A team of security researchers recently turned an innovative new attack on its head and used it to pioneer a new form of two-factor authentication that could make the service more accessible for people with disabilities and easier for average users. We spoke with Yossi Oren, Senior Lecturer at Ben-Gurion University of the Negev, about the breakthrough.
You can watch the video interview above or read the transcript below.
Oren said, "People already know that passwords are not a good way to protect your accounts, [because] when somebody steals your password you're gone for. So people are starting to use what's called two-factor authentication, which is something you know and something you have. You type in your password and then you have to type in an extra code, which used to be sent over text message, but there's now something very terrible called SIM jacking, which means you have to find another way to get these digits to you. But the idea is that you go to a website, you go to a service, and you have to recall your password, and then you have this device which has six digits on it. You have to look at these digits, memorize them, and then put them into your phone or your computer to log in.
"And the problem is that this process of looking at these digits, memorizing them, and typing them in, which sounds so very simple, is not so simple if you are a disabled user. Some people don't have the vision required to see these digits. Some people don't have the ability to memorize six digits for the 30 seconds it takes to copy them from one device to the other. And some people don't have the fine motor skills required to log in, to punch in these digits. How do we let these people use two-factor authentication with dignity and with privacy?"
Oren continued, "What we did is we found a way to send this two-factor authentication code using ultrasonic vibrations. It's something we discovered as part of an attack. What you basically do to log in is you take a device, which we are prototyping right now, which is going to be the size of a coin. It's now the size of a soap bar, but we're working on shrinking it. You take it to your phone, and just touch them together. Three seconds, that's all it takes for this token to pass from this device to your phone.
"And what's nice is the method we're using, ultrasonic vibrations, works on phones you have today, on laptops, on tablets you have today. You don't have to buy new hardware, you don't have to install new software, you don't have to get new permissions for your website or whatever. So any website, any app which uses two-factor authentication can use this to allow disabled users to log in with dignity and privacy."
He said, "In 2015 a group of researchers in the Korean Military Academy discovered that if you play sound at a very specific frequency to drones they start rocking and falling out of the sky. And what happens is that there's a sensor in the drones called a gyroscope, which kind of goes crazy when you play ultrasonic vibrations to this device. And we were thinking how could we use this constructively, because these gyroscopes are not only on drones, but they're on all of our phones. We use it to shake our phones to win a prize [in some games], or whatever.
"So we miniaturized this ultrasonic emitter. We found an emitter which is very small, very low powered. We found the place on the phone where the gyroscope is located. When you touch them together, when we turn on this ultrasonic vibration, the phone gyroscope goes crazy. We turn it off, it relaxes. We can turn it off and turn it on hundreds of times per second, and the phone actually receives these vibrations and turns them into a signal. The signal is the two-factor authentication."
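The on/off keying Oren describes, where the emitter is switched on and off and the phone's gyroscope readings are turned back into bits, can be simulated end to end. The following is an added illustration, not the researchers' code: it assumes a 1 kHz gyroscope sample rate, 100 bits per second, BCD encoding of the six digits, and that bit timing has already been synchronised; the gyroscope samples are constructed, not captured.

```python
import random

SAMPLE_RATE = 1000            # assumed gyroscope sample rate in Hz
BIT_RATE = 100                # assumed on/off keying rate in bits per second
SAMPLES_PER_BIT = SAMPLE_RATE // BIT_RATE


def encode_code(code: str) -> list[int]:
    """Encode a numeric 2FA code as BCD bits, 4 bits per digit, MSB first."""
    bits = []
    for ch in code:
        value = int(ch)
        bits.extend((value >> shift) & 1 for shift in (3, 2, 1, 0))
    return bits


def simulate_gyro(bits: list[int], seed: int = 1) -> list[float]:
    """Constructed gyroscope magnitude samples: emitter on drives the sensor
    into large erratic readings (resonance), emitter off leaves it near zero."""
    rng = random.Random(seed)
    samples = []
    for bit in bits:
        for _ in range(SAMPLES_PER_BIT):
            if bit:
                samples.append(1.0 + rng.gauss(0.0, 0.3))   # "goes crazy"
            else:
                samples.append(rng.gauss(0.0, 0.05))         # "relaxes"
    return samples


def demodulate(samples: list[float], threshold: float = 0.4) -> list[int]:
    """Energy detector: average |reading| over one bit period and threshold it."""
    bits = []
    for start in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        window = samples[start:start + SAMPLES_PER_BIT]
        energy = sum(abs(s) for s in window) / len(window)
        bits.append(1 if energy > threshold else 0)
    return bits


def decode_code(bits: list[int], digits: int = 6) -> str:
    """Reassemble BCD nibbles into the code; reject anything that is not a
    valid digit or the wrong length, so a corrupted reading fails closed."""
    if len(bits) < 4 * digits:
        raise ValueError("too few bits for a %d-digit code" % digits)
    out = []
    for i in range(0, 4 * digits, 4):
        value = bits[i] << 3 | bits[i + 1] << 2 | bits[i + 2] << 1 | bits[i + 3]
        if value > 9:
            raise ValueError("invalid BCD nibble at bit %d" % i)
        out.append(str(value))
    return "".join(out)
```

Because the receiver is the phone's existing gyroscope, no app permission or new hardware is needed, which is the point Oren makes; the physical contact requirement is what keeps the channel short-range.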
Jason Hiner has nothing to disclose. He doesn't hold investments in the technology companies he covers.
Jason Hiner is Global Editor in Chief of TechRepublic and Global Long Form Editor of ZDNet. He's co-author of the book, Follow the Geeks.