ABSTRACT
Reducing the user effort involved in traditional two-factor authentication (TFA) is an important research topic. A recent effort in this direction leverages ambient sounds to detect proximity between the second-factor device (phone) and the login terminal (browser), eliminating the need for the user to transfer PIN codes. This approach is highly usable, but it is vulnerable to far-near attackers, i.e., both remote attackers who can guess the victim's audio environment or make the phone produce predictable sounds (e.g., ringers), and attackers in physical proximity of the user.
In this paper, we propose Listening-Watch, a new TFA mechanism based on a wearable device (watch/bracelet) and active, browser-generated random speech sounds. As the user attempts to log in, the browser generates and plays a short random code encoded as speech; the login succeeds if the watch's audio recording contains this code (decoded using speech recognition) and is similar enough to the browser's audio recording. The remote attacker, who has guessed the user's environment or created predictable phone/watch sounds, is defeated because authentication success depends on the presence of the random code in the watch's recording. The proximity attacker is also defeated unless it is extremely close to the watch, since wearable microphones are usually designed to pick up only nearby sounds (e.g., voice commands). Furthermore, because the second factor is a wearable device, Listening-Watch naturally provides two-factor security even when logging in from a mobile phone.
Our contributions are three-fold. First, we introduce the idea of strong and low-effort TFA based on wearable devices, active speech sounds and speech recognition, giving rise to the Listening-Watch system, which is secure against both remote and proximity attackers. Second, we design and implement Listening-Watch for an Android smartwatch (and companion smartphone) and the Chrome browser, without the need for any browser plugins. Third, we evaluate Listening-Watch for authentication errors in both benign and adversarial settings. Our results show that Listening-Watch yields minimal errors in both settings given appropriate threshold selection and speaker volume levels.
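The server-side decision the abstract describes has two independent checks: the watch's transcript must contain the browser's random code, and the watch's recording must correlate with the browser's own recording. The following is an added example written for this page, not code from the paper or from the authors' implementation, that models both checks in Python. It assumes speech recognition is an external service whose transcript is passed in as text; the digit-word table, the normalised cross-correlation similarity metric with a lag window, the thresholds, and all audio samples are constructed for illustration.

```python
"""Verification step of a Listening-Watch style login, modelled in Python.

Constructed example: the browser plays a random spoken code, the watch records
it, and the verifier requires (1) the code in the watch's ASR transcript and
(2) a high correlation between the watch and browser recordings.
"""
import math
import random
import re
import secrets

NUMBER_WORDS = ["zero", "one", "two", "three", "four",
                "five", "six", "seven", "eight", "nine"]
# Spoken-digit vocabulary plus a few homophones an ASR engine might emit
# (assumed set, not from the paper).
DIGIT_WORDS = {w: str(i) for i, w in enumerate(NUMBER_WORDS)}
DIGIT_WORDS.update({"oh": "0", "for": "4", "to": "2", "too": "2", "ate": "8"})


def generate_code(n_digits=4):
    """Browser side: draw the one-time numeric code from a CSPRNG."""
    return "".join(secrets.choice("0123456789") for _ in range(n_digits))


def code_to_speech_text(code):
    """Text handed to text-to-speech, one word per digit."""
    return " ".join(NUMBER_WORDS[int(d)] for d in code)


def normalize_transcript(transcript):
    """Map digit words and numerals to digits; any other word becomes a
    separator so scattered digits cannot be joined into the code."""
    out = []
    for tok in re.findall(r"[a-z]+|\d+", transcript.lower()):
        if tok.isdigit():
            out.append(tok)
        else:
            out.append(DIGIT_WORDS.get(tok, "|"))
    return "".join(out)


def transcript_contains_code(transcript, code):
    """Check 1: the code must appear contiguously in the transcript."""
    return code in normalize_transcript(transcript)


def _zero_mean_unit_norm(x):
    m = sum(x) / len(x)
    c = [v - m for v in x]
    n = math.sqrt(sum(v * v for v in c)) or 1.0
    return [v / n for v in c]


def max_cross_correlation(a, b, max_lag):
    """Check 2 metric: best normalised cross-correlation of b against a over
    lags in [-max_lag, max_lag]; values lie in [-1, 1]."""
    a, b = _zero_mean_unit_norm(a), _zero_mean_unit_norm(b)
    best = -1.0
    for lag in range(-max_lag, max_lag + 1):
        s = 0.0
        for i in range(len(a)):
            j = i + lag
            if 0 <= j < len(b):
                s += a[i] * b[j]
        best = max(best, s)
    return best


def verify_login(code, watch_transcript, browser_audio, watch_audio,
                 sim_threshold=0.5, max_lag=20):
    """Both checks must pass. Returns (accepted, reason)."""
    if not transcript_contains_code(watch_transcript, code):
        return False, "code not found in watch transcript"
    sim = max_cross_correlation(browser_audio, watch_audio, max_lag)
    if sim < sim_threshold:
        return False, "recordings too dissimilar (%.2f < %.2f)" % (sim, sim_threshold)
    return True, "code present and recordings similar (%.2f)" % sim


# Constructed audio: a few tones plus noise stand in for the browser's sound.
def make_sample_audio(n=400, seed=1):
    rng = random.Random(seed)
    tones = [(1.0, 0.013), (0.6, 0.047), (0.4, 0.11)]  # (amplitude, cycles/sample)
    sig = [sum(a * math.sin(2 * math.pi * f * i) for a, f in tones) for i in range(n)]
    return [v + 0.2 * rng.gauss(0, 1) for v in sig]


def make_noise_audio(n=400, seed=5):
    """A recording with no relation to the browser's sound."""
    rng = random.Random(seed)
    return [rng.gauss(0, 1) for _ in range(n)]


def simulate_watch_recording(browser_audio, delay=7, gain=0.4, noise=0.1, seed=2):
    """Watch side: delayed, attenuated copy of the browser sound plus mic noise."""
    rng = random.Random(seed)
    rec = []
    for i in range(len(browser_audio)):
        src = browser_audio[i - delay] if i - delay >= 0 else 0.0
        rec.append(gain * src + noise * rng.gauss(0, 1))
    return rec


def demo():
    """Honest login versus a remote attacker who guessed the environment."""
    code = generate_code()
    browser = make_sample_audio()
    watch = simulate_watch_recording(browser)
    honest = verify_login(code, "the code is " + code_to_speech_text(code), browser, watch)
    # The remote attacker can mimic the audio environment but not the code.
    remote = verify_login(code, "nine nine nine nine", browser, watch)
    return honest[0], remote[0]
```

Unknown words are treated as separators on purpose: a transcript such as "three seven um one nine" is rejected rather than accepted, trading a small false-reject risk for a smaller false-accept surface.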