Sound-based Two-Factor Authentication: Vulnerabilities and Redesign

IF 3 4区计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS

ACM Transactions on Privacy and Security Pub Date : 2023-11-11 DOI:10.1145/3632175

Prakash Shrestha, Ahmed Tanvir Mahdad, Nitesh Saxena

{"title":"Sound-based Two-Factor Authentication: Vulnerabilities and Redesign","authors":"Prakash Shrestha, Ahmed Tanvir Mahdad, Nitesh Saxena","doi":"10.1145/3632175","DOIUrl":null,"url":null,"abstract":"Reducing the level of user effort involved in traditional two-factor authentication (TFA) constitutes an important research topic. An interesting representative approach, Sound-Proof , leverages ambient sounds to detect the proximity between the second-factor device (phone) and the login terminal (browser), and eliminates the need for the user to transfer PIN codes. In this paper, we identify a weakness of the Sound-Proof system that makes it completely vulnerable to passive “environment guessing” and active “environment manipulating” remote attackers and proximity attackers. Addressing these security issues, we propose Listening-Watch , a new TFA mechanism based on a wearable device (watch/bracelet) and active browser-generated random speech sounds. As the user attempts to log in, the browser populates a short random code encoded into speech, and the login succeeds if the watch’s audio recording contains this code (decoded using speech recognition ), and is similar enough to the browser’s audio recording. The remote attacker, who has guessed/manipulated the user’s environment, will be defeated since authentication success relies upon the presence of the random code in watch’s recordings. The proximity attacker will also be defeated unless it is extremely close (< 50 cm) to the watch since the wearable microphones are usually designed to capture only nearby sounds (e.g., voice commands).","PeriodicalId":56050,"journal":{"name":"ACM Transactions on Privacy and Security","volume":"1 6","pages":"0"},"PeriodicalIF":3.0000,"publicationDate":"2023-11-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"ACM Transactions on Privacy and Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3632175","RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Reducing the level of user effort involved in traditional two-factor authentication (TFA) constitutes an important research topic. An interesting representative approach, Sound-Proof , leverages ambient sounds to detect the proximity between the second-factor device (phone) and the login terminal (browser), and eliminates the need for the user to transfer PIN codes. In this paper, we identify a weakness of the Sound-Proof system that makes it completely vulnerable to passive “environment guessing” and active “environment manipulating” remote attackers and proximity attackers. Addressing these security issues, we propose Listening-Watch , a new TFA mechanism based on a wearable device (watch/bracelet) and active browser-generated random speech sounds. As the user attempts to log in, the browser populates a short random code encoded into speech, and the login succeeds if the watch’s audio recording contains this code (decoded using speech recognition ), and is similar enough to the browser’s audio recording. The remote attacker, who has guessed/manipulated the user’s environment, will be defeated since authentication success relies upon the presence of the random code in watch’s recordings. The proximity attacker will also be defeated unless it is extremely close (< 50 cm) to the watch since the wearable microphones are usually designed to capture only nearby sounds (e.g., voice commands).

查看原文本刊更多论文

基于声音的双因素身份验证:漏洞和重新设计

减少传统的双因素身份验证(TFA)所涉及的用户工作量是一个重要的研究课题。一种有趣的代表性方法，Sound-Proof，利用环境声音来检测第二因素设备(电话)和登录终端(浏览器)之间的接近程度，并且消除了用户传输PIN码的需要。在本文中，我们确定了隔音系统的一个弱点，使其完全容易受到被动的“环境猜测”和主动的“环境操纵”远程攻击者和近距离攻击者的攻击。为了解决这些安全问题，我们提出了listen - watch，一种基于可穿戴设备(手表/手环)和主动浏览器生成随机语音的新TFA机制。当用户尝试登录时，浏览器将填充一个短的随机代码编码为语音，如果手表的音频记录包含此代码(使用语音识别解码)，并且与浏览器的音频记录足够相似，则登录成功。远程攻击者，谁已经猜到/操纵用户的环境，将被击败，因为身份验证的成功依赖于手表的记录中随机代码的存在。近距离攻击者也将被击败，除非它非常接近(<50厘米)，因为可穿戴式麦克风通常被设计为只捕捉附近的声音(例如语音命令)。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

ACM Transactions on Privacy and Security Computer Science-General Computer Science

CiteScore

5.20

自引率

0.00%

发文量

期刊介绍： ACM Transactions on Privacy and Security (TOPS) (formerly known as TISSEC) publishes high-quality research results in the fields of information and system security and privacy. Studies addressing all aspects of these fields are welcomed, ranging from technologies, to systems and applications, to the crafting of policies.