In the golden years before the dot-com crash of 2000, electrical engineer and serial entrepreneur Jack Wolosewicz kept asking people with so-called golden ears whether they could hear his latest creation: audio watermarks. The entertainment industry was all ears to his pitch—ensuring that DVD players or television broadcasters could play only licensed copies of digital files. But when the economy tanked, investors lost interest.
Two decades later, audio watermarks, which are inaudible even to trained audiophiles despite playing at frequencies humans can hear, are at the heart of a new bid to put traditional passwords to rest. That bid, by Wolosewicz’s latest company, Cyberus Labs, consists of using inaudible chirps of audio to establish two-factor authentication between devices without requiring users to enter a password or rely on biometric information such as fingerprints or facial recognition.
Cyberus Labs demonstrated its latest approach this week at MWC Barcelona (formerly called Mobile World Congress), the mobile industry’s largest annual trade show. The company is testing its first-generation systems with commercial partners under nondisclosure agreements, its founders said, and it has a public research and development partnership with Silesian University in Gliwice, Poland.
Passwords are such a pain that they lead to internecine warfare between government agencies over how often workers should change their passwords. The surprising answer, according to the U.S. National Institute for Standards and Technology (NIST) guidelines for civilian government agencies, is never.
Companies that want to offer customers a seamless experience might agree. Cyberus Labs got its start in 2016 by offering clients in the financial technology sector a password-free way to authenticate users. When a user identifies herself to, say, a bank, the bank would ping a Cyberus server, which would send one code to the bank log-in website in the user’s computer browser and another to the user’s mobile phone.
But instead of the user needing to type the code on the phone into the log-in page, one device chirps its audio watermark to the other. The watermark consists of a one-time code that contains an encrypted hash of the two device’s previous interactions. That makes it impossible for hackers to intercept the code from either device and use it to log in later because the system would have generated a brand new pair of codes in that time. “You’d need continuous access to the sequence of codes to defeat it,” Wolosewicz says.
The machine-to-machine aspect of the authentication also means that the codes can be very short-lived, on the order of milliseconds, which narrows the window of opportunity for an attack. A code sent by email or SMS and meant for users to click or type, on the other hand, must be valid for at least a few minutes to allow for network vagaries and human clumsiness.
Audio also has the advantage in that most devices these days are equipped with microphones and speakers. In fact, the Cyberus system would allow banks to offer secure log-ins over voice-activated devices such as Amazon’s Alexa-powered ecosystem. You’d never tell Alexa your password out loud (right?), but your mobile device and Alexa could chirp their inaudible handshakes to each other and nobody but you would be the wiser.
The other advantage of this approach to security is that, unlike an industry-standard 256-bit encryption, it requires very little computing power. Cyberus’s one-time codes are just 32 bits, making them easy to handle for the lowest-power processors at the edge of the Internet of Things, which is the focus of the company’s second-generation product.