Spotify & Two Factor Authentication Based on Ambient Sound

UX  Case Study

‍

‍

Computer security is a hot topic. Modern societies are highly dependent on digital technology. It offers great benefits, convenience and connectivity. But this also makes us vulnerable — via unintended and intended (malicious) failures. Clearly, the bad guys have gone digital. Defence is typically more difficult than attack. (See The Internet of Things with all sorts of devices connected, monitored, poorly designed and not being maintained.)

In general, security is a question of three factors:

‍

• assets (valuables, datas, accounts, money)
• their controls, which make sure that good guys can access the assets, but not the bad guys
• implicitly, there is a malicious attacker that is trying to get unintended access

How is this all relevant to Spotify?

The Problem

Streaming services are in a huge risk of cyber attacks.

“Netflix and Spotify are most likely to be hacked.” (Forbes)

“The survey was carried out by cybersecurity company Dynarisk, which used data obtained from the dark web and hacker communities.

‍

‍

The firm outlines how this data is shared among criminal communities as they seek ways to abuse or monetise the stolen records. This data is often combined with other information in an attempt to form a picture of individuals for identity theft.

“Unfortunately, the ugly truth is that the more prolific a brand, the more attractive it is to cyber criminals,” DynaRisk said in a press release. “Hackers will target bigger brands to not only steal valuable information, but also to demonstrate their skills to peers within the criminal community.

“There are also monetary benefits; Netflix and Spotify are the perfect target for criminals who can resell stolen credentials to willing customers who want an account a fraction of the retail cost.”

How does Spotify currently protect the security of its customers?

One thing that the research founds is re-setting the passwords of the users’ accounts, which have actually been already breached. Such a lists are pending online — HaveIBeenPwned.com is one of the most useful sites on the internet. It gathers information on all the major data breaches and by inputting your email address you can check to see if your details have been included.

Spotify runs through those breached lists of datas and resets users’ passwords proactively. Just after that the user is informed via email.

The question is: Is there a safer and user-friendlier way to meet the current security standards? Is there a way to handle the control of Spotify account to the customer? The answer is simple: Yes, of course there is!

It’s been already a while since premium Spotify users demanded the Two Step Authentication from Spotify. This is not available. Yet.

In this case study we designed, prototyped and tested this basic security feature.

The Solution

Most security systems are comprised of two fundamental pillars:

Identification — claiming you are someone specific. This is analogous to entering an email or username.

Authentication — proving you are who you say you are. A common example of this is entering a password or scanning your fingerprint.

Two-step authentication is a method of confirming a user’s claimed identity by utilising something they know (password) and a second factor. An example of a second step is the user repeating back something that was sent to them through an out-of-band mechanism. Or, the second step might be a six digit number generated by an app that is common to the user and the authentication system.

After extensive research, we came with a new idea based on Study from Nikolaos Karapanos, Claudio Marforio, Claudio Soriente and Srdjan Capkun from Institute of Information Security ETH Zurich:

Usable Two Factor Authentication Based on Ambient Sound

This 2FA is based on two factors:

1. email & password
2. soundcheck (ambient sound)

Ambient sound is the sound that is surrounding us all the time. It can be music playing, people talking in the background , a dog barking, (or user clearing his throat for 2 seconds in the silent environment).

The proximity of the two devices is verified by comparing the ambient noise recorded by their microphones.

No extra interaction between the user and her phone is needed, because sound waves.

How exactly could this work? After setting up 2FA based on ambient sound in user’s trusted device, the login in to any NEW device can only be accessed after the second factor-the sound check. This means after both microphones (the one of trusted and new device) confirm their proximity.

Let’s take this step by step. First, let’s set up the 2FA based on ambient sound in the trusted mobile phone:

‍

‍

In the Settings, the new Security item takes us directly to screen with Two Factor Authentication, and simply confirming the microphone usage during the login in from new device, the device is ready. Toggle and the icon changes the colour into green to inform the user that the device is now protected by two factors.

Let’s have a look how does this second step of authentication look like on the new device. The new device could be a mobile phone, tablet or desktop.

‍

‍

At the first step user signs in as usual using his email and password. His previously setup mobile phone serves as the sound check device and its proximity to the new device is a guarantee for the successful login. Both microphones record exactly the same sound, in the same room and the same moment. After 5 seconds of recording the user is confirmed and lands automatically on his home screen.

Ambient sound 2FA is simple and does not require any extra tokens, authentication apps and text messages. It works even if the mobile phone is in user’s pocket. Therefore it feels like no extra mental load, but basically easy — just like one step authentication.

The attacker that knows the login details will not pass through the second factor — he can never know what is the ambient sound currently surrounding the user-possible victim.

The prototype was tested by users as well as security expert with excellent feedback.

Why is it better than existing solutions?

Text message — fully depends on the mobile operator’s operational security and can be easily breached by wiretapping or SIM cloning

Authentication applications — research confirmed that users don ‘t want to install additional applications into their phones. Another minus is, that all the tokens are stored at one place.

Biometrics — are not secret and they are permanent, irreplaceable and unlike traditional passwords are NOT revocable. Once a biometric attribute such as a face or a voice is compromised, it is compromised for the life of the person.

UX and security are two very specific topics. Users usually do not like extra cognitive load which comes with the security and two factor authentication. Therefore it is often avoided by users and more awareness and education can of course help. As great UX guru Jared M. Spool once said: “If it’s not usable, it’s not secure.”

We believe that Ambient sound two factor authentication could be an innovative way how to improve Spotify’s security and reputation.

Spotify classifies Two Factor Authentication idea currently as Under consideration. If you believe that Two factor authentication for Spotify is a good idea, vote here: https://community.spotify.com/t5/Live-Ideas/Security-2-Factor-Authentication/idi-p/1017889

‍

Read the whole article on Medium.

‍

‍