So new this week is the idea of “Sound Proof” authentication. The idea is that the microphone on your device would listen to the background noise where you are and determine if you are who you say you are.
From one standpoint, it sounds great: you don’t need to enter anything or do anything; it’s automatic and can supposedly even work while in a bag. How can 2FA get any simpler? It knows where you are, and lets you in.
But the problems seem obvious, so I’ll stick to a few big ones. Let’s start with this: how does it know it’s you who has the phone? What if someone takes it and, having followed me, knows where I use it (say the local Peet’s), and tries to log in? How does it know I’m at the Peet’s anyway? Is that because it’s using GPS and Wi-Fi data, which could be used for location-based authentication without the background noise?
For another one, how about knowing when I need to authenticate? If it can be used while still in a bag, that implies it could be used to verify me without me actually using it, but that means the microphone needs to be on ALL THE TIME! Aside from the battery issue of doing this, that means it’s always listening (and you thought the Samsung TV and the Amazon Echo were bad; you take your phone with you everywhere, not just around your house). The authors note that it needs to look only for sound signatures because of privacy concerns, but how much can you trust someone in the cloud not to start listening in on anything you are doing just so you can have an easier login? Maybe you should just set it up for voice login, and be able to just say out loud “Log Me In Now” and then it would know.
These are just a few obvious points. Everyone wants to come up with a better way to authenticate, with less hassle for the user and a better experience. That’s great, but sometimes we need to be cautious and stick with a slower approach to security. GreenRADIUS 2FA may not be sexy, but supporting YubiKeys, passwords and OATH in one simple package provides a lot of flexibility to move forward with higher-security authentication in a safe, private way.