We’re all pretty used to two-factor authentication now, and it isn’t much of an inconvenience to have to type in a four-digit code when you log in from a new location. But some Swiss security researchers came up with a smart way to authenticate without even that tiny amount of work: ambient noise.
The idea behind multi-factor authentication is basically making sure that a login is by the actual user, not an impersonator or hacker. Sending a code to a second device owned by the user is one way to check, but it’s far from the only option.
Futurae is a spin-off company from the Swiss Federal Institute of Technology Zurich — ETHZ in Swiss — that uses the environment itself as an authentication token in a piece of software it calls Sound-Proof.
When a service wants to do an authentication check, it queries the device attempting to log in and the user’s personal device, probably a smartphone. It records 3 seconds of audio on each and compares them; if the two are substantially similar, the conclusion is that the user is in the same place as the device logging in, and therefore it must be legitimate, and the login proceeds.
For example, if the same part of the same song was playing in the background for both devices, or speech with the same peaks or words, that would be okay. But if the phone heard only birdsong and the laptop heard a crowd of voices, that would be a no go. The company claims it works if your phone is in your pocket, your bag or even an adjoining room.
If it’s totally quiet, ultrasound can be used in place of background noise, with the login-requesting device firing off a series of chirps inaudible to the human ear but able to be picked up by the app on the phone.
Naturally all this is compared strictly on the waveform level and the sounds sampled never leave the device.
Sure, it isn’t going to replace numerical tokens or dongles altogether, but it could be used as an additional factor or risk assessment technique.
Futurae recently won 130,000 Swiss francs (which are almost exactly equivalent to U.S. dollars right now) from the local Venture Kick competition; the company plans to use the cash to bring Sound-Proof from demo form to commercial product.