The August 2022 issue of IEEE Spectrum is here!

Close bar
Photograph of a computer next to a phone running Cyberus Labs' ELIoT PRO.
Photo: Cyberus Labs

Photograph of a computer next to a phone running Cyberus Labs' ELIoT PRO.Photo: Cyberus Labs

In the golden years before the dot-com crash of 2000, electrical engineer and serial entrepreneur Jack Wolosewicz kept asking people with so-called golden ears whether they could hear his latest creation: audio watermarks. The entertainment industry was all ears to his pitch—ensuring that DVD players or television broadcasters could play only licensed copies of digital files. But when the economy tanked, investors lost interest.

Two decades later, audio watermarks, which are inaudible even to trained audiophiles despite playing at frequencies humans can hear, are at the heart of a new bid to put traditional passwords to rest. That bid, by Wolosewicz’s latest company, Cyberus Labs, consists of using inaudible chirps of audio to establish two-factor authentication between devices without requiring users to enter a password or rely on biometric information such as fingerprints or facial recognition.

Cyberus Labs demonstrated its latest approach this week at MWC Barcelona (formerly called Mobile World Congress), the mobile industry’s largest annual trade show. The company is testing its first-generation systems with commercial partners under nondisclosure agreements, its founders said, and it has a public research and development partnership with Silesian University in Gliwice, Poland.

Passwords are such a pain that they lead to internecine warfare between government agencies over how often workers should change their passwords. The surprising answer, according to the U.S. National Institute for Standards and Technology (NIST) guidelines for civilian government agencies, is never.

Companies that want to offer customers a seamless experience might agree. Cyberus Labs got its start in 2016 by offering clients in the financial technology sector a password-free way to authenticate users. When a user identifies herself to, say, a bank, the bank would ping a Cyberus server, which would send one code to the bank log-in website in the user’s computer browser and another to the user’s mobile phone.

But instead of the user needing to type the code on the phone into the log-in page, one device chirps its audio watermark to the other. The watermark consists of a one-time code that contains an encrypted hash of the two device’s previous interactions. That makes it impossible for hackers to intercept the code from either device and use it to log in later because the system would have generated a brand new pair of codes in that time. “You’d need continuous access to the sequence of codes to defeat it,” Wolosewicz says.

The machine-to-machine aspect of the authentication also means that the codes can be very short-lived, on the order of milliseconds, which narrows the window of opportunity for an attack. A code sent by email or SMS and meant for users to click or type, on the other hand, must be valid for at least a few minutes to allow for network vagaries and human clumsiness.

Audio also has the advantage in that most devices these days are equipped with microphones and speakers. In fact, the Cyberus system would allow banks to offer secure log-ins over voice-activated devices such as Amazon’s Alexa-powered ecosystem. You’d never tell Alexa your password out loud (right?), but your mobile device and Alexa could chirp their inaudible handshakes to each other and nobody but you would be the wiser.

The other advantage of this approach to security is that, unlike an industry-standard 256-bit encryption, it requires very little computing power. Cyberus’s one-time codes are just 32 bits, making them easy to handle for the lowest-power processors at the edge of the Internet of Things, which is the focus of the company’s second-generation product.

The Conversation (0)

How the FCC Settles Radio-Spectrum Turf Wars

Remember the 5G-airport controversy? Here’s how such disputes play out

11 min read
This photo shows a man in the basket of a cherry picker working on an antenna as an airliner passes overhead.

The airline and cellular-phone industries have been at loggerheads over the possibility that 5G transmissions from antennas such as this one, located at Los Angeles International Airport, could interfere with the radar altimeters used in aircraft.

Patrick T. Fallon/AFP/Getty Images

You’ve no doubt seen the scary headlines: Will 5G Cause Planes to Crash? They appeared late last year, after the U.S. Federal Aviation Administration warned that new 5G services from AT&T and Verizon might interfere with the radar altimeters that airplane pilots rely on to land safely. Not true, said AT&T and Verizon, with the backing of the U.S. Federal Communications Commission, which had authorized 5G. The altimeters are safe, they maintained. Air travelers didn’t know what to believe.

Another recent FCC decision had also created a controversy about public safety: okaying Wi-Fi devices in a 6-gigahertz frequency band long used by point-to-point microwave systems to carry safety-critical data. The microwave operators predicted that the Wi-Fi devices would disrupt their systems; the Wi-Fi interests insisted they would not. (As an attorney, I represented a microwave-industry group in the ensuing legal dispute.)

Keep Reading ↓Show less