Sound-Proof: Usable Two-Factor Authentication Based on Ambient Sound

Two-factor authentication protects online accounts even if passwords are leaked. Most users, however, prefer password-only authentication. One reason why two-factor authentication is so unpopular is the extra steps that the user must complete in order to log in. Currently deployed two-factor authentication mechanisms require the user to interact with his phone to, for example, copy a verification code to the browser. Two-factor authentication schemes that eliminate user-phone interaction exist, but require additional software to be deployed. In this paper we propose Sound-Proof, a usable and deployable two-factor authentication mechanism. Sound-Proof does not require interaction between the user and his phone. In Sound-Proof the second authentication factor is the proximity of the user's phone to the device being used to log in. The proximity of the two devices is verified by comparing the ambient noise recorded by their microphones. Audio recording and comparison are transparent to the user, so that the user experience is similar to that of password-only authentication. Sound-Proof can be easily deployed as it works with current phones and major browsers without plugins. We build a prototype for both Android and iOS. We provide empirical evidence that ambient noise is a robust discriminant to determine the proximity of two devices both indoors and outdoors, and even if the phone is in a pocket or purse. We conduct a user study designed to compare the perceived usability of Sound-Proof with Google 2-Step Verification. Participants ranked Sound-Proof as more usable and the majority would be willing to use Sound-Proof even for scenarios in which two-factor authentication is optional.
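The comparison step described in the abstract, sketched as an added example (not the Sound-Proof authors' code): two recordings are scored by their maximum normalized cross-correlation over a bounded lag, and the second factor is accepted when the score clears a threshold. The scoring method, the lag bound, the threshold and the sample recordings are all assumptions constructed for illustration.

```python
import math
import random

def xcorr_at_lag(a, b, lag):
    """Normalized correlation of a[i] with b[i + lag] over their overlap."""
    if lag >= 0:
        x, y = a[:len(a) - lag], b[lag:]
    else:
        x, y = a[-lag:], b[:len(b) + lag]
    n = min(len(x), len(y))
    if n < 2:
        return 0.0
    x, y = x[:n], y[:n]
    mx, my = sum(x) / n, sum(y) / n
    num = sum((p - mx) * (q - my) for p, q in zip(x, y))
    den = math.sqrt(sum((p - mx) ** 2 for p in x) * sum((q - my) ** 2 for q in y))
    return num / den if den else 0.0

def similarity(a, b, max_lag):
    """Best (score, lag) within +/- max_lag samples; the bound absorbs clock offset."""
    return max((xcorr_at_lag(a, b, lag), lag) for lag in range(-max_lag, max_lag + 1))

def same_environment(browser_rec, phone_rec, max_lag=20, threshold=0.3):
    """Second-factor decision; max_lag and threshold are illustrative assumptions."""
    score, _ = similarity(browser_rec, phone_rec, max_lag)
    return score >= threshold

def constructed_recordings(n=2000, delay=7, seed=1):
    """Constructed sample data: white noise stands in for ambient sound."""
    rng = random.Random(seed)
    ambient = [rng.gauss(0, 1) for _ in range(n)]
    browser = list(ambient)
    # Phone in a pocket: same sound, delayed and attenuated, plus its own sensor noise.
    phone = [0.4 * (ambient[i - delay] if i >= delay else 0.0) + 0.3 * rng.gauss(0, 1)
             for i in range(n)]
    # Phone somewhere else: an unrelated environment.
    remote = [rng.gauss(0, 1) for _ in range(n)]
    return browser, phone, remote

if __name__ == "__main__":
    browser, phone, remote = constructed_recordings()
    print("co-located:", similarity(browser, phone, 20), same_environment(browser, phone))
    print("remote:    ", similarity(browser, remote, 20), same_environment(browser, remote))
```

The attenuated, noisy co-located recording still scores far above the unrelated one, which is the property the abstract relies on when the phone is in a pocket or purse.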
