
Show HN: SoundLogin – two-factor authentication via sound notifications - cifrasoft
https://www.soundlogin.com/
======
digital_ins
Constructive criticism:
1. A better soundtrack / voiceover is key. This one had too many things going
on.
2. You need to explain how the sound thing works. Is it frequency or amplitude
based? (would help me understand what environment it would and would not work
in)
3. I tried a demo and it sent the test code but showed me a different number on
the screen.

~~~
cifrasoft
Thank you for the feedback!
1) Yes, we are planning to add more sounds. We have 5 different melodies for
now (in Settings), but we'll try to add more and also add an option for a
custom soundtrack as well.
2) The sound technology is a sort of acoustic watermarking. It is based on
multicarrier spread spectrum and it uses a simple masking mechanism to hide
behind the host audio signal. It should be quite robust in various noise
scenarios and multipath propagation (although every system has limitations).
3) Did you enable 'encryption' in settings? For the web test, do not turn on
'encryption' in the app settings. If you enable encryption, the decoder will
detect the wrong sequence (even if your password is blank). We use it to
protect our acoustic channel. If an adversary tries to intercept your
'encrypted' acoustic signal, he/she will not be able to decipher it or even
know if the encryption is enabled or disabled. On the other hand, SoundLogin
has an internal error check mechanism - the probability that the decoder will
come up with a wrong number because of channel noise is less than 10^-10.

~~~
digital_ins
Yes! I was using it with encryption on. I was playing around with it a little
bit.

The digital acoustic watermarking idea is awesome. Rather than have a weird
buzzing noise, overlaying digital information over these codes is great.

If you've got enough traction, you should get a US corp built, because this is
a trust-based product (right?). Having an OOO company is a little scary for US
users.

~~~
cifrasoft
Thank you, digital_ins. Yes, I know it's scary. If we get some traction -
we'll probably convert the SoundLogin project to open-source. We are already
talking with potential backers. I think open-source is the best route for a
trust-based product.

------
volaski
Can someone help me understand the benefit? Maybe I'm missing something. When
the video says currently "Authenticating with OTP is not really easy", is it
saying that typing 4~6 numbers is not easy?

~~~
cifrasoft
The benefit is convenience. 2FA requires you to enter 6-8 digits (4 is not
secure). If you have to do it every time you log in to your account (e.g. AWS,
GitHub, Twitter), it may be really annoying. So, we try to improve 2FA
usability.

------
andmarios
Although not so fancy, I use KDE Connect's clipboard sync for the same task.

I copy the verification code on my mobile (all otp apps do it automatically)
and paste on the computer.

------
pjdkoch
If you can both read and write text fields, how do I know you're not stealing
my passwords?

Also, why not a javascript bookmarklet?

~~~
cifrasoft
For now, we have to rely on browser extensions (maybe in the future some
services will integrate our scripts directly on login pages). Browser
extensions are in JavaScript. The code is available to everyone for review. To
reduce concerns we do not use any analytics or tracking code in browser
extensions or mobile apps. Thanks for the tip on bookmarklets, we'll check if
it is technically feasible.

