Character passwords alone aren’t very secure, but we continue to use them simply because two-factor authentication—which, in the case of online accounts, usually includes entering a character password as well as another piece of info sent to a mobile device—is tedious and time-consuming.
Researchers have, however, just discovered a way to breeze through that second step. What they’re calling “Sound-Proof” is a two-factor authentication mechanism that’s transparent to users and unlocks your account simply by having your phone nearby.
Here’s how it works: A user logs into their account with their password as per usual. Then, the computer and phone record the ambient noise via their microphones. The phone then compares the two recordings to determine if the computer is located in the same environment and ultimately decide whether the login attempt is legitimate or fraudulent.
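As an added illustration of the comparison step described above (not code from the researchers or from this article), the sketch below shows a phone-side accept/reject decision over two recordings. The article does not say how the recordings are compared, so the normalized cross-correlation, the lag window, the 0.5 threshold and all function names are assumptions, and the recordings are constructed sample data.

```python
import math
import random

def correlation_at_lag(a, b, lag):
    """Pearson correlation of the overlap of a and b, pairing a[k + lag] with b[k]."""
    if lag >= 0:
        x, y = a[lag:], b[:len(b) - lag]
    else:
        x, y = a[:len(a) + lag], b[-lag:]
    n = min(len(x), len(y))
    if n == 0:
        return 0.0
    x, y = x[:n], y[:n]
    mx, my = sum(x) / n, sum(y) / n
    num = sum((p - mx) * (q - my) for p, q in zip(x, y))
    den = math.sqrt(sum((p - mx) ** 2 for p in x) * sum((q - my) ** 2 for q in y))
    return num / den if den else 0.0

def similarity(a, b, max_lag=20):
    """Best correlation over a window of lags: the two devices never start
    recording at exactly the same instant, so a zero-lag check is not enough."""
    return max(correlation_at_lag(a, b, lag) for lag in range(-max_lag, max_lag + 1))

def phone_accepts(computer_rec, phone_rec, threshold=0.5):
    """Phone-side decision (assumed threshold): accept the login only if the
    two recordings look like the same acoustic environment."""
    return similarity(computer_rec, phone_rec) >= threshold

def constructed_samples(seed=1, n=1500, offset=7, mic_noise=0.3):
    """Constructed data: one room sound heard by two noisy microphones that
    started `offset` samples apart, plus an unrelated recording standing in
    for a login attempt made from a different environment."""
    rng = random.Random(seed)
    room = [rng.gauss(0, 1) for _ in range(n + offset)]
    computer = [room[i + offset] + mic_noise * rng.gauss(0, 1) for i in range(n)]
    phone = [room[i] + mic_noise * rng.gauss(0, 1) for i in range(n)]
    elsewhere = [rng.gauss(0, 1) for _ in range(n)]
    return computer, phone, elsewhere

if __name__ == "__main__":
    computer, phone, elsewhere = constructed_samples()
    print("same room:       ", round(similarity(computer, phone), 3),
          phone_accepts(computer, phone))
    print("different room:  ", round(similarity(elsewhere, phone), 3),
          phone_accepts(elsewhere, phone))
    print("same room, lag 0:", round(similarity(computer, phone, max_lag=0), 3))
```

The last line shows why the lag search matters: without it, two recordings of the same room that started a few samples apart look unrelated and a legitimate login would be rejected.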
The authentication method was developed by Nikolaos Karapanos, Claudio Marforio, Claudio Soriente and Srdjan Capkun, four researchers at the Institute of Information Security at ETH Zurich. They recently published their findings on the arXiv server and presented them at the Usenix conference in Washington, DC.
“The security of Sound-Proof stems from the attacker’s inability to guess the sound in the victim’s environment at the time of the attack,” their report reads.
In their tests, the researchers found that Sound-Proof adds only about five seconds to a password-only login operation, which is a significant improvement over the 25 seconds traditional methods of two-factor verification take. Additionally, it can be used with current phones and with major browsers without any plugin.