AudioMark

Project Background:

This was my senior capstone project at Boston University. There were five group members including myself. My specific contributions were building the React Native App, creating the Amazon Cloud Services backend, creating the final release on GitHub, and drafting the documentation for the client handover. This project won a Design Excellence award on ECE day 2020.

I would like to thank:

  • my group members: Aixa, Andrea, Dennis, and Zami
  • Professor Hirsch, Professor Osama, and Professor Pisano for guidance
  • Our client: Cambridge Consultants

 

Problem Statement:

Less than 10% of Gmail users use two-factor authentication (2FA) when logging into work or even personal devices. Without multi-factor authentication, user data is more at risk, but 2FA can be burdensome when users need to type codes and wait for SMS notifications.

 

Requirements:

  1. The app must be able to generate a TOTP for authentication, with a PIN of at least 6 digits (20 bits).
  2. The server must be able to authenticate users using the broadcast TOTP.
  3. The audio watermark must be robust to the Doppler effect at the pace of a moving hand (slow movements) and must be easy for the server to pick up from a moving user.
  4. The audio watermark must work when embedded inside another audio clip, which should be no longer than 5 seconds.
  5. The audio watermark should be relatively inaudible to the user, as close to ~20 Hz as possible.
  6. The audio watermark must be usable within a range of 30 cm or less.
  7. The audio watermark should be resistant to two jammers at a distance of 30 cm from the receiver.
  8. The decrypted audio watermark should fall within 2% or less of the TOTP code for successful login.

Solution:

1. Use a standard algorithm to generate a one-time code

1.1 Implement TOTP to generate a unique six-digit code that can then be used for the embedding and authentication processes.

2. Generate a unique “watermark” containing the code and apply it to an audio sample

2.1 Use ultrasonic audio embedding techniques to hide audio data outside of the human hearing range. This will allow changes to audio files without degradation of the original sound.

2.2 Use an approach that implements a kind of frequency shift keying (FSK) as opposed to amplitude shift keying (ASK).

2.3 Have the code be inaudible to the given user by imposing a relative scale from 1 to 5, 5 being the most noticeable. We will also ensure that the watermark is embedded at ~20 Hz, inaudible to humans.

3. Implement on smartphone app

3.1 Create a cross-platform smartphone app (i.e. similar to the Google Authenticator app) that will allow users to relay watermarked data to the computer microphone.

3.2 Ensure that the application is simple to use, does not require complicated steps, and is unique to each user.

3.3 Keep the core encryption functions on an AWS backend and not on the app itself.

4. Web browser serving as a mock website sends mic audio to the server and performs authentication.

4.1 Ensure that the watermark extraction process is not susceptible to any hindrances that may affect the ability to retrieve the watermarked data (distance, volume, environmental noise, Doppler effect, etc.).

4.2 Impose a cue sound within the watermark to trigger laptop recording.

4.3 Additionally, we will mock the mentioned testing environments by testing several different distances leading up to our quoted 30 cm functionality, different volumes from the application itself, varying levels of white noise in the background during authentication, and moving objects between our server and the phone running the application at the point of authentication.

What worked:

  • Successful implementation of TOTP to generate a unique six-digit code that is stored in the database.
  • Successful embedding of the audio file with the code stored in the database as key.
  • Successful extraction of code from the audio file using Python. The extracted code is stored in a field of the database called decoded.
  • Streamlined use of a database.
  • Web authentication app compares key and decoded and grants access if they match.
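
The pipeline described above (TOTP generation, FSK embedding of the 20-bit code, extraction, and the key/decoded comparison), as an added example that is not the project's own code. The sample rate, the two tone frequencies, the 10 ms bit length and all function names are assumptions; the page specifies none of them.

```python
import hashlib, hmac, math, struct

RATE = 44100               # assumed sample rate in Hz
F0, F1 = 18000.0, 19000.0  # assumed tones for bit 0 / bit 1 (hypothetical values)
BIT_SAMPLES = 441          # assumed 10 ms per bit, so 20 bits last 0.2 s
BITS = 20                  # a 6-digit code (max 999999) fits in 20 bits

def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, returned as an integer."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F   # dynamic truncation offset (RFC 4226)
    word = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return word % 10 ** digits

def fsk_encode(code):
    """Emit one tone per bit, most significant bit first."""
    samples = []
    for i in range(BITS - 1, -1, -1):
        f = F1 if (code >> i) & 1 else F0
        samples += [math.sin(2 * math.pi * f * n / RATE) for n in range(BIT_SAMPLES)]
    return samples

def tone_power(block, freq):
    """Goertzel algorithm: power of `block` at a single frequency."""
    coeff = 2 * math.cos(2 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in block:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def fsk_decode(samples):
    """Recover the 20-bit value by comparing tone power in each bit slot."""
    code = 0
    for i in range(BITS):
        block = samples[i * BIT_SAMPLES:(i + 1) * BIT_SAMPLES]
        code = (code << 1) | int(tone_power(block, F1) > tone_power(block, F0))
    return code

def verify(secret, samples, now):
    """Server side: compare the expected code (key) with the extracted one (decoded)."""
    key = f"{totp(secret, now):06d}"
    decoded = f"{fsk_decode(samples):06d}"
    return hmac.compare_digest(key, decoded)  # constant-time comparison
```

Because the code is broadcast as sound, anyone in microphone range receives it, so a server using a check like `verify` should also refuse a code it has already accepted within the same time step.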