| Author | Affiliation |
|---|---|
| Dianqi Han | Arizona State University |
| Yimin Chen | Arizona State University |
| Tao Li | Arizona State University |
| Rui Zhang | University of Delaware |
| Yanchao Zhang | Arizona State University |
| Terri Hedgpeth | Arizona State University |
Current mobile two-factor authentication (2FA) solutions all require some form of user effort, which may seriously affect the experience of mobile users. In this paper, the authors propose Proximity-Proof, a secure and usable mobile 2FA system without involving user interactions.
Mobile two-factor authentication (2FA) has become commonplace along with the popularity of mobile devices. Current mobile 2FA solutions all require some form of user effort, which may seriously affect the experience of mobile users, especially senior citizens or those with disabilities, such as visually impaired users. In this paper, we propose Proximity-Proof, a secure and usable mobile 2FA system without involving user interactions. Proximity-Proof automatically transmits a user's 2FA response via inaudible OFDM-modulated acoustic signals to the login browser. We propose a novel technique to extract individual speaker and microphone fingerprints of a mobile device to defend against the powerful man-in-the-middle (MiM) attack. In addition, Proximity-Proof explores two-way acoustic ranging to thwart the colocated attack. To the best of our knowledge, Proximity-Proof is the first mobile 2FA scheme resilient to the MiM and colocated attacks. Our empirical analysis shows that Proximity-Proof is at least as secure as existing mobile 2FA solutions while being highly usable. We also prototype Proximity-Proof and confirm its high security, usability, and efficiency through comprehensive user experiments.