What is "Sound-Proof" which uses "sound" to perform two-step authentication of online accounts?

ByDeclan ™

"Two-step authentication" which transmits double digit by sending an authentication number to your smartphone etc. for the purpose of protecting the account information of the web service can prevent account hijacking even if a password leaks by any chance It is an effective means. However, with 2-step authentication, it is necessary to read the authentication number displayed on the smartphone and input it to the PC, which takes more time and effort than normal login. By omitting such troublesome work, we will automatically perform 2-step authentication by using the surrounding "sound"Sound-Proof"Was announced.

Sound-Proof
http://sound-proof.ch/

Sound-Proof: Usable Two-Factor Authentication Based on Ambient Sound | USENIX
https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/karapanos

The Noise Around You Could Strengthen Your Passwords | WIRED
http://www.wired.com/2015/08/noise-around-strengthen-passwords/

With 2-step verification using "Sound-Proof", you can just put a registered smartphone near the terminal such as PC you want to login to web service, and you do not need to open the screen of the smartphone. Two terminals detect the ambient noises and compare each other's collected sounds to authenticate account information. Since sound collection and authentication are done automatically, the user just has to wait without doing anything. At the time of writing the article, Sound-Proof is compatible with major browsers such as Chrome, Firefox, Opera.

To perform 2-step authentication using Sound-Proof, first set up the smartphone so that it can be used as a terminal for authentication. In addition, we do not need applications etc. when registering terminals.


And just as usual you just log in to webmail and shopping site on PC. Two-step authentication is done without problem even if smartphones are put in pocket or bag.


2-step verification is done in less than 3 seconds, and it takes time and effort to "confirm the authentication number on the screen of the smartphone and enter it on the PC" as before. Also, when comparing the two sounds, since the smartphone generates a "digital signature" based on the surrounding sound and uploads this data to the server, the recorded sound is used as it is Privacy is protected so that personal information never leaks.


Demonstration of 2-step authentication using Sound-Proof is as follows. First of all, log in to web service using PC as usual.


Then the PC and smartphone automatically start recording the surrounding sound.


Comparing and authenticating sounds recorded by two devices, logging in using 2-step authentication in just about 2 seconds is completed.


Next, experiment with the smartphone kept in the bag.


Logging in to web service ......


Recording of environmental sound automatically starts ......


Authentication succeeded.


On the other hand, there is concern that Sound-Proof 2-step authentication may be overcome if an attacker who illegally obtains a password is near the user or watching the same TV program. About this vulnerability, in the paper, "There are few attacks targeting specific users, although there are risks, there are certainly risks, but two-step verification should be used to protect your account."

The research team of Zurich Technical University, Switzerland, created Sound-Proof. Claudio Marforio, a member, said, "We are planning to continue researching Sound-Proof in the future, and we are now improving the system to increase the speed of authentication and increase the accuracy of comparing the sounds sensed by the two terminals We are in the process and we hope to establish a startup eventually using the technology of Sound-Proof. "