SoundLogin - two-factor authentication. FAQ
info@cifrasoft.com
Frequently Asked Questions
Why do I need SoundLogin?

To greatly simplify an inconvenient two-factor authentication procedure for your favorite on-line services. Our solution is especially helpful for services that require entering one-time passwords at every login session (e.g., Twitter, WordPress, Amazon Web Services, Rackspace, GitHub, etc.).

How are one-time passwords transferred from my mobile device to my browser?

One-time passwords generated by the application or received via SMS are encoded and embedded into an audio notification signal, which is picked up by the microphone of your desktop PC or notebook. An Internet connection is not needed.

What if someone records a notification sound from my mobile phone?

First of all, each one-time password is only valid for a short period of time (usually, about 30 seconds), so any hacker would have to use it within 30 seconds. Besides, a hacker would also have to know your main login and password. In addition, we offer OTP encryption (please enable it in your mobile app and extension settings), which makes acoustic signal recording absolutely useless for any alleged hacker.

Can an attacker record my sound signal, containing my OTP, if he/she is located in another room?

No. Acoustic signals travel only short distances and do not carry outside of your room, so this channel is inherently more secure than Bluetooth or WiFi radio.

But what if a hacker is in the same room as me?

If you are worried that you may be in the same room as an alleged hacker (who may also know your login/password), then you should enable the additional OTP encryption in your app and browser extension settings. After that, no one will be able to decrypt your one-time password.

I am still concerned that your application may send my passwords somewhere else.

Don't worry, we never send anything anywhere. In fact, we don't need an internet connection at all to transfer a one-time password from your mobile device to your desktop browser. You can check this by disabling the internet on your mobile device and even on your desktop PC. Your one-time password will be delivered anyway. Moreover, we don't use any mobile/web analytics software (such as Google Analytics, Flurry, or anything else), neither in our mobile apps nor in our browser extensions! Therefore, we don't know anything about our users. That's why we need your explicit feedback to improve our solutions. So please give us your feedback. E-mail us at info@cifrasoft.com or use the feedback forms on our website.

Then why does your mobile application require "Internet access" permission?

The mobile application uses an internet connection only to synchronize an internal timer that is used for one-time password generation (as with Google Authenticator or other similar apps). Unfortunately, if we disable this function your OTP generator may de-synchronize and will generate incorrect one-time passwords.
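
The effect of clock drift described above, and the short validity window mentioned earlier, as an added example that is not SoundLogin's own code. It assumes the standard RFC 6238 TOTP scheme used by Google Authenticator (30-second step, HMAC-SHA1, 6 digits); the secret is the RFC 6238 test key, and `matched_step` and `demo` are hypothetical helper names.

```python
import hashlib
import hmac
import struct

STEP = 30                          # seconds per OTP time step (RFC 6238 default)
SECRET = b"12345678901234567890"   # RFC 6238 test key, not a real account secret


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the current 30-second counter."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def matched_step(secret, code, server_time, window=1, digits=6):
    """Return the step offset (-window..window) at which `code` matches the
    server's clock, or None if it matches no accepted step."""
    for off in range(-window, window + 1):
        candidate = totp(secret, server_time + off * STEP, digits)
        if hmac.compare_digest(candidate, code):              # constant-time compare
            return off
    return None


def demo():
    device_time = 1111111109            # constructed: phone clock, end of a step
    code = totp(SECRET, device_time)
    return {
        "code": code,
        # Server clock is only 2 s ahead but already in the next step:
        # a verifier with no tolerance rejects the code.
        "strict": matched_step(SECRET, code, device_time + 2, window=0),
        # Accepting one step either side absorbs the drift (device is 1 behind).
        "tolerant": matched_step(SECRET, code, device_time + 2, window=1),
        # The same code presented 90 s later falls outside every accepted step.
        "replayed": matched_step(SECRET, code, device_time + 90, window=1),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9} -> {result}")
```

A wider `window` tolerates more drift but extends how long a captured code stays usable, which is why generators keep their clock synchronized instead of relying on a large window.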

But what if your application saves my one-time passwords and sends them later?

Firstly, one-time passwords are only valid for a short period of time, usually less than one minute, so they quickly become unusable. Secondly, our mobile application code is easy to analyze, so it is easy to see that it does not have any malicious code. The source code for the browser extensions is readily available because it is essentially JavaScript. Moreover, our extensions underwent code review in the Chrome Web Store and Opera add-ons.

I still cannot install SoundLogin. What should I do?

Check the manual. If you still experience problems, please contact us at info@cifrasoft.com.

How should I set up one-time password encryption?

It is easy. Check the manual here. Don't forget to use the same password in your mobile app and your browser extension.

I'm still undecided, what should I do?

Contact us at info@cifrasoft.com.