Sound-based Two-factor Authentication: Vulnerabilities and Redesign
ACM Transactions on Privacy and Security (IF 2.3), Pub Date: 2024-01-10, DOI: 10.1145/3632175
Prakash Shrestha¹, Ahmed Tanvir Mahdad², Nitesh Saxena²

Reducing the level of user effort involved in traditional two-factor authentication (TFA) constitutes an important research topic. An interesting representative approach, Sound-Proof, leverages ambient sounds to detect the proximity between the second-factor device (phone) and the login terminal (browser), and it eliminates the need for the user to transfer PIN codes. In this article, we identify a weakness of the Sound-Proof system that makes it completely vulnerable to passive “environment guessing” and active “environment manipulating” remote attackers and to proximity attackers. Addressing these security issues, we propose Listening-Watch, a new TFA mechanism based on a wearable device (watch/bracelet) and active browser-generated random speech sounds. As the user attempts to log in, the browser populates a short random code encoded into speech, and the login succeeds if the watch’s audio recording contains this code (decoded using speech recognition) and is similar enough to the browser’s audio recording. The remote attacker, who has guessed/manipulated the user’s environment, will be defeated, since authentication success relies upon the presence of the random code in the watch’s recording. The proximity attacker will also be defeated unless it is extremely close (<50 cm) to the watch, since wearable microphones are usually designed to capture only nearby sounds (e.g., voice commands).
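The accept/reject rule the abstract describes, as an added Python example that is not the paper's code or the Listening-Watch implementation: the verifier accepts only when the watch's recording decodes to the browser's fresh random code and the two recordings are similar enough. Spoken digits and speech recognition are replaced by one tone per digit detected with a Goertzel filter, the ambient sound and microphone noise are constructed, and the sample rate, thresholds and the three scenario gains (watch next to the browser; remote attacker whose own browser plays the code elsewhere despite a perfect environment guess; proximity attacker beyond the wearable microphone's pickup range) are assumptions chosen for illustration.

```python
"""Verifier-side decision logic for a Listening-Watch style login.
Added example, not code from the paper; spoken digits are replaced by tones."""
import math
import random
import secrets

SAMPLE_RATE = 8000           # Hz (constructed value)
SLOT = 2000                  # samples per digit, 0.25 s (constructed value)
CODE_LENGTH = 4
SIMILARITY_THRESHOLD = 0.6   # assumed; the paper tunes its own threshold
MIN_TONE_FRACTION = 0.1      # share of slot energy a tone needs to count as heard

# Stand-in for text-to-speech: digit d becomes a pure tone at 600 + 100*d Hz.
DIGIT_TONES = {str(d): 600 + 100 * d for d in range(10)}


def generate_code(length=CODE_LENGTH):
    """Server side: a fresh unpredictable code for every login attempt."""
    return "".join(secrets.choice("0123456789") for _ in range(length))


def encode_code(code):
    """Browser side: one tone per digit (stand-in for spoken digits)."""
    return [math.sin(2 * math.pi * DIGIT_TONES[c] * n / SAMPLE_RATE)
            for c in code for n in range(SLOT)]


def goertzel_fraction(samples, freq):
    """Energy of `samples` at `freq` as a fraction of the slot's total energy."""
    coeff = 2 * math.cos(2 * math.pi * freq / SAMPLE_RATE)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    power = s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2
    total = sum(x * x for x in samples)
    return (2 * power / len(samples)) / total if total else 0.0


def decode_code(recording, length=CODE_LENGTH):
    """Stand-in for speech recognition: strongest candidate tone per slot.
    Returns None when a slot has no tone clearly above the noise, so a
    recording of ambient sound alone never decodes to a code."""
    digits = []
    for i in range(length):
        slot = recording[i * SLOT:(i + 1) * SLOT]
        fractions = {d: goertzel_fraction(slot, f) for d, f in DIGIT_TONES.items()}
        best = max(fractions, key=fractions.get)
        if fractions[best] < MIN_TONE_FRACTION:
            return None
        digits.append(best)
    return "".join(digits)


def similarity(a, b):
    """Zero-lag Pearson correlation (a deployed system would also align lags)."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return cov / math.sqrt(va * vb) if va and vb else 0.0


def verify_login(expected_code, browser_rec, watch_rec):
    """Accept only if the watch heard the code AND both recordings match."""
    decoded = decode_code(watch_rec, len(expected_code))
    sim = similarity(browser_rec, watch_rec)
    code_ok = decoded == expected_code
    return {"decoded": decoded, "code_ok": code_ok, "similarity": sim,
            "accepted": code_ok and sim >= SIMILARITY_THRESHOLD}


def simulate(scenario, seed=7):
    """Constructed recordings for the three cases discussed in the abstract."""
    rng = random.Random(seed)
    code = generate_code()
    speech = encode_code(code)
    ambient = [rng.gauss(0.0, 0.3) for _ in speech]      # user's environment
    self_noise = [rng.gauss(0.0, 0.05) for _ in speech]  # watch microphone noise
    gain = {"legitimate": 0.5,      # watch next to the browser
            "remote_guess": 0.0,    # attacker's browser plays the code elsewhere
            "proximity_far": 0.02}  # speaker too far for the wearable microphone
    if scenario not in gain:
        raise ValueError(scenario)
    browser = [s + a for s, a in zip(speech, ambient)]   # environment guessed exactly
    watch = [gain[scenario] * s + a + m for s, a, m in zip(speech, ambient, self_noise)]
    return code, verify_login(code, browser, watch)


if __name__ == "__main__":
    for name in ("legitimate", "remote_guess", "proximity_far"):
        print(name, simulate(name))
```

In the `remote_guess` case the attacker's browser recording is modelled as a perfect match of the user's ambient sound, which is exactly the condition that defeats Sound-Proof; the login is still rejected because the random code is absent from the watch's recording, which is the property the abstract relies on.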




Updated: 2024-01-10