SoylentNews is people
SoylentNews is powered by your submissions, so send in your scoop. Only 15 submissions in the queue.
SoylentNews
Gaaark writes:
Google acquires SlickLogin: dogs go wild!
SlickLogin, an Israeli start-up, is behind the technology that allows websites to verify a user's identity by using sound waves. It works by playing a uniquely generated, nearly-silent sound through your computer speakers, which is picked up by an app on your smartphone. The app analyses the sound and sends a signal back to confirm your identity.
The firm confirmed the acquisition on its website but did not provide any financial details of the deal.
Too bad they don't still put whistles inside packages of Cap'n Crunch cereal!
This discussion has been archived.
No new comments can be posted.
Google Buys Sound Authentication Firm SlickLogin
|
Log In/Create an Account
| Top
| 42 comments
| Search Discussion
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
* m2 stares at the monitor... it looks like a hamburger...
m2 - that's a bad sign
(Score: 5, Interesting) by tftp on Tuesday February 18 2014, @01:26AM
The SlickLogin's web site says nothing about the mechanics. I can imagine that the sound is a random challenge; the phone would decode it, encrypt with personal key, perhaps tied to the unique serial number of the phone, and send it to the site... but what's the point of the audio segment? Wouldn't it be better to, say, display a full screen QR code for the phone to read? How would you even identify the phone reliably, if the attacker can duplicate that number with ease?
I can also think of other issues with this scheme. Without knowing more, I wouldn't be too interested in this company.
(Score: 1) by everdred on Tuesday February 18 2014, @01:29AM
> but what's the point of the audio segment? Wouldn't it be better to, say, display a full screen QR code for the phone to read?
For mobile devices without cameras? Do those still exist?
(Score: 1) by regift_of_the_gods on Tuesday February 18 2014, @01:50AM
Or send a string of five or six base64 characters to the phone screen that the user has to enter into the web site authentication dialog. Yeah, I'm not sure why the audio makes it stronger. Seems to be based on what you have - the phone running the SlickLogin app - with a weak second factor based on positional data.
(Score: 1) by tftp on Tuesday February 18 2014, @02:50AM
The authentication is *only* based on what you have because no action on your part is required. This is good for the Twitbook generation who cannot be bothered to enter passwords. However this is bad if you leave your phone at the desk and go to the bathroom because anyone can log in as you.
I do not understand why the phone can even be that "something you have" - phones are not unique, and they are not tamper-proof. There are a few serial numbers in each phone, but you can always run the code in a VM (just as it runs on the phone itself) and fake those numbers.
Yet another aspect is that phones have short life. Cellular providers push for a 2-year replacement plan to keep the users under the contract. However it would be impractical to update login information for all your sites, especially if the old phone is gone (and it is, since you move the service onto the new one.) Phones are often lost or damaged. I understand that all the entrepreneurs in the world, like this gang, are dreaming up the new ways of using the phone... but this auth method appears to be overly complicated. Sure, two factor and all that is good for you, but people who know about security will never trust this method, and people who don't want to know about security will use a password that reads as "password." In other words, nothing will change.
(Score: 1) by regift_of_the_gods on Tuesday February 18 2014, @03:29AM
I assumed the smartphone has a chip with a private key or some other secret that can securely identify itself to service providers when placing or accepting a call. That's what I meant. I don't know the details.
(Score: 1) by tftp on Tuesday February 18 2014, @04:22AM
I assumed the smartphone has a chip with a private key or some other secret that can securely identify itself to service providers when placing or accepting a call
A phone (smart or not) does have such an ID. However, it is not tamper-proof, and it can be simulated. Besides, this ID is only available to the cellular provider; they need it to know what phones to service and what phones to reject. If a Java application on a smartphone opens a TCP connection to a 3rd party server, there will be no such information embedded. You only get the IP address. The HTTP request may contain some headers... but they are only what YOU send; and you can send whatever you want. In other words, your phone can only authenticate to the cellular provider, but not to 3rd parties. This is good because otherwise your phone can be uniquely identified and tracked by every web site in existence.
In order to securely authenticate on application level the phone has to have some TPM hardware [trustedcom...ggroup.org]. I do not think that today's smartphones have TPM despite the obvious interests of TPM vendors. Eventually this may happen.
(Score: 1) by siliconwafer on Tuesday February 18 2014, @01:33AM
How I would implement it: Computer sends a unique sequence of data at every login attempt as barely audible 60wpm morse code. Have the phone hash it using some salted key that is unique to the phone, and have the phone echo the hash back for matching purposes with whatever is in the database. Oh yeah, and ROT13 for good measure.
But a random sound? That's no fun. I want to pick a custom one, kind of like a ring-tone. And I request this one.
http://www.youtube.com/watch?v=qjPQYdTYmKM [youtube.com]
(Score: 3, Interesting) by Angry Jesus on Tuesday February 18 2014, @01:41AM
My guess is that they are "fingerprinting" the phone's microphone in order to make it into a unique token. Kind of like the way every camera lens uniquely distorts images so that if you know what the picture should look like you can figure out which camera took the picture by comparing the differences between original and photograph.
(Score: 1) by Nerdfest on Tuesday February 18 2014, @02:02AM
Probably not reliable enough and wouldn't work for people with multiple devices. Great idea if there's enough identifiable distinction though.
(Score: 4, Informative) by tftp on Tuesday February 18 2014, @02:04AM
My guess is that they are "fingerprinting" the phone's microphone in order to make it into a unique token.
Impossible for 3 reasons:
(Score: 2, Informative) by Angry Jesus on Tuesday February 18 2014, @02:55AM
1. Many phones may have the same characteristics of their microphones (they are repeatably made)
Manufacturing tolerances always vary, especially for consumer-grade equipment. The chance that someone trying to crack your account has the same set of variations is going to be small. This isn't the kind of thing that needs to be perfect, it just needs to be good enough, like the iphone's fingerprint sensor.
2. The phone's response is affected by the environment (echo, attenuation, external noises, holsters, bumpers, hands.)
Those are all of a completely different category of variations. Echo? That's time-domain, not even frequency domain.
3. The speakers that emit the sound are part of the deal... and you do not authenticate with them.
Doesn't matter, that's just noise to be filtered out. Sure, if the speakers are really bad, then it will be too noisy to work. But see the first point -- it just has to be good enough, not perfect.
(Score: 2, Informative) by tftp on Tuesday February 18 2014, @05:38AM
Manufacturing tolerances always vary, especially for consumer-grade equipment.
It takes pretty good test equipment (Rohde & Shwartz) and an anechoic chamber to decently characterize a microphone. I made some measurements in such a lab in university. I cannot imagine what can you measure in open air, using random sources that are "barely audible" and in presence of stray signals.
Echo? That's time-domain, not even frequency domain.
Praise Fourier that they are not two interchangeable representations of the same physical process :-) In this case the echo will add another component, with the same frequency and a different phase. These components will add up, changing the amplitude of the resulting response... but since this is frequency-dependent (the delay is a fixed time,) the frequency response gets peaks and valleys. That's how those loudspeakers' enclosures shape the frequency response - by using boundary conditions.
Doesn't matter, that's just noise to be filtered out.
The frequency response of the system is mic(f) * speakers(f). If speakers change, the response changes as well. Since speakers and microphones are horribly nonlinear, harmonic content will be also severely affected by different speakers.
(Score: 1) by Angry Jesus on Tuesday February 18 2014, @06:08AM
It takes pretty good test equipment (Rohde & Shwartz) and an anechoic chamber to decently characterize a microphone.
You are thinking about it completely in reverse - this isn't about minimizing distortion, it is simply about distinguishing between different units. Similar to the way that forensic DNA matching only looks at 10-12 markers when that is a tiny fraction necessary to describe a human.
The frequency response of the system is mic(f) * speakers(f). If speakers change, the response changes as well
That's far too simplistic. Off the top of my head I can think of at least one method that isn't affected so straight-forwardly - measuring harmonic response ratios. Even if the speakers' output levels vary at a specific frequency, the microphone will have its own set of harmonics in relation to the generated tones. The speaker will have its own harmonics too, but all that extra noise won't matter because we are only looking for the harmonic signature of the microphone. I'm sure there are other relationships that could be profiled if someone were to spend more than 30 seconds thinking about it.
(Score: 1) by edIII on Tuesday February 18 2014, @10:19PM
It's a novel form of out-of-band key exchange.
In of itself, it does not seem to be anything special, or tremendously difficult to hack. It just sounds like a really cool idea, and sometimes it really is just the story, or form over function.
However, it does seem that you would need to attack multiple networks simultaneously. That raises the bar somewhat, but nothing that would seem to frustrate the NSA too much. I've bet they seen much harder nuts to crack in the TAO. .... That being said though, how many smartphones suffer from malware and their own dedicated industry providing smartphone malware tools?
Technically, lunchtime is at any moment. It's just a wave function.