Last year, after nude photos apparently stolen from various celebrities’ iCloud accounts began circulating on Reddit, Apple responded by telling people to enable a feature called “two-factor authentication.”
The idea is simple. When you try to log in to your iCloud account, Apple sends your phone a four-digit code that you have to enter in addition to your password. That way, someone who only has your password can’t get in; to hijack your account they would also need that code, which in practice means getting hold of your phone.
Two-factor authentication provides much better security than a password alone, and you really should enable it everywhere you can: Gmail, Facebook, Twitter, your bank. But it has one big problem: it’s annoying. Every time you want to log in to a site, you have to get your phone out, unlock it, find the authentication code, and type it in. If you type too slowly, the code expires and you have to start over. For far too many people this is just too big a hassle, so they leave themselves open to attack.
But a team of researchers from ETH Zurich, the Swiss Federal Institute of Technology, says it has found a way to make two-factor authentication painless. In a paper they will present Thursday at the USENIX Security Symposium, the team describes a tool they’ve built called Sound-Proof.
When you try to log in to a site that has Sound-Proof installed, the server pings an app on your phone. Then both your phone and your web browser record a few seconds of ambient sound. You don’t need to unlock your phone or even take it out of your pocket or purse, because the recording is triggered automatically by the server. The software then reduces each recording to a compact acoustic fingerprint (not a cryptographic signature, despite the name some descriptions use) and uploads it to the server, which compares the two. If they match, the server takes that as evidence that your phone is in the same room as the computer you’re logging in from and lets you in. The hum of an air conditioner, the clinking of silverware against a plate, or the distant murmur of traffic is all the server needs.
You can think of it as a bit like Shazam, the mobile app that identifies songs playing in a bar or a restaurant by comparing their unique sonic qualities. But Claudio Marforio, one of the co-authors of the paper, tells Wired in an email that the underlying algorithms are completely different. “We tried to use a similar approach in a first prototype but it was not yielding good results, most probably due to the different usage scenario,” Marforio says.
To protect your privacy, the app doesn’t upload the audio itself, just the fingerprint derived from it. And to preserve battery life, it doesn’t start recording until it receives the push notification from the server.
The paper also includes the results of a usability study the team conducted, which found that most of the people polled would, given the choice, prefer Sound-Proof to Google’s two-factor system in at least some situations. But the Sound-Proof team aren’t the only ones trying to make two-factor authentication easier. Companies like Authy have built apps that pass the second factor over Bluetooth without any user interaction. The catch is that this requires extra software on the computer as well, which doesn’t help when you log in from someone else’s machine. Sound-Proof, on the other hand, requires a mobile app but no plugins or other software on the desktop or laptop; the browser’s own microphone support is enough.
There are, of course, weaknesses. The most obvious one is that the check proves proximity, not identity: someone in the same room as you, at a coffee shop for example, who also has your password could log in as you, and because nothing on your phone asks for confirmation, you would get no prompt to refuse. There is also the possibility that an attacker watching the exact same TV or radio broadcast that you are could produce a matching recording, depending on the other ambient sound in the room and on differences in broadcast latency. But the researchers think such targeted attacks will be uncommon. And besides, they argue, it would be far better than not using two-factor authentication at all, which their research suggests is the far more likely outcome.
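To make the comparison step and the co-located-attacker weakness concrete, here is a toy model written for this page; it is not the researchers’ Sound-Proof code. The “ambient sound” is constructed from seeded pseudo-random noise so that it runs offline and deterministically, the two devices are modelled as starting their recordings a few milliseconds apart, and the sample rate, lag window and acceptance threshold are assumptions chosen for the toy. The real system’s comparison is more elaborate; this one uses a single broadband normalized cross-correlation, which is enough to show why a recording from the same room passes, a recording from another room fails, and an attacker at the next table passes just as easily as you do.

```python
"""Toy Sound-Proof style proximity check (added example, not the paper's code).

A login attempt takes the browser's recording and the phone's recording,
finds the best normalized cross-correlation over a small window of
start-time offsets, and accepts when that score clears a threshold.
All constants below are assumptions for this toy, not values from the paper.
"""
import math
import random

SAMPLE_RATE = 8000             # assumed: 8 kHz mono audio
N_SAMPLES = SAMPLE_RATE // 2   # half a second per recording
MAX_LAG = 40                   # assumed: tolerate up to 5 ms of start-time offset
THRESHOLD = 0.5                # assumed: minimum score to treat the devices as co-located


def room_sound(seed, length=N_SAMPLES + 2 * MAX_LAG):
    """Constructed ambient noise for one room: low-passed Gaussian noise plus
    occasional decaying bursts (a door, a clinking glass). Different seeds give
    statistically independent rooms."""
    rng = random.Random(seed)
    raw = [rng.gauss(0.0, 1.0) for _ in range(length + 3)]
    samples, burst = [], 0.0
    for i in range(length):
        if rng.random() < 0.002:          # a new impulsive event...
            burst = rng.uniform(0.5, 1.0)
        burst *= 0.98                     # ...that decays over ~50 samples
        smooth = sum(raw[i:i + 4]) / 4.0  # crude moving-average low-pass filter
        samples.append(smooth + burst * rng.uniform(-1.0, 1.0))
    return samples


def record(room, lag, gain, mic_noise, seed):
    """What one microphone hears: the room's sound shifted by `lag` samples
    (devices never start at the same instant), attenuated by `gain` (a phone
    in a pocket hears less), plus independent sensor noise."""
    rng = random.Random(seed)
    start = MAX_LAG - lag
    return [gain * s + rng.gauss(0.0, mic_noise) for s in room[start:start + N_SAMPLES]]


def ncc_at_lag(x, y, k):
    """Normalized cross-correlation of x against y shifted by k samples."""
    if k >= 0:
        a, b = x[:len(x) - k], y[k:]
    else:
        a, b = x[-k:], y[:len(y) + k]
    sab = sum(p * q for p, q in zip(a, b))
    saa = sum(p * p for p in a)
    sbb = sum(q * q for q in b)
    if saa == 0.0 or sbb == 0.0:
        return 0.0
    return sab / math.sqrt(saa * sbb)


def similarity(browser_rec, phone_rec, max_lag=MAX_LAG):
    """Best correlation over every start-time offset within +/- max_lag."""
    return max(ncc_at_lag(browser_rec, phone_rec, k) for k in range(-max_lag, max_lag + 1))


def sound_proof_login(password_ok, browser_room, phone_room, phone_lag=7, seed=100):
    """One login attempt. The sound check only runs once the password is right;
    the push to the phone, both recordings and the comparison need no user action.
    Returns (accepted, score)."""
    if not password_ok:
        return False, 0.0
    browser_rec = record(browser_room, lag=0, gain=1.0, mic_noise=0.1, seed=seed)
    # phone in a pocket: delayed start, muffled, slightly noisier microphone
    phone_rec = record(phone_room, lag=phone_lag, gain=0.4, mic_noise=0.08, seed=seed + 1)
    score = similarity(browser_rec, phone_rec)
    return score >= THRESHOLD, score


VICTIM_ROOM = room_sound(seed=1)     # constructed: the room the victim's phone is in
ATTACKER_ROOM = room_sound(seed=2)   # constructed: an unrelated room elsewhere


def legit_login():
    """Victim logs in from a laptop in the same room as their phone."""
    return sound_proof_login(True, VICTIM_ROOM, VICTIM_ROOM)


def remote_attacker():
    """Attacker has the password but sits in another room, city or country."""
    return sound_proof_login(True, ATTACKER_ROOM, VICTIM_ROOM)


def colocated_attacker():
    """Attacker has the password and sits at the next table: same ambient sound."""
    return sound_proof_login(True, VICTIM_ROOM, VICTIM_ROOM, phone_lag=-12)


if __name__ == "__main__":
    for name, attempt in [("legitimate user", legit_login),
                          ("remote attacker", remote_attacker),
                          ("co-located attacker", colocated_attacker)]:
        ok, score = attempt()
        print(f"{name:20s} score={score:.2f} -> {'ACCEPT' if ok else 'REJECT'}")
```

The remote attacker is stopped because two independent rooms correlate at roughly zero whatever the lag, while the legitimate phone, even muffled in a pocket and started a few milliseconds late, scores high. The co-located attacker scores just as high, which is the weakness the article describes: the phone never asks the user anything, so the only thing standing between a nearby attacker with the password and the account is the threshold.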
For now, Sound-Proof is just a research project, but Marforio says that may change soon. “At the moment we are trying to improve the overall performance of the system to make the login even faster and to better compare the two audio samples in order to further improve the accuracy,” he says. “The idea is to continue working on it as a startup.”