SlickLogin: Silent assassin of the alpha numeric password
Posted by: Jon Ben-Mayor on 09/11/2013 06:08 AM
Entering alphanumeric passwords looks like it will slowly be phased out, with fingerprint and retina scanners replacing the old tried-and-true method of password input. More recently, a slick little login tool from SlickLogin is looking to help silently put another nail in the alphanumeric coffin, so to speak.
According to TechCrunch, SlickLogin launched into closed beta in the Disrupt SF 2013 Battlefield on September 9th. SlickLogin lets you log into a website on your computer by holding your phone within a few inches of it.
Here’s the idea: as a user, you’d go to whatever SlickLogin-enabled site you’d like to log in to. Tap the login button, hold your phone up close to the laptop, and you’re in. SlickLogin can be used either as a secondary verification layer to your existing credentials (think RSA keys or an SMS-based two factor system, without having to type any codes), or, if the service provider chooses, can forego username/password typing altogether.
SlickLogin can use a bunch of protocols to start verifying your phone’s position: WiFi, Bluetooth, NFC, visual markers like QR codes, and of course, GPS. Their self-dubbed “secret sauce”, though, is their use of uniquely generated sounds intentionally made inaudible to the human ear. Your computer plays the sound through its speakers, while an app on your smartphone uses the device’s built-in microphone to pick up the audio.
Once it processes the sound and identifies that it’s you (or at least, someone with your phone) standing in front of your computer, it sends the green light up to the server to let you log in. SlickLogin doesn’t require your company to build a whole new mobile app; instead, you just add 5 lines of code to your existing app.
TechCrunch's Greg Kumparak spoke with SlickLogin’s founders for quite a while about security, and it seems like they have their bases covered, which makes sense, given that all 3 of the founders are graduates of the Israeli Defense Force unit that specializes in security.
Everything is very heavily encrypted, so man in the middle attacks are out. You can’t record the audio signal and just play it back later, as the audio is uniquely tied to that moment. You can’t just hold your phone up to someone else’s audio signal (or grab it from across the room with a directional mic) in hopes of getting logged in to their account before they do; your phone wouldn’t have their login credentials stored on it, and that crucial bit isn’t wrapped into the sound. If anything, you’d just log them in to your own account.
And if someone steals your phone?
“If they can get into your phone, they have access to your accounts already,” the founders responded.
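The replay and eavesdropping claims above can be made concrete with a toy challenge-response. This is an added illustration, not SlickLogin's protocol or code: the per-device HMAC key, the 30-second window, and every name below are assumptions.

```python
import hashlib
import hmac
import secrets

TTL_SECONDS = 30  # assumed lifetime of one sound token

class LoginServer:
    def __init__(self):
        self.device_keys = {}  # device_id -> (account, key); the key also lives on the phone
        self.pending = {}      # nonce -> (browser session, issue time)

    def enroll(self, device_id, account):
        key = secrets.token_bytes(32)
        self.device_keys[device_id] = (account, key)
        return key

    def start_login(self, session_id, now):
        nonce = secrets.token_bytes(16)  # what the browser would play as sound
        self.pending[nonce] = (session_id, now)
        return nonce

    def finish_login(self, device_id, nonce, tag, now):
        entry = self.pending.pop(nonce, None)  # single use: gone after the first attempt
        if entry is None or device_id not in self.device_keys:
            return None
        session_id, issued_at = entry
        account, key = self.device_keys[device_id]
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        if now - issued_at > TTL_SECONDS or not hmac.compare_digest(expected, tag):
            return None
        return session_id, account  # the account comes from the phone, not the sound

def phone_response(device_key, heard_nonce):
    return hmac.new(device_key, heard_nonce, hashlib.sha256).digest()

def demo():
    # Constructed scenario: two enrolled phones, one browser session.
    srv = LoginServer()
    alice = srv.enroll("alice-phone", "alice")
    mallory = srv.enroll("mallory-phone", "mallory")
    n1 = srv.start_login("alice-browser", now=0)
    t1 = phone_response(alice, n1)
    ok = srv.finish_login("alice-phone", n1, t1, now=5)
    replay = srv.finish_login("alice-phone", n1, t1, now=6)  # recorded and played back
    n2 = srv.start_login("alice-browser", now=100)           # sound overheard by another phone
    overheard = srv.finish_login("mallory-phone", n2, phone_response(mallory, n2), now=101)
    n3 = srv.start_login("alice-browser", now=200)           # answered after the window closed
    late = srv.finish_login("alice-phone", n3, phone_response(alice, n3), now=231)
    return ok, replay, overheard, late
```

`demo()` shows the overheard token logging the listening session into the eavesdropper's own account rather than the victim's, since the sound carries only the nonce.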