs-easy scale. If you try to make the second factor too onerous, people will say, "Sod this!" and look for shortcuts; failing that, they'll abandon the whole works. How do you do secure in such an environment?

        1. Anonymous Coward

          @Charles 9 - Re: This from a security team!!?

          If you try to make the second factor too onerous, people will say, "Sod this!" and look for shortcuts

          I lean towards the 'sack them for undermining security' solution, rather than weakening overall security to make their lives easier.

          1. Charles 9

            Re: @Charles 9 - This from a security team!!?

            "I lean towards the 'sack them for undermining security' solution, rather than weakening overall security to make their lives easier."

            Which quickly gets reversed when you learn the one demanding the relaxation is ABOVE rather than BELOW you.

            1. Anonymous Coward

              Re: @Charles 9 - This from a security team!!?

              the one demanding the relaxation is ABOVE rather than BELOW you

              True. In that case I would suggest that you do not have the required authority to go with your responsibilities. That doesn't seem uncommon these days, unfortunately.

    2. Phil O'Sophical

      Re: This from a security team!!?

      The "Sound-Proof" verification process, which occurs without user interaction, can determine that a user and their two factor device are in the same room.

      Well, technically doesn't it simply verify that the user's PC and the user's phone are in the same room? The user could be lying in the alley outside with his or her head bashed in.

  4. Anonymous Coward

    Why not send an audio SMS to your phone and require you to play it within 2 minutes so the computer can validate it?

    1. Anonymous Coward

      That's just as bad as sending an SMS with a number.

      We have such poor reception here at work that I have to walk around 10 minutes round trip, plus wait for my phone to reconnect to the network, if I want to receive an SMS.

      1. Charles 9

        If your reception is so bad even an SMS is hit or miss, you basically don't have a practical second factor to work with, which means you're SOL.

        So that leaves a big unanswered question. How do you do 2FA when lots of people don't even have a second factor to work with?

        1. Michael Wojcik

          If your reception is so bad even an SMS is hit or miss, you basically don't have a practical second factor to work with, which means you're SOL.

          No, it just means you need a second factor that doesn't require a network connection. Those synchronized CPRNG tokens work just fine in that environment, for example. So do smartcards, which use physical possession as one of the two factors.

          We had 2FA long before we had smartphones. Don't let smartphones limit the options.
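An added example of the offline second factor described above (written for this page, not code from the article or the researchers): RFC 4226 HOTP and RFC 6238 TOTP using only Python's standard library, plus a verifier that tolerates one time step of clock drift. The token and the verifier share nothing but the seed; no network is involved on the token side. The seed is the RFC test-vector secret "12345678901234567890", and the ±1-step drift window is an assumption.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from wall-clock time.
    This is the token side; it needs a clock and the seed, nothing else."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, candidate, unix_time, step=30, digits=6, window=1):
    """Verifier side: accept the code for the current step or `window`
    steps either side (drift tolerance is an assumption here), comparing
    in constant time so timing does not leak which digits matched."""
    base = int(unix_time) // step
    return any(
        hmac.compare_digest(hotp(secret, base + delta, digits), candidate)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    seed = b"12345678901234567890"      # RFC 4226/6238 test-vector secret
    print(hotp(seed, 0))                 # 755224  (RFC 4226 Appendix D)
    print(totp(seed, 59, digits=8))      # 94287082 (RFC 6238 Appendix B)
    print(verify_totp(seed, totp(seed, 59, digits=8), 89, digits=8))   # True, one step late
    print(verify_totp(seed, totp(seed, 59, digits=8), 150, digits=8))  # False, too old
```

Real deployments add per-account rate limiting and refuse to accept a code already used in its step, otherwise the drift window turns into a small replay window.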

          1. Charles 9

            The thing about those tokens is that they're not suitable for the average person, which is the level of paranoia we're reaching, where EVERYTHING needs a second factor but not everyone has that second factor on hand.

            Plus, as noted with the RSA incident, CPRNG algos can be stolen.

  5. John Robson

    Bluetooth?

    Didn't we do this before, with short range radio reception.

    We could even use a wireless charging pad with an NFC reader in it now?!

  6. MikeeMiracle

    We need a more viable alternative to 2FA.

    2FA should only ever be used for securing something important. The problem is it's those very same important things you need access to if you lose the device you're using 2FA to connect to. Has anyone ever tried to regain access to their account after losing their device? It's just too much of a pain to make worthwhile.

    Some form of biometric device is far preferable.

    1. Charles 9

      "Some form of biometric device is far preferable."

      But what happens when someone copies your biometrics and steals your identity?

  7. TeeCee

    Right question?

    .....is preferable to Google's popular two factor authenticator app....

    Not sure that "popular" is quite correct here as while it might literally cover "foisted on a hell of a lot of people", the spirit isn't quite there.

    What I see here is a correct identification that current 2FA systems all have in common the fact that they really, really, really suck to use. (Missing here is that Google's "app" solution becomes ludicrously unwieldy if you have your phone's lock screen doing something constructive - i.e. you actually give a shit about security).

    Not sure this is the right answer though as it still has a problem that's common to many. Google and their ilk are getting my bloody mobile phone number shortly after hell freezes over....

  8. clocKwize

    What if you want to login on your phone?

  9. phil dude

    and in other news...

    Researchers can leak information from your machine using the audio...

    Ever heard of the Lampton Protection Principle?

    P.

  10. gerryg

    what people say and what people do

    "The boffins also asked 32 folks, none security experts, how they feel about this form of 2FA: most said they would prefer it over no 2FA being used"

    Whatever the merits of the proposed system, I was deeply underwhelmed that they prayed in aid the preferences of general users. General users generally know what is the right thing to say when asked; however, the researchers would do well to research the dangers associated with relying on Revealed Preferences.

    In general, general users are underwhelmed by security measures, nobody cares

    1. Charles 9

      Re: what people say and what people do

      "In general, general users are underwhelmed by security measures, nobody cares"

      So how do you MAKE them care without risking their lives in the process (about the only thing that FORCES people to care)?

    2. Steve Knox

      Re: what people say and what people do

      "The boffins also asked 32 folks, none security experts, how they feel about this form of 2FA: most said they would prefer it over no 2FA being used"

      Let me guess, the question was expressed similar to:

      "Hey average user! We've invented this awesome new technology which makes your online adventures more secure with absolutely no effort on your part!!!!! Wouldn't you like to be safer online!? Or would you prefer to have your identity stolen, your pets microwaved, and your car smashed into a tree?"

  11. John Tserkezis

    So, if I'm on the bus, it can hear and detect how many fights are going on, and when on a train, it can hear how many simultaneous muggings are happening to ensure who I am?

    Hey, even in the office, when it asks me to clear my throat, will it also integrate the voices of a workmate or employer shouting at me for coming to work with a cold?

    This is so cool!
