Forget Passwords—Audio Watermarks Could Be Easier to Use and More Secure

The sound of security may be the sound of…silence

3 min read
Photograph of a computer next to a phone running Cyberus Labs' ELIoT PRO.
Photo: Cyberus Labs

Photograph of a computer next to a phone running Cyberus Labs' ELIoT PRO.Photo: Cyberus Labs

In the golden years before the dot-com crash of 2000, electrical engineer and serial entrepreneur Jack Wolosewicz kept asking people with so-called golden ears whether they could hear his latest creation: audio watermarks. The entertainment industry was all ears to his pitch—ensuring that DVD players or television broadcasters could play only licensed copies of digital files. But when the economy tanked, investors lost interest.

Two decades later, audio watermarks, which are inaudible even to trained audiophiles despite playing at frequencies humans can hear, are at the heart of a new bid to put traditional passwords to rest. That bid, by Wolosewicz’s latest company, Cyberus Labs, consists of using inaudible chirps of audio to establish two-factor authentication between devices without requiring users to enter a password or rely on biometric information such as fingerprints or facial recognition.

Cyberus Labs demonstrated its latest approach this week at MWC Barcelona (formerly called Mobile World Congress), the mobile industry’s largest annual trade show. The company is testing its first-generation systems with commercial partners under nondisclosure agreements, its founders said, and it has a public research and development partnership with Silesian University in Gliwice, Poland.

Passwords are such a pain that they lead to internecine warfare between government agencies over how often workers should change their passwords. The surprising answer, according to the U.S. National Institute for Standards and Technology (NIST) guidelines for civilian government agencies, is never.

Companies that want to offer customers a seamless experience might agree. Cyberus Labs got its start in 2016 by offering clients in the financial technology sector a password-free way to authenticate users. When a user identifies herself to, say, a bank, the bank would ping a Cyberus server, which would send one code to the bank log-in website in the user’s computer browser and another to the user’s mobile phone.

But instead of the user needing to type the code on the phone into the log-in page, one device chirps its audio watermark to the other. The watermark consists of a one-time code that contains an encrypted hash of the two device’s previous interactions. That makes it impossible for hackers to intercept the code from either device and use it to log in later because the system would have generated a brand new pair of codes in that time. “You’d need continuous access to the sequence of codes to defeat it,” Wolosewicz says.

The machine-to-machine aspect of the authentication also means that the codes can be very short-lived, on the order of milliseconds, which narrows the window of opportunity for an attack. A code sent by email or SMS and meant for users to click or type, on the other hand, must be valid for at least a few minutes to allow for network vagaries and human clumsiness.

Audio also has the advantage in that most devices these days are equipped with microphones and speakers. In fact, the Cyberus system would allow banks to offer secure log-ins over voice-activated devices such as Amazon’s Alexa-powered ecosystem. You’d never tell Alexa your password out loud (right?), but your mobile device and Alexa could chirp their inaudible handshakes to each other and nobody but you would be the wiser.

The other advantage of this approach to security is that, unlike an industry-standard 256-bit encryption, it requires very little computing power. Cyberus’s one-time codes are just 32 bits, making them easy to handle for the lowest-power processors at the edge of the Internet of Things, which is the focus of the company’s second-generation product.

The Conversation (0)

How Police Exploited the Capitol Riot’s Digital Records

Forensic technology is powerful, but is it worth the privacy trade-offs?

11 min read
 Illustration of the silhouette of a person with upraised arm holding a cellphone in front of the U.S. Capitol building. Superimposed on the head is a green matrix, which represents data points used for facial recognition
Gabriel Zimmer

The group of well-dressed young men who gathered on the outskirts of Baltimore on the night of 5 January 2021 hardly looked like extremists. But the next day, prosecutors allege, they would all breach the United States Capitol during the deadly insurrection. Several would loot and destroy media equipment, and one would assault a policeman.

No strangers to protest, the men, members of the America First movement, diligently donned masks to obscure their faces. None boasted of their exploits on social media, and none of their friends or family would come forward to denounce them. But on 5 January, they made one piping hot, family-size mistake: They shared a pizza.

Keep Reading ↓Show less