Two-factor authentication: Using random noise to make passwords stronger

There are several ways we can prove who we are when accessing our various accounts.  We can use one, two or three factors of authentication to do so.

Something you know
The most basic way of protecting access to your information is a single-password sign-on.  We use passwords all the time, for example when we log in to our e-mail or social media profiles.
However, passwords are easily compromised: they get phished, guessed, reused and leaked.  Two-factor authentication is therefore put in place so that a stolen password on its own is not enough to get in.

Something you have
The next level of protection validates you (the user of an account) based on something in your possession, typically a hardware token or an authenticator app on your phone.  When you activate the device it issues you a one-time password that is valid for a limited time and only for the purpose of accessing that account.
These are very popular for online banking because even if an attacker has your account credentials, the attacker can do very little when trying to use your account online without the authentication device.
This is why adding a "something you have" factor is considerably more secure than a single-password sign-in.

Something you are
Biometrics are probably the most recognizable form of "what-you-are" verification.  An image is produced from an initial scan of a physical part of the body, such as a fingerprint.
Specific characteristics of it are extracted and kept in the device's memory as a template to be matched during future authentications.  The possibilities for biometrics do not stop there: behaviour, such as a specific speech pattern or inflection, is also measurable and can be used as a third factor of authentication.

Back to the topic…
Now that we have covered the basics of authentication, it should be clear that one-factor authentication (i.e. using a password alone) is not adequate; we should, at a minimum, use two-factor authentication.

Two-factor authentication provides much better security than a password alone, and we really should enable it everywhere we can: e-mail, social media accounts, access to bank details.  However, one of the issues many of us have is that every time we want to log in to an account we have to get out our authentication token, activate the authentication code, and type it in.  If we type too slowly, the code changes (time-based tokens typically roll over every 30 seconds) and we have to start again.

Fortunately for those who are easily frustrated, researchers from the Swiss Federal Institute of Technology in Zurich (ETH Zurich) say they have found a way to make two-factor authentication painless.  In their paper, Sound-Proof: Usable Two-Factor Authentication Based on Ambient Sound (USENIX Security 2015), they describe their Sound-Proof tool.

When you try to log in to a site that has Sound-Proof installed, the server pushes a notification to an app on your phone.  Both your phone and your web browser then record a few seconds of ambient sound.  That noise is specific to that place and that moment: the clinking of a spoon in a cup of tea or the distant murmur of a conversation is all that is needed.  There is no need to unlock your phone or even take it out of your pocket or purse, as the recording is triggered automatically by the remote server.  The software then derives a compact fingerprint from each recording (a similarity measure, not a cryptographic signature) and uploads it to the server, which compares the two.  If they match closely enough, the server concludes that your phone is in the same room as the computer you are trying to log in from and grants access.

To protect your privacy, the app does not upload the audio itself, only the fingerprint derived from it, and to preserve battery life it does not start recording until it receives the push notification from the server.

There are some weaknesses.  The most obvious one is that someone who is in the same room and has your password could access your account.  There is also the possibility that someone watching the exact same TV broadcast as you might be able to spoof the request, depending on the other ambient sound in the room and on differences in broadcast latency.  However, the researchers think such targeted attacks will be uncommon.
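The co-location check at the heart of the scheme, and the same-room weakness just described, can both be seen in a small simulation.  The following is an added example and is not Sound-Proof's code: the paper's actual feature extraction and threshold are not reproduced here.  Instead two simulated microphones capture a constructed noise sequence with different gain, a start-time offset and independent sensor noise, and the "fingerprint" comparison is a plain normalised cross-correlation searched over a range of offsets.  The sample length, lag range and 0.5 threshold are assumptions chosen for the illustration:

```python
import math
import random

SAMPLES = 4000    # length of each simulated recording, in samples (assumed)
MAX_LAG = 50      # largest start-time offset, in samples, searched between the two devices (assumed)
THRESHOLD = 0.5   # hypothetical decision threshold, not Sound-Proof's tuned value


def ambient_sound(n: int, seed: int) -> list:
    """Constructed stand-in for room noise: smoothed Gaussian samples."""
    rng = random.Random(seed)
    raw = [rng.gauss(0.0, 1.0) for _ in range(n + 2)]
    # a three-tap moving average gives the sequence some low-frequency character
    return [(raw[i] + raw[i + 1] + raw[i + 2]) / 3.0 for i in range(n)]


def microphone(source: list, gain: float, delay: int, noise_std: float, seed: int) -> list:
    """Simulate one device hearing `source`: delayed start, different gain,
    plus that device's own independent sensor noise."""
    rng = random.Random(seed)
    n = len(source)
    out = []
    for i in range(n):
        j = i - delay
        heard = source[j] if 0 <= j < n else 0.0
        out.append(gain * heard + rng.gauss(0.0, noise_std))
    return out


def zscore(x: list) -> list:
    """Remove mean and scale to unit variance so gain differences do not matter."""
    n = len(x)
    mean = sum(x) / n
    var = sum((v - mean) ** 2 for v in x) / n
    std = math.sqrt(var) if var > 0 else 1.0
    return [(v - mean) / std for v in x]


def similarity(a: list, b: list, max_lag: int = MAX_LAG) -> float:
    """Largest normalised cross-correlation between a and b over lags in
    [-max_lag, max_lag]: 1.0 means identical up to gain, about 0 means unrelated."""
    a, b = zscore(a), zscore(b)
    n = len(a)
    best = -1.0
    for lag in range(-max_lag, max_lag + 1):
        lo, hi = max(0, lag), min(n, n + lag)   # indices i for which b[i - lag] exists
        acc = 0.0
        for i in range(lo, hi):
            acc += a[i] * b[i - lag]
        best = max(best, acc / (hi - lo))
    return best


def same_room(browser_rec: list, phone_rec: list, threshold: float = THRESHOLD) -> bool:
    """The server-side decision: accept the login if the two recordings correlate."""
    return similarity(browser_rec, phone_rec) >= threshold


def demo() -> dict:
    room = ambient_sound(SAMPLES, seed=1)
    browser = microphone(room, gain=1.0, delay=0, noise_std=0.2, seed=2)
    # legitimate phone in the same room: later start and quieter, but the same sound
    phone = microphone(room, gain=0.7, delay=7, noise_std=0.2, seed=3)
    # attacker's phone in another room hears unrelated sound
    elsewhere = microphone(ambient_sound(SAMPLES, seed=4), gain=1.0, delay=0, noise_std=0.2, seed=5)
    # attacker standing in the same room hears the same sound and passes as well
    intruder = microphone(room, gain=0.5, delay=30, noise_std=0.2, seed=6)
    return {
        "phone_in_room": same_room(browser, phone),
        "phone_elsewhere": same_room(browser, elsewhere),
        "attacker_in_room": same_room(browser, intruder),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Running it shows the legitimate phone accepted despite its start-time offset, a phone hearing a different room rejected, and an attacker's phone in the same room accepted too, which is the first weakness above expressed in code: sound proves proximity, not identity.  The offset search is the part a practitioner must not skip; if the two devices are not aligned to within the lag window, a genuine phone correlates no better than a stranger's.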

For now, Sound-Proof is just a research project.  In the meantime it is advisable to use the two-factor authentication options currently available for your various accounts, as they are far better than relying on a password alone.
