James Thew - Fotolia

Ambient sound could speed adoption of 2FA, say security researchers

Swiss researchers have proposed a two-factor authentication system that does not require user interaction to help speed adoption of strong security

Swiss researchers claim to have found a way of accelerating the adoption of two-factor authentication (2FA) by using ambient sound, requiring no extra time or effort by users.

Security experts say 2FA is key to online security and privacy, but uptake has been slow because of the extra time and effort required to log in to accounts.

A wide range of online services have introduced 2FA in recent months to defend against password theft, but these typically require users to retrieve text codes from mobile phones.

In a paper presented at the Usenix security symposium in Washington, researchers from the Swiss Federal Institute of Technology in Zurich set out a 2FA system that does not require user interaction.

Crucially, apart from a phone app, the system does not require users to install any additional software on the desktop or laptop, which distinguishes it from other 2FA systems that do not require user interaction.

The proposed system, dubbed Sound-Proof, uses ambient sound to confirm the proximity of a registered mobile phone to a sound-enabled computer being used to access an online service.

The system works by comparing ambient sound recorded using the microphones of the two devices when a Sound-Proof-enabled online service sends a request to the Sound-Proof phone app.

Audio recording and comparison are transparent to the user, say the researchers, so the user experience is similar to the one of password-only authentication.

According to the researchers, Sound-Proof can be easily deployed because it works with current phones and major HTL5-compliant browsers such as Chrome, Firefox and Opera without plugins.

Other major browsers like Internet Explorer are expected to adopt support for the key WebRTC (real time communication) application program interface (API) required for Sound-Proof, the researchers said.

To demonstrate Sound-Proof in action, the researchers have built a prototype for both Google’s Android and Apple’s iOS mobile operating systems.

The researchers claim their paper provides empirical evidence that ambient noise is a robust discriminant to determine the proximity of two devices both indoors and outdoors, even if the phone is in a pocket, handbag or backpack.

The paper also details a user study designed to compare the perceived usability of Sound-Proof with Google 2-Step Verification.

According to the paper, participants ranked Sound-Proof as more usable and the majority would be willing to use Sound-Proof even for scenarios in which two-factor authentication is optional.

The researchers concede that the system would not be foolproof if an attacker who had access to a password was in the same place as the target, but they said such targeted attacks will be uncommon.

“Sound-Proof improves the usability and deployability of 2FA and – as such – can foster large-scale adoption,” the research paper concludes.

Although Sound-Proof is just a test project, the researchers are working to improve the overall accuracy and performance of the system with a view to continue the work as a startup company, according to Wired.

Read more about 2FA

Read more on Privacy and data protection