Nitesh Saxena and Prakash Shrestha of the University of Alabama at Birmingham have developed a new two-factor authentication (2FA) method, Listening-Watch, that aims to be both low-effort for the user and secure. It relies on a wearable device and speech signals, and is designed to resist both near (proximity) and far (remote) attacks.
The Listening-Watch system uses an activity tracker or a smartwatch together with random, browser-generated speech sounds. It is a redesign that builds on the earlier “Sound-Proof” approach, which relied on ambient sounds and turned out to be “completely vulnerable” both to attackers physically near the user and to remote attackers.
With Listening-Watch, the browser would play back “a short random code encoded into human speech” when a user attempts to login. “The login succeeds if the watch’s audio recording contains this code (decoded via speech recognition technology) and is similar enough to the browser’s audio recording (i.e., audio recorded through the microphone at the login terminal).”
Two key security features in Listening-Watch
Saxena, Ph.D., professor in the College of Arts and Sciences Department of Computer Science at University of Alabama at Birmingham (UAB), told UAB News, “Listening-Watch offers two key security features. It uses random code encoded into speech to withstand remote attackers. Low-sensitivity microphones found in current wearable devices cannot capture distant sounds, which will thwart proximity attackers.”
UAB News added:
In a real-world scenario, two-factor authentication using “Listening-Watch” would be implemented by using an application installed on the wearable device. Push messages would prompt the device to record and decode speech sounds played by the browser. When a user attempts to log in, the browser of the primary device, such as a PC terminal, laptop, smartphone or tablet, plays back a short random code encoded into human speech, and the login succeeds if the watch’s audio recording contains the same code and is similar enough to the browser’s audio recording. The speech is decoded using voice recognition technology.
Even if a remote attacker knew the user’s environment, his or her attacks against Listening-Watch would reportedly fail, “since authentication success relies upon the presence of the random code in watch’s recordings.”
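The two checks described above, the watch must have heard the browser's fresh random code and its recording must be similar enough to the terminal's own recording, can be seen working in a small simulation. The following is an added example written for this article, not the authors' implementation. It makes two labelled stand-ins so that it runs offline: the browser "speaks" each digit of the code as a pure tone (rather than human speech), and "speech recognition" is a per-digit Goertzel tone detector; the sample rate, tone table, correlation threshold and all four recordings are constructed for the demonstration. The decision rule itself is the one the article states, and the scenarios mirror the remote attacker (the watch never hears the code), the proximity attacker (the code is played too far from a low-sensitivity microphone) and a replay of a previous session's code.

```python
"""Toy model of the Listening-Watch login decision (added example, not the
authors' code). Assumed stand-ins: the browser "speaks" the random code as
one tone per digit instead of human speech, and "speech recognition" is a
per-slot single-bin DFT (Goertzel) test. The decision rule is the one the
article describes: the watch recording must decode to the browser's random
code AND correlate strongly enough with the terminal's own recording."""
import math
import random

RATE = 8000                                          # samples/s (assumed)
SLOT = int(RATE * 0.1)                               # 100 ms per digit (assumed)
TONES = {str(d): 600 + 100 * d for d in range(10)}   # digit -> Hz (assumed)
CORR_THRESHOLD = 0.5                                 # similarity cut-off (assumed)
MAX_LAG = 60                                         # tolerated watch/terminal offset in samples (assumed)


def synth_code(code):
    """Terminal playback of `code`: one unit-amplitude tone per digit."""
    return [math.sin(2 * math.pi * TONES[ch] * i / RATE)
            for ch in code for i in range(SLOT)]


def mic_capture(playback, attenuation, noise_amp, rng, offset=0):
    """A microphone at some distance: scale the sound, add noise, start `offset` samples late."""
    heard = [0.0] * offset + [s * attenuation for s in playback]
    return [s + rng.gauss(0.0, noise_amp) for s in heard]


def goertzel_mag(samples, freq):
    """Magnitude of the DFT bin at `freq` (Goertzel algorithm)."""
    k = 2.0 * math.cos(2.0 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + k * s1 - s2
        s2, s1 = s1, s0
    return math.sqrt(s1 * s1 + s2 * s2 - k * s1 * s2)


def decode_code(samples, n_digits, min_ratio=3.0):
    """Stand-in for speech transcription: per slot, accept the strongest tone only if
    it clearly dominates the other nine; otherwise nothing intelligible was heard."""
    digits = []
    for j in range(n_digits):
        slot = samples[j * SLOT:(j + 1) * SLOT]
        if len(slot) < SLOT:
            return None
        mags = {d: goertzel_mag(slot, f) for d, f in TONES.items()}
        best = max(mags, key=mags.get)
        rest = [m for d, m in mags.items() if d != best]
        if mags[best] < min_ratio * (sum(rest) / len(rest) + 1e-9):
            return None          # tone not above the noise floor
        digits.append(best)
    return "".join(digits)


def pearson(x, y):
    """Zero-mean normalised correlation of two equal-length sequences."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sxx = syy = 0.0
    for a, b in zip(x, y):
        da, db = a - mx, b - my
        sxy += da * db
        sxx += da * da
        syy += db * db
    return sxy / math.sqrt(sxx * syy) if sxx > 0 and syy > 0 else 0.0


def peak_xcorr(a, b, max_lag):
    """Best normalised cross-correlation of a and b over alignments of up to max_lag samples."""
    best = -1.0
    for lag in range(-max_lag, max_lag + 1):
        x, y = (a[lag:], b) if lag >= 0 else (a, b[-lag:])
        n = min(len(x), len(y))
        best = max(best, pearson(x[:n], y[:n]))
    return best


def verify_login(code, terminal_rec, watch_rec):
    """Listening-Watch rule: the watch must have heard this code, and the recordings must match."""
    heard = decode_code(watch_rec, len(code))
    if heard != code:
        return False, "code check failed (watch heard %r)" % heard
    sim = peak_xcorr(terminal_rec, watch_rec, MAX_LAG)
    if sim < CORR_THRESHOLD:
        return False, "proximity check failed (similarity %.2f)" % sim
    return True, "accepted (similarity %.2f)" % sim


def run_scenarios(seed=7):
    """Constructed scenarios; returns {name: accepted?}."""
    rng = random.Random(seed)
    code = "47291"                                     # the browser's fresh random code
    playback = synth_code(code)
    terminal = mic_capture(playback, 1.0, 0.05, rng)   # terminal's own microphone
    scenarios = {
        # honest user: watch a few centimetres from the speaker, slightly delayed
        "legit": mic_capture(playback, 0.8, 0.05, rng, offset=40),
        # remote attacker: the user's watch only ever hears the user's own room
        "remote": [rng.gauss(0.0, 0.2) for _ in range(len(terminal))],
        # proximity attacker: code played metres away, low-sensitivity mic hears almost nothing
        "near_far": mic_capture(playback, 0.001, 0.05, rng, offset=40),
        # replay of a previous session's code: loud and clear, but the wrong code
        "replay": mic_capture(synth_code("31415"), 0.8, 0.05, rng, offset=40),
    }
    return {name: verify_login(code, terminal, rec)[0] for name, rec in scenarios.items()}


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(name, "ACCEPT" if ok else "REJECT")
```

Only the honest-user recording reaches the correlation step; the other three are rejected by the code check first, which is the point of a per-login random code: an attacker's terminal must get its own fresh code into the victim's watch recording, and a relayed or replayed recording of an old code does not help. Swapping the tone decoder for a real speech-to-text call and the synthetic waveforms for microphone captures leaves `verify_login` unchanged.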
The researchers explained on the UAB SPIES site:
Unlike traditional TFA, Listening-Watch does not require the users to perform any actions while attempting to log in to the system except entering their credentials. Interaction may be needed only in occasional cases where the terminal cannot play back audio and requires a fallback authentication process. Although there is the presence of active sounds in the authentication process, Listening-Watch does not require the user to interact with the second authentication factor. So Listening-Watch is effectively a minimal-interaction approach that significantly reduces the interaction between the user and the authenticating token.
According to the research paper “Listening-Watch: Wearable Two-Factor Authentication using Speech Signals Resilient to Near-Far Attack” (pdf), “At its core, Listening-Watch uses speech transcription and audio correlation analysis to extract the verification code and determine the proximity between the watch and the terminal. Although Listening-Watch creates an active sound that may be distractive to the user in contrast to traditional password-only authentication, it significantly enhances the security of the authentication system (to a level equivalent to that of traditional TFA schemes) without imposing much burden on the user.”