Authentication & Security

Sound May Replace OTP as Second Factor of Authentication

Two-factor authentication (2FA), though not cool, is essential. 2FA protects online accounts from data theft even if the user ID and password are compromised. At present, the second factor of authentication is by and large an OTP (one time password) which the customer gets on his mobile phone either in the form of an email, SMS, or a phone call. Furthermore, these passwords are time bound and, in most cases, are valid for 30 seconds or lower. As a result, most online users still prefer password-only authentication (single-factor authentication) primarily because using 2FA is annoying and requires communication between the user/customer and his phone.

Wouldn’t it be great if we have the two-factor authentication in place, but all of it automated with no/little human intervention? That is exactly what a group of researchers from Swiss Federal Institute of Technology in Zurich, Switzerland have been working to solve. They have come up with a concept known as “Sound-Proof.”

Using Sound-Proof, a user does not require interacting with his phone. In the mechanism, the proximity of the user’s phone is used as the second factor of authentication.  The verification happens by comparing the ambient noise recorded by microphones. The user experience, in this case, is similar to the password-only form of authentication. Researchers currently have built a prototype for both Android and iOS. They have also observed that noise is a robust mechanism to determine the proximity of two devices both indoors and outdoors.

How does Sound-Proof work?

Step 1 (once per website): Set up the phone to enable Sound-Proof and follow the instructions on a Sound-Proof-enabled website to set it up with the smartphone.

Step 2: Login with username and password. The user can keep his phone in his pocket, in the purse, or on the table. Of course, it works in many other places as long as it is close to the user.

Step 3: The phone and PC will automatically record ambient sound for a very short time (~3 seconds). The recordings are compared by the phone. If the recordings match, then the user is logged in.

The “Sound-Proof” system will upload and verify the digital signatures of the sound, as opposed to the actual recording. Hence, privacy is not compromised. However, there seems to be one downside to this solution as it may not work so well with customers using desktops (desktops do not have an in-built microphone). At present, “Sound-Proof” remains a research project. The team is hopeful that it will be able to turn the innovation into a tech startup at some point in the future.


Kate is a staff writer at, , She likes to write about mobile payments and mobile commerce.

Apply to Become a Contributor