The term two-factor authentication is known for the majority of active users of the Internet. It is available on a variety of well-established websites conducting the work with the data of users: in social networks, email services, online banking. But unfortunately, not all the users use the benefits of this type of authentication. The most frequently this occurs because of some inconvenience with the standard 2FA procedure.
The main reason of the inconvenience is that for getting a one-time password a user has to receive an SMS on his phone or to generate it with the help of software or hardware token.
If you are using SMS authentication it is required:
- to have the phone by your side;
- to gave a stable signal of mobile connection (which is available not always and not everywhere);
- some efforts from the user: to unlock the phone, to read the message, to enter the received OTP code in the browser and to send the confirmation form.
If you are using tokens, there are a number of other inconveniences:
- to get the token you must go to the bank;
- you always need to have the device with you;
- the PIN-code of the token should be kept in mind (or written down in a safe place);
- you have to make sure that the token will not be lost.
As the practice shows, not everyone is ready for such sacrifices – even for their own safety. Therefore, software developers and experts on data protection are constantly improving the means of authentication, in every way trying to make the process easier for the owners of the accounts.
For example, biometric authentication methods (retinal scans, fingerprints, selfie authentication) are actively developed. And not so long ago a team in Zurich, working in the ETH, invented a new way in which the two-factor authentication is performed automatically and does not require any effort, except the installation of a single application on a smartphone. This technology is called ‘Sound-Proof’, and it is based on the recording and further comparison of background noise at the location of the user.
How the protection of data by this method is implemented?
When there is an attempt to enter the site that supports the ‘Sound-Proof’ method, the application installed on the phone is recording the background noise for three seconds at the place where the user is located. At the same time, the computer microphone is also recording the noise. Then the recordings are being matched on the server. If the background noises are the same, this means that both devices (the computer and the smartphone) are in one place, and data protection system allows entry into account.
To navigate the system it is not necessary to install any software on the computer, you just must have the application on your phone or tablet and permit your browser to use the microphone. That means that you can carry out authorization from someone else’s laptop or computer (for example, in a cafe). Even the phone itself does not need to be taken with you: the app works independently in the background. However, the smartphone or tablet should be connected to the network by the Wi-Fi or mobile internet.
Judging by the number of users, the efforts spent for the authentication process (or rather, lack of it) – this method is almost perfect. But is it really perfect in everything?
Some disadvantages of new technology
- If the site that uses a comparison of background noises will be visited frequently, the implementation of the method may require the processing of large amounts of data servers. It means that a very powerful and expensive equipment will be required.
- The quality of the phone’s and the computer’s microphones can be quite different so the recordings of the noise can also differ. Moreover, some computers do not have a microphone at all.
- In the case when malicious efforts are aimed at a certain person, it will be easy for the hacker to come at the same place as the potential victim is. Then background noises will match.
- A hacker can carry out auto-entering and log in after comparing noises on the server, pretending to be the user. It’s possible since with such a method of authentication no other data, except the background noise, is analyzed. (In contrast to the CWYS function, used in the OCRA algorithm, which takes into account the number of additional parameters of the specific transaction). Moreover, since the application works in the background, the user can learn that his account was hacked only when his funds have gone to another account and it will not be possible to cancel the operation.
- It should not be forgotten that in the course of such authorization the probabilistic assessment is applied. This means that using a certain threshold, which helps to define the coincidence of two recordings of sound, is likely to make a mistake, denying the correct conclusion or accepting a false one.
Is it worth to use this method of authentication?
To log into some accounts, mainly entertainment ones, a method of comparing the background noise can be quite convenient. It is unlikely that a hacker will follow on the user in the coffee shop or in another public place to hack his/her Facebook account.
As for accounts that provide access to financial transactions, there is a need in more reliable and proven authentication methods. The best solution is still the OTP token. The advantage of this method is not only in its high reliability but also in the possibility to configure the authentication procedure according to the needs of the client.
Thus, products of the Protectimus company include both the data signing function (CWYS), with which two-factor authentication becomes even more reliable and can protect the user from data modification, Automated Transfer System and replacement, and the intellectual identification, which is able to make the entry to the account easier in some cases.
There are various authentication technologies, and only the client has the right to decide which one is the most appropriate in every particular case. It is necessary to remember that you do not always have to choose the most simple and the least burdensome way because securely protected data is not worth saving neither time nor money.