You are in a café. The coffee is good. You open your laptop, glance around briefly (a habit, an instinct) and then type your password. Login successful. You feel the small, familiar reassurance of the padlock icon. You are in.
A few tables away, someone’s phone is lying face-up on the table. Unremarkable. You would not give it a second thought. You did not give it a second thought.
But that phone was listening. Not to your conversation. To your keyboard.
And by the time you finished your coffee, a deep learning model had reconstructed every character you typed, with 95% accuracy.
The lock on the door was never the problem. The problem is that the key makes a sound. And we have built machines that know how to listen.
The Research That Should End the Password Debate
In August 2023, researchers from Durham University, the University of Surrey, and Royal Holloway University of London published a paper that deserves far more attention than it received outside security circles. Its title was precise and deliberately understated: “A Practical Deep Learning-Based Acoustic Side Channel Attack on Keyboards.”
What the team (Joshua Harrison, Ehsan Toreini, and Maryam Mehrnezhad) demonstrated was this. Using a smartphone microphone placed nearby, they recorded the sound of 36 keys on a MacBook Pro, each pressed 25 times. The recordings were processed using a Fast Fourier Transform to isolate individual keystroke signatures. Then the data was used to train CoAtNet, a deep learning model that has demonstrated exceptional performance on image classification tasks, repurposed here to classify sound patterns rather than visual ones.
The result: 95% accuracy in identifying individual keystrokes from ambient sound. The highest recorded for this kind of attack without the use of a language model. And when the same technique was applied to keystrokes captured through a Zoom call (not a nearby phone, but a video conferencing session) the accuracy was 93%. A new benchmark for remote acoustic interception.
The attack requires no connectivity to your device. No access to your network. No malware. No phishing. Just a microphone within range. The kind of microphone that sits in every phone on every table in every café in every city in the world.
Side channel attacks, a category of attack that exploits signals emitted by a device rather than vulnerabilities in its software, have been known to security researchers for decades. What changed in 2023 was the combination of ubiquitous microphones, accessible deep learning tools, and the demonstrated accuracy that turns a theoretical threat into a practical one. The researchers did not need specialised equipment. They did not need physical access. They needed a phone and a machine learning model, both of which fit in a pocket.
The Scale of What We Are Defending With Passwords
Before we discuss the solution, it is worth sitting with the scale of the problem. Because the acoustic side channel attack is one vulnerability among many, and the pattern it reveals, that passwords are fundamentally unsuited to the threat environment we now inhabit, is confirmed by data from every direction.
In a single study analysing over 19 billion passwords leaked between 2024 and 2025, researchers found that 94% were reused or duplicated across multiple accounts. Not a minority of careless users. Ninety-four percent. Microsoft’s Digital Defense Report 2025 confirmed that more than 97% of all identity attacks are password attacks. More than 6 billion passwords were stolen by malware in 2025 alone, according to Specops, six times the figure from the previous year. The average price for a stolen credential on criminal markets in 2025 was ten dollars. For that investment, an attacker gains access to accounts that may have taken years to build.
And “123456” remains the world’s most popular password. It has held that position for the past seven years. A credential that can be cracked in under a second, chosen by more people than any other option available to them.
IBM’s research puts the average cost of a credential-related data breach at 4.67 million dollars, with a mean time to detect and contain of 246 days. By the time most organisations know they have been compromised, the breach has been operational for eight months. The attackers are not breaking in. They are logging in. With passwords that were stolen, guessed, or in the café scenario above, simply heard.
I have a dream of a world without passwords; I shared that dream in a TEDx talk.
97% of identity attacks are password attacks. We have known for years that passwords are broken. We have chosen, collectively, to keep using them anyway.
The Threat Is Expanding, Not Contracting
The acoustic side channel attack is concerning not only for what it can do today, but for where it points. The researchers in the 2023 paper noted that acoustic interception can be extended beyond physical proximity, through any active microphone channel. A Zoom call. A Teams meeting. A phone call. A device with a compromised application that has been granted microphone access. The surfaces available for acoustic interception are everywhere because microphones are everywhere.
And the attack is not limited to keyboards. Any physical input mechanism that produces sound (touchscreens, PIN pads, ATM keypads) produces a signal that can, in principle, be learned and decoded. The more that AI models improve at audio classification, the richer the attack surface becomes.
There is a further dimension to this that I have written about in other contexts: the Internet of Thoughts. As brain-computer interface technology matures and neural sensing becomes embedded in consumer wearables, the signals available for side channel exploitation will include brain signals themselves. Thinking a password, in a world where EEG sensors are present, may not be materially more secure than typing one in a café. The attack surface of human cognition is the logical terminus of a trajectory that begins here, with keyboard acoustics, and extends wherever human intent is externally detectable.
But that future concern, urgent as it is, should not distract us from the present one. The acoustic side channel attack is practical, demonstrated, and available to anyone with a phone and time to read the paper. And the solution to it is not a more sophisticated password. The solution is to stop using passwords.
The Answer That Has Been There for Thirty Years
Here is the thing about passwords that rarely gets said directly: there is already a digital service that billions of people use dozens of times every day. A service so embedded in daily life that researchers have named the fear of losing access to it: nomophobia, the anxiety of being without your mobile phone.
Mobile telephony has never required a password. When you make a call, send a message, or access any service through your mobile device, you are not challenged to prove who you are with a secret. You are authenticated continuously and invisibly by the SIM, the Subscriber Identity Module, which has been doing this reliably since the first SIM-based mobile call was made in 1991.
The “I” in SIM stands for Identity. It has always stood for Identity. And the architecture that makes SIM-based authentication work is precisely what passwords have never managed to be: hardware-based, cryptographically secure, and entirely invisible to the user.
Inside every SIM (and its successor, the eSIM) is a unique cryptographic key. When a mobile network authenticates a subscriber, it does not ask them for a secret. It conducts a cryptographic challenge-response with the SIM directly. The key never leaves the hardware. It cannot be phished, because there is nothing to enter on a screen. It cannot be stolen by listening to keystrokes, because there are no keystrokes. It cannot be reused across accounts, because it is tied to one physical identity. It cannot be guessed, because it is not a word.
This architecture has authenticated billions of people across hundreds of mobile networks for more than three decades. It is not a new idea. It is a proven one that has been operating at civilisational scale while the rest of the digital world has been managing the fallout from passwords.
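To make the challenge-response described above concrete, here is an added simulation (not code from the original piece, nor any operator's implementation). The subscriber key Ki is shared between a SIM object and the operator's authentication centre; only a fresh random challenge (RAND) and the short response (SRES) ever cross the air interface, and the SIM class deliberately exposes no way to read the key. Real SIMs run operator algorithms (A3/A8 in GSM, MILENAGE for 3G/4G/5G AKA); HMAC-SHA256 stands in for them here, and the IMSI and key sizes are assumptions.

```python
import hashlib
import hmac
import secrets


class Sim:
    """Stand-in for the SIM's secure element: holds Ki and only answers challenges.
    There is deliberately no accessor for the key."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi = imsi
        self.__ki = ki  # name-mangled; nothing outside this class reads it

    def respond(self, rand: bytes) -> bytes:
        # HMAC-SHA256 stands in for the operator's A3/MILENAGE-style algorithm.
        return hmac.new(self.__ki, rand, hashlib.sha256).digest()[:8]


class AuthCentre:
    """The operator's authentication centre (AuC/HSS/UDM). It shares Ki with
    each SIM and never transmits it; only a fresh RAND goes over the air."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._outstanding: dict[str, bytes] = {}

    def provision(self, imsi: str) -> bytes:
        ki = secrets.token_bytes(16)  # 128-bit Ki, generated at provisioning
        self._keys[imsi] = ki
        return ki  # in practice this only ever reaches the SIM's secure element

    def challenge(self, imsi: str) -> bytes:
        rand = secrets.token_bytes(16)  # fresh per attempt, so old responses are useless
        self._outstanding[imsi] = rand
        return rand

    def verify(self, imsi: str, sres: bytes) -> bool:
        rand = self._outstanding.pop(imsi, None)
        if rand is None:
            return False  # no challenge outstanding, or already consumed
        expected = hmac.new(self._keys[imsi], rand, hashlib.sha256).digest()[:8]
        return hmac.compare_digest(expected, sres)


def authenticate(auc: AuthCentre, sim: Sim) -> bool:
    """One round of the over-the-air exchange: RAND out, SRES back, verdict."""
    rand = auc.challenge(sim.imsi)
    return auc.verify(sim.imsi, sim.respond(rand))


def replayed_response_accepted(auc: AuthCentre, sim: Sim) -> bool:
    """Property check: a (RAND, SRES) pair captured from the air is worthless
    against the next challenge, because the network never reuses RAND."""
    rand = auc.challenge(sim.imsi)
    captured_sres = sim.respond(rand)
    auc.verify(sim.imsi, captured_sres)  # the genuine login succeeds
    auc.challenge(sim.imsi)              # a new attempt issues a new RAND
    return auc.verify(sim.imsi, captured_sres)


if __name__ == "__main__":
    auc = AuthCentre()
    imsi = "001010123456789"  # constructed test-network IMSI
    sim = Sim(imsi, auc.provision(imsi))
    print("genuine SIM:", authenticate(auc, sim))
    print("wrong key:  ", authenticate(auc, Sim(imsi, b"\x00" * 16)))
    print("replay:     ", replayed_response_accepted(auc, sim))
```

The point to notice is what an eavesdropper sees: a random challenge and an 8-byte response, neither of which is the credential. There is no secret typed, displayed, or transmitted, which is why keystroke acoustics have nothing to capture.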
The Infrastructure Is Now Ready for the Digital Economy
What has changed (and this is the development that makes this moment genuinely important rather than merely historically interesting) is that the SIM’s authentication capability is now being exposed as a programmable network service.
The GSMA Open Gateway initiative, backed by mobile operators representing 65% of global mobile connections, is making network-level identity capabilities available as standardised APIs. Number Verify allows a service to silently confirm that a user’s mobile number is active on their current SIM, without the user doing anything. SIM Swap detection allows a service to check whether the SIM associated with a mobile number has recently changed, flagging the most common vector for account takeover fraud. These capabilities, previously locked inside operator infrastructure, are becoming accessible to developers and enterprises building the next generation of digital services.
These APIs are already available in many geographies, including the United Kingdom, France and the Netherlands, as well as India and several countries in South East Asia. In Germany, Deutsche Telekom, O2 Telefónica, and Vodafone launched them commercially through the GSMA Open Gateway in 2024. In the United States, AT&T, T-Mobile, and Verizon followed with standardised Number Verification and SIM Swap APIs.
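As an added example of how a service would combine the two capabilities just described (this is illustrative code, not from the original piece and not any operator's SDK), the function below gates a login on a Number Verify result and a SIM Swap check. The endpoint paths, field names and the 240-hour window follow the CAMARA Number Verification and SIM Swap API drafts as this example understands them, and should be treated as assumptions to check against the operator's documentation; the operator authorisation step (and the fact that Number Verify must be correlated with the device's mobile connection) is abstracted behind a `post` callable. Operator responses are constructed in-line so the example runs offline, and an outage is handled by stepping up rather than allowing.

```python
from dataclasses import dataclass
from typing import Callable

# Paths and fields modelled on CAMARA v0 drafts: assumptions, verify with your operator.
NUMBER_VERIFY_PATH = "/number-verification/v0/verify"
SIM_SWAP_PATH = "/sim-swap/v0/check"
SIM_SWAP_WINDOW_HOURS = 240  # constructed policy: a swap within 10 days counts as recent

Transport = Callable[[str, dict], dict]  # post(path, json_body) -> json_response


@dataclass(frozen=True)
class Decision:
    outcome: str  # "allow", "step_up" or "deny"
    reason: str


def number_verified(post: Transport, phone_number: str) -> bool:
    """Is the claimed number active on the SIM in the device making the request?"""
    resp = post(NUMBER_VERIFY_PATH, {"phoneNumber": phone_number})
    return bool(resp.get("devicePhoneNumberVerified", False))


def sim_recently_swapped(post: Transport, phone_number: str) -> bool:
    """Has the SIM behind this number changed inside the policy window?"""
    body = {"phoneNumber": phone_number, "maxAge": SIM_SWAP_WINDOW_HOURS}
    resp = post(SIM_SWAP_PATH, body)
    return bool(resp.get("swapped", False))


def gate_login(post: Transport, phone_number: str) -> Decision:
    """Network-backed login decision. Fails closed: if the operator cannot be
    reached, the caller must step up rather than silently allow."""
    try:
        if not number_verified(post, phone_number):
            return Decision("deny", "claimed number is not active on the SIM in this device")
        if sim_recently_swapped(post, phone_number):
            return Decision("step_up", "SIM changed within policy window; require a second factor")
    except Exception as exc:  # transport or operator error
        return Decision("step_up", f"operator API unavailable ({exc}); cannot rely on SIM signal")
    return Decision("allow", "number verified on current SIM with no recent swap")


# Constructed operator state for three subscribers; nothing here touches a network.
FAKE_OPERATOR = {
    "+15550000001": {"verified": True, "swapped": False},   # normal user
    "+15550000002": {"verified": True, "swapped": True},    # SIM replaced last week
    "+15550000003": {"verified": False, "swapped": False},  # number not on this device
}


def fake_post(path: str, body: dict) -> dict:
    record = FAKE_OPERATOR.get(body["phoneNumber"])
    if record is None:
        raise RuntimeError("simulated operator outage")
    if path == NUMBER_VERIFY_PATH:
        return {"devicePhoneNumberVerified": record["verified"]}
    if path == SIM_SWAP_PATH:
        return {"swapped": record["swapped"]}
    raise ValueError(f"unknown path {path}")


if __name__ == "__main__":
    for number in list(FAKE_OPERATOR) + ["+15550009999"]:
        print(number, gate_login(fake_post, number))
```

The ordering matters: Number Verify establishes that the request really comes from the device holding that number, and only then is the swap check worth consulting. A recent swap is not proof of fraud, which is why it triggers a second factor rather than a refusal.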
The SIM has been solving the password problem since 1991. The question was never whether it works. The question was whether we would choose to use it.
Why This Is a Human Question, Not a Technical One
Everything I have described so far (the acoustic attack, the breach statistics, the SIM architecture, the Open Gateway APIs) is technical in nature. But the problem underneath all of it is not technical.
Passwords persist not because they are good, but because they are familiar. They are the mental model most people have for what authentication looks like. The username field and the password field are so deeply embedded in the experience of using the digital world that alternatives feel exotic even when they are demonstrably superior. The friction of change feels greater than the friction of the problem, right up until the moment the problem arrives personally, in the form of a compromised account, a fraudulent transaction, an identity stolen from a café where someone left their phone on the table.
What makes SIM-based authentication genuinely humanising, in a way that most security technology is not, is that it requires nothing from the user. No password to remember. No OTP to wait for. No biometric to enrol. No decision to make at the moment of authentication. The cryptographic handshake happens invisibly, between the network and the device, in the background of a login that feels effortless.
And crucially, the SIM is one of the most inclusive technologies in the world. It provides exactly the same level of cryptographic security on a twenty-dollar handset as on an eight-hundred-dollar flagship. The protection is not premium. It is universal. In a world where digital identity is increasingly the prerequisite for accessing healthcare, financial services, education, and civic participation, that universality is not a feature. It is a moral imperative.
The Café, Revisited
Return for a moment to the café. The phone on the table. The keyboard. The password typed in good faith by someone who took reasonable precautions: checked over their shoulder, kept their screen angled away, connected to a trusted network.
None of those precautions mattered. Because the attack did not need to see the screen. It only needed to hear the keys.
Now imagine the same person, the same café. But this time, there is no password field. Their identity is confirmed by the network, silently, through the SIM in the phone on the table, the phone that is their identity anchor, not their vulnerability. The attack has no surface. There is nothing to listen for. The credential does not exist in a form that can be acoustically reconstructed, phished, guessed, leaked, or sold for ten dollars on a criminal forum.
That is not a vision of a more secure future. That is a description of technology that has existed for thirty years, applied to a problem we have refused to solve.
The acoustic side channel attack is a provocation. Not because it is new (the theory has been understood for decades) but because the combination of ubiquitous microphones and accessible deep learning has made it practical in the present, not the future. It is a demonstration, built with off-the-shelf tools, that the password model is broken in ways that no complexity requirement or rotation policy can fix.
The answer is not a better password. The answer is the SIM. The answer has been the SIM since 1991. And every year we delay is another year of breaches, account takeovers, fraud, and identity theft that did not have to happen.
Let’s build a passwordless world. The infrastructure exists. The cryptography is proven. The scale is there. What remains is the decision to use what we already have.