Abstract

Mobile two-factor authentication (TFA), which uses mobile devices as a second layer of protection for online accounts, has been widely applied with the proliferation of mobile phones. Currently, many studies propose to use acoustic fingerprints as the second factor. However, these solutions ignore the variations that the acoustic propagation process introduces into the extracted static acoustic fingerprints, which we show can be leveraged to develop an enhanced man-in-the-middle (MITM) attack that compromises the security strength of these systems while hiding the traces of the attacking devices. To address this newly uncovered vulnerability, we propose SoundID, a secure and novel authentication system that introduces a dual challenge-response design through the acoustic signals of the enrolled phone and the login device. Specifically, the enrolled phone first evaluates its proximity to the login device by the similarity of their audio recordings, and then the login authentication server compares the calculated dynamic acoustic fingerprint with the one received from the enrolled phone. To the best of our knowledge, SoundID is the first scheme that extracts dynamic acoustic fingerprints and can effectively defend against the enhanced MITM attack. SoundID combines the benefits of unpredictable influencing factors of acoustic propagation processes and the stable frequency response of the acoustic hardware, whose high complexity prevents attackers from predicting or impersonating them. We build a prototype of SoundID with off-the-shelf smartphones to validate its robustness and effectiveness. Our results show that SoundID is user-friendly and achieves over 96.62% accuracy with an equal error rate around 4.27%.
