A research paper emanating from the Institute of Information Security ETH in Zurich has proposed a new method to achieve more secure ‘two-factor authentication' through the use of ambient sound and a user's smartphone.
Two-factor authentication is a method of user validation above and beyond the single solitary use of passwords. Examples include use of an ATM (bank card, plus PIN), biometrics (fingerprint scan, plus the user themselves) and credit card reader random number generators (PIN number, plus random number).
The Zurich-based group suggest that its methodology could be more convenient and attractive, given that users typically find two-factor authentication troublesome and time consuming in contrast to the lone use of passwords.
The presence of a user's smartphone acting as the second authenticator is an emerging area of development.
Smartphone-centric two-factor authentication
Current smartphone-centric two-factor authentication mechanisms require the user to interact with his or her phone to copy a verification code to the browser.
Other smartphone-centric two-factor authentication techniques capable of eliminating the user-to-phone interaction process do exist, but these systems typically necessitate the installation of additional software.
Researchers Nikolaos Karapanos, Claudio Marforio, Claudio Soriente and Srdjan Capkun have developed Sound-Proof -- a two-factor authentication mechanism that relies on the proximity of the user's phone to the device being used to log in.
The proximity of the two devices is verified by comparing the ambient noise recorded by their microphones. The software is claimed to work with current phones and major browsers without plugins.
The Sound-Proof team claims that this technology adds an average of five seconds (or less) to a password-only login operation.
A robust discriminant
“We build a prototype for both Android and iOS. We have provided empirical evidence that ambient noise is a robust discriminant to determine the proximity of two devices both indoors and outdoors -- and even if the phone is in a pocket or purse,” says the team, in its research paper.
When the user logs in, the two devices record the surrounding levels of ambient noise via their microphones. The phone compares the two recordings, determines if the computer is located in the same environment and then ultimately decides whether the login attempt is legitimate or fraudulent.
Sound-Proof is not designed to protect against targeted attacks where the attacker is co-located with the victim and has the victim's login credentials.
“As I predicted last year and the year before, the use of personal smartphones will play a greater role in the authentication of the user. I'm excited to see this technology implemented here this manner as there is still so much more potential with multi-factor authentication with your smartphone,” said TK Keanini, CTO at Lancope speaking to SC Magazine UK today.
“As this technology is put to use, we will all need to be attentive to the fact that it will be targeted by the best and brightest attackers. It is not the technology that will fall victim, but more likely the implementation. Some implementation weaknesses will be exploited at some point, so we must remain diligent with the monitoring and detection so that we can quickly remediate and move on.”