Sound-Proof: Usable Two-Factor Authentication Based on Ambient Sound (1503.03790v3)

Abstract: Two-factor authentication protects online accounts even if passwords are leaked. Most users, however, prefer password-only authentication. One reason why two-factor authentication is so unpopular is the extra steps that the user must complete in order to log in. Currently deployed two-factor authentication mechanisms require the user to interact with his phone to, for example, copy a verification code to the browser. Two-factor authentication schemes that eliminate user-phone interaction exist, but require additional software to be deployed. In this paper we propose Sound-Proof, a usable and deployable two-factor authentication mechanism. Sound-Proof does not require interaction between the user and his phone. In Sound-Proof the second authentication factor is the proximity of the user's phone to the device being used to log in. The proximity of the two devices is verified by comparing the ambient noise recorded by their microphones. Audio recording and comparison are transparent to the user, so that the user experience is similar to the one of password-only authentication. Sound-Proof can be easily deployed as it works with current phones and major browsers without plugins. We build a prototype for both Android and iOS. We provide empirical evidence that ambient noise is a robust discriminant to determine the proximity of two devices both indoors and outdoors, and even if the phone is in a pocket or purse. We conduct a user study designed to compare the perceived usability of Sound-Proof with Google 2-Step Verification. Participants ranked Sound-Proof as more usable and the majority would be willing to use Sound-Proof even for scenarios in which two-factor authentication is optional.

• The paper introduces Sound-Proof, a two-factor authentication method that uses ambient sound comparison to verify user proximity, aiming to improve usability and deployment.
• User studies show Sound-Proof has a significantly higher System Usability Scale (SUS) score (91.09) than Google 2SV (79.45) and a low Equal Error Rate (EER) of 0.0020, demonstrating high usability and efficacy.
• Sound-Proof offers broad compatibility with existing smartphone and browser technologies and requires minimal user interaction, potentially increasing 2FA adoption despite a vulnerability to co-located attacks.

Overview of Sound-Proof: Usable Two-Factor Authentication Based on Ambient Sound

The paper presents Sound-Proof, a two-factor authentication (2FA) mechanism that leverages ambient sound to verify user proximity, providing a robust yet user-friendly solution to the deployment of 2FA. This innovation addresses the pervasive issue of user dissatisfaction with traditional 2FA methods, which often involve cumbersome user-phone interactions.

Sound-Proof capitalizes on existing infrastructure, requiring no additional hardware or software installations on devices beyond a mobile application, thereby enhancing its deployability. The mechanism primarily relies on comparing ambient noise recorded by the microphones of both the user's phone and the device used for login, verifying proximity without requiring any action from the user.

Key Findings

The research highlights several critical findings from both evaluations and user studies:

• Deployment and Compatibility: Sound-Proof can be seamlessly integrated with current smartphone and browser technologies, such as HTML5-compliant browsers utilizing the WebRTC API. This feature ensures broad compatibility across various platforms.
• Usability Assessment: Through a user paper comparing Sound-Proof with Google 2-Step Verification (2SV), it was found that participants rated Sound-Proof significantly higher in terms of usability, recording a System Usability Scale (SUS) score of 91.09 compared to Google 2SV's 79.45. Notably, the login time with Sound-Proof was markedly reduced, enhancing user experience.
• Numerical Evidence: The paper reports that the Equal Error Rate (EER) for Sound-Proof was minimized to 0.0020 under optimal settings, demonstrating its efficacy in distinguishing legitimate from fraudulent login attempts. Furthermore, the method performed reliably across various environments, user activities, and phone placements.

Implications and Discussion

The implications of Sound-Proof extend beyond mere usability improvements. It suggests a paradigm shift towards more seamless authentication experiences, potentially leading to broader adoption of 2FA by reducing user resistance. This could be particularly beneficial in contexts such as online banking or email accounts, where robust security is paramount, yet user friction needs to be minimized.

Theoretically, Sound-Proof contributes to a wider discourse on user-centric security measures, emphasizing minimal interaction and transparency. Practically, it addresses an immediate need for deployable, non-intrusive security solutions that do not compromise on safety or accessibility.

Despite these strengths, the research acknowledges the limitations of Sound-Proof, particularly its vulnerability to co-located attacks. This trade-off highlights a critical consideration in security design: balancing user convenience with sufficient security measures against sophisticated threats.

Conclusion

Sound-Proof exemplifies an innovative approach to 2FA, demonstrating both feasibility and enhanced user experience through empirical studies. By minimizing user-phone interaction, it holds promise for increased adoption of 2FA, essential in an era where digital security and user convenience are equally prioritized. As the research trajectory in AI and security evolves, Sound-Proof serves as a testament to the potential of ambient intelligence in enhancing digital authentication processes. Future work could explore integrating multi-modal sensor data to further fortify and broaden the applicability of such security measures.