SlickLogin: Silent assassin of the alphanumeric password
Posted by: Jon Ben-Mayor on 09/11/2013 10:08 AM
Alphanumeric passwords look like they will slowly be phased out, with fingerprint and retina scanners replacing the old tried-and-true method of password input. More recently, a slick little login tool from SlickLogin is looking to help silently put another nail in the alphanumeric coffin, so to speak.
According to TechCrunch, SlickLogin launched into closed beta in the Disrupt SF 2013 Battlefield on September 9th. SlickLogin lets you log into a website on your computer by holding your phone within a few inches of it.
Here’s the idea: as a user, you’d go to whatever SlickLogin-enabled site you’d like to log in to. Tap the login button, hold your phone up close to the laptop, and you’re in. SlickLogin can be used either as a secondary verification layer to your existing credentials (think RSA keys or an SMS-based two-factor system, without having to type any codes), or, if the service provider chooses, can forgo username/password typing altogether.
SlickLogin can use a bunch of protocols to start verifying your phone’s position: WiFi, Bluetooth, NFC, visual markers like QR codes, and of course, GPS. Their self-dubbed “secret sauce”, though, is their use of uniquely generated sounds intentionally made inaudible to the human ear. Your computer plays the sound through its speakers, while an app on your smartphone uses the device’s built-in microphone to pick up the audio.
Once it processes the sound and identifies that it’s you (or at least, someone with your phone) standing in front of your computer, it sends the green light up to the server to let you log in. SlickLogin doesn’t require your company to build a whole new mobile app; instead, you just add 5 lines of code to your existing app.
TechCrunch's Greg Kumparak spoke with SlickLogin’s founders for quite a while about security, and it seems like they have their bases covered — which makes sense, given that all 3 of the founders are graduates of the Israeli Defense Force unit that specializes in security.
Everything is very heavily encrypted, so man-in-the-middle attacks are out. You can’t record the audio signal and just play it back later, as the audio is uniquely tied to that moment. You can’t just hold your phone up to someone else’s audio signal (or grab it from across the room with a directional mic) in hopes of getting logged in to their account before they do; your phone wouldn’t have their login credentials stored on it, and that crucial bit isn’t wrapped into the sound. If anything, you’d just log them in to your own account.
And if someone steals your phone?
“If they can get into your phone, they have access to your accounts already,” the founders responded.
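The replay and eavesdropping claims above match the behaviour of a one-time, short-lived challenge answered with a secret that never leaves the phone. The sketch below is an added illustration and not SlickLogin's protocol, which the article does not disclose; the HMAC construction, the 30-second lifetime and every name in it are assumptions.

```python
import hashlib
import hmac
import secrets

CHALLENGE_TTL = 30  # seconds a challenge stays valid (assumed value)

class LoginServer:
    def __init__(self):
        self.devices = {}   # device_id -> (account, per-device key)
        self.pending = {}   # nonce -> expiry time

    def enroll(self, device_id, account):
        """Provision a key that is stored on the phone, never sent as audio."""
        key = secrets.token_bytes(32)
        self.devices[device_id] = (account, key)
        return key

    def new_challenge(self, now):
        """Fresh random nonce: this is what the computer would play."""
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = now + CHALLENGE_TTL
        return nonce

    def verify(self, device_id, nonce, tag, now):
        """Return the account to log in, or None if the response is rejected."""
        expiry = self.pending.pop(nonce, None)   # consumed on first use
        if expiry is None or now > expiry:
            return None                          # replayed, unknown or stale
        if device_id not in self.devices:
            return None
        account, key = self.devices[device_id]
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return account if hmac.compare_digest(expected, tag) else None

def phone_respond(key, nonce):
    """Phone side: prove possession of the device key for this nonce."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

if __name__ == "__main__":
    server = LoginServer()
    alice_key = server.enroll("alice-phone", "alice")   # constructed sample data
    bob_key = server.enroll("bob-phone", "bob")
    n = server.new_challenge(now=1000)
    tag = phone_respond(alice_key, n)
    print(server.verify("alice-phone", n, tag, now=1005))   # fresh response
    print(server.verify("alice-phone", n, tag, now=1006))   # recorded and replayed
    n2 = server.new_challenge(now=2000)
    print(server.verify("bob-phone", n2, phone_respond(bob_key, n2), now=2001))
```

Because the account is selected by the key held on the responding phone, a phone that answers a challenge it overheard only ever authenticates as its own owner.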