Internet users who think two taps on a smartphone is two taps too much may soon be able to use seamless second factor authentication that verifies a person is in possession of their phone by matching ambient noise sound prints.
Researchers Nikolaos Karapanos, Claudio Marforio, Claudio Soriente, and Srdjan Capkun of the University of Zurich say identities can be verified by matching short sound recordings captured by user's phone with that recorded on a desktop or laptop.
The "Sound-Proof" verification process, which occurs without user interaction, can determine that a user and their two factor device are in the same room.
"One reason why two-factor authentication is so unpopular is the extra steps that the user must complete in order to log in," the team says in the paper Sound-Proof: Usable Two-Factor Authentication Based on Ambient Sound PDF]
"In Sound-Proof the second authentication factor is the proximity of the user’s phone to the device being used to log in.
"Audio recording and comparison are transparent to the user, so that the user experience is similar to the one of password-only authentication."
Sound-Proof with no or limited modification will will work on current model Android and iOS phones and is tested on the Samsung Galaxy S3, Google Nexus 4, and iPhone 6. It functions on new version WebRTC-compliant browsers such as Firefox and Chrome.
The researchers find ambient noise-based 2FA saves 25 seconds compared to app-tapping alternatives and as a result is preferable to Google's popular two factor authenticator app according to a user study.
Sound-Proof authentication overview.
The boffins also asked 32 folks, none security experts, how they feel about this form of 2FA: most said they would prefer it over no 2FA being used.
The team which presented the work at the USENIX security conference contends that ambient noise is a "robust" authentication mechanism, noting the smartphone app will work even if it records through a pocket or purse.
It "fares well" outdoors and will prompt users to "clear their throat" if they are in a particularly quiet area.
Users can login on a single device if it allows the web browser and the Sound-Proof app concurrent access to the phone microphone.
The researchers say the platform can also be used as a form of continuous authentication, and sports brute-force rate limiting and maintains logs of login attempts.
The app will fall back to conventional two factor authentication codes in the event of failure. ®