Four researchers from ETH Zurich (N. Karapanos, C. Marforio, C. Soriente and S. Capkun) presented at the last USENIX Security Symposium (the 24th, in 2015) an innovative two-factor authentication method that is extremely user-friendly. Like many current 2FA schemes, it relies on the user's cell phone. However, the interaction with the phone is transparent to the user.
The user starts the login with the usual username/password step on her or his device (in the prototype, the browser records through the microphone of the laptop). Then both this device and the user's cell phone record a few seconds of ambient sound. The two recordings are compared to check whether they match, i.e., whether they were captured in the same environment at the same time. If they match, the authentication succeeds. The phone captures the sound without any action from the user; it may even stay in the user's trouser or shirt pocket.
Obviously, this scheme does not prevent co-located attacks, i.e., an attacker who has the victim's credentials and is physically close to the victim, so that both devices hear the same sound. Since the victim is not aware of the audio capture, such an attack would succeed. Nevertheless, many realistic scenarios, in particular remote attacks with stolen credentials, are not co-located and therefore fail the check.
In the proof of concept, the cell phone performs the comparison and returns the result to the login server. I do not see a reason this check could not be carried out by the server rather than by the phone: the phone would upload its recording and the server would compare it with the one captured by the login device. This modification would remove one security assumption from the trust model: the integrity of the software executing on the phone. The comparison would be more trustworthy on the server, at the cost of shipping the phone's recording to it.
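To make the comparison step concrete, here is a toy model of the check, written for this post and not code from the Sound-Proof authors. Real microphone input is replaced by constructed signals (low-pass filtered random noise standing in for room sound, each device adding its own independent microphone noise), and a pair of captures is scored by its peak normalized cross-correlation over a small lag window, which is the intuition behind the paper's similarity test. The sample length, lag window, noise levels and the 0.5 threshold are assumptions chosen for the illustration; the paper's actual pipeline (splitting into frequency bands, calibrated thresholds) is not reproduced. The three scenarios run are the legitimate login, a remote attacker with stolen credentials, and a co-located attacker.

```python
"""Toy model of the Sound-Proof ambient-sound comparison (illustration only).

Synthetic signals stand in for microphone captures; the decision is the
peak normalized cross-correlation of the two captures over a small lag window.
"""
import math
import random

SAMPLES = 3000      # length of each capture (assumed, not the paper's figures)
MAX_LAG = 80        # how far apart the two recordings may start (assumed)
THRESHOLD = 0.5     # accept when the peak correlation reaches this (assumed)


def ambient_sound(n, seed, smoothing=4):
    """Constructed stand-in for room noise: low-passed white noise.
    Different seeds give independent 'rooms'."""
    rng = random.Random(seed)
    white = [rng.gauss(0.0, 1.0) for _ in range(n + smoothing)]
    return [sum(white[i:i + smoothing]) / smoothing for i in range(n)]


def microphone_capture(source, start, mic_noise, seed):
    """One device recording `source` from sample `start`, with its own
    independent microphone noise (Gaussian, std = mic_noise)."""
    rng = random.Random(seed)
    return [s + rng.gauss(0.0, mic_noise) for s in source[start:start + SAMPLES]]


def normalized_xcorr(a, b, max_lag=MAX_LAG):
    """Peak normalized cross-correlation of a and b over lags in
    [-max_lag, max_lag]. Returns (score in [-1, 1], lag at the peak),
    where a positive lag means b started `lag` samples after a."""
    best_score, best_lag = -1.0, 0
    for lag in range(-max_lag, max_lag + 1):
        if lag >= 0:
            x, y = a[lag:], b[:len(b) - lag]
        else:
            x, y = a[:len(a) + lag], b[-lag:]
        n = min(len(x), len(y))
        x, y = x[:n], y[:n]
        dot = sum(p * q for p, q in zip(x, y))
        energy = math.sqrt(sum(p * p for p in x) * sum(q * q for q in y))
        score = dot / energy if energy else 0.0
        if score > best_score:
            best_score, best_lag = score, lag
    return best_score, best_lag


def sound_proof_decision(browser_capture, phone_capture, threshold=THRESHOLD):
    """Second-factor check: accept iff the two captures correlate strongly.
    Only the two recordings are needed, so this can run on the phone (as in
    the proof of concept) or on the server."""
    score, lag = normalized_xcorr(browser_capture, phone_capture)
    return score >= threshold, score, lag


def scenario(victim_room_seed, login_room_seed, phone_offset):
    """The victim's phone records in the victim's room; the login device
    records in the login room (same seed = same room). `phone_offset` is
    the start-time difference in samples. Returns (accepted, score, lag)."""
    room_victim = ambient_sound(SAMPLES + 2 * MAX_LAG, victim_room_seed)
    room_login = ambient_sound(SAMPLES + 2 * MAX_LAG, login_room_seed)
    browser = microphone_capture(room_login, MAX_LAG, 0.1, seed=11)
    phone = microphone_capture(room_victim, MAX_LAG + phone_offset, 0.1, seed=22)
    return sound_proof_decision(browser, phone)


if __name__ == "__main__":
    # Legitimate login: same room, phone started 37 samples later.
    print("legitimate   ", scenario(1, 1, 37))
    # Remote attacker with stolen password: different room, no correlation.
    print("remote attack", scenario(1, 2, 0))
    # Co-located attacker: same room as the victim, so the check passes.
    print("co-located   ", scenario(1, 1, -20))
```

The decision function only needs the two recordings and a threshold, which is the point made above: nothing in it depends on where it runs, so moving it from the phone to the server changes the trust model, not the algorithm. The co-located case shows the limitation of the approach directly: the attacker's capture correlates just as well as the victim's own.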
A very interesting concept.
Karapanos, Nikolaos, Claudio Marforio, Claudio Soriente, and Srdjan Capkun. “Sound-Proof: Usable Two-Factor Authentication Based on Ambient Sound.” In 24th USENIX Security Symposium (USENIX Security 15), 483–98. Washington, D.C.: USENIX Association, 2015. https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/karapanos.