SoylentNews is people

posted by Cactus on Tuesday February 18 2014, @01:18AM   Printer-friendly
from the I-want-a-whistle-in-my-cereal dept.
Gaaark writes:

Google acquires SlickLogin: dogs go wild!

SlickLogin, an Israeli start-up, is behind the technology that allows websites to verify a user's identity by using sound waves. It works by playing a uniquely generated, nearly-silent sound through your computer speakers, which is picked up by an app on your smartphone. The app analyses the sound and sends a signal back to confirm your identity.

The firm confirmed the acquisition on its website but did not provide any financial details of the deal.

Too bad they don't still put whistles inside packages of Cap'n Crunch cereal!

 
  • (Score: 1) by everdred (110) on Tuesday February 18 2014, @01:29AM (#1261)

    > but what's the point of the audio segment? Wouldn't it be better to, say, display a full screen QR code for the phone to read?

    For mobile devices without cameras? Do those still exist?

  • (Score: 1) by regift_of_the_gods (138) on Tuesday February 18 2014, @01:50AM (#1276)

    Or send a string of five or six base64 characters to the phone screen that the user has to enter into the web site authentication dialog. Yeah, I'm not sure why the audio makes it stronger. Seems to be based on what you have - the phone running the SlickLogin app - with a weak second factor based on positional data.

    • (Score: 1) by tftp (806) on Tuesday February 18 2014, @02:50AM (#1315)

      The authentication is *only* based on what you have because no action on your part is required. This is good for the Twitbook generation who cannot be bothered to enter passwords. However, this is bad if you leave your phone at the desk and go to the bathroom because anyone can log in as you.

      I do not understand why the phone can even be that "something you have" - phones are not unique, and they are not tamper-proof. There are a few serial numbers in each phone, but you can always run the code in a VM (just as it runs on the phone itself) and fake those numbers.

      Yet another aspect is that phones have a short life. Cellular providers push for a 2-year replacement plan to keep the users under contract. However, it would be impractical to update login information for all your sites, especially if the old phone is gone (and it is, since you move the service onto the new one). Phones are often lost or damaged. I understand that all the entrepreneurs in the world, like this gang, are dreaming up new ways of using the phone... but this auth method appears to be overly complicated. Sure, two factor and all that is good for you, but people who know about security will never trust this method, and people who don't want to know about security will use a password that reads as "password." In other words, nothing will change.

      • (Score: 1) by regift_of_the_gods (138) on Tuesday February 18 2014, @03:29AM (#1356)

        I assumed the smartphone has a chip with a private key or some other secret that can securely identify itself to service providers when placing or accepting a call. That's what I meant. I don't know the details.

        • (Score: 1) by tftp (806) on Tuesday February 18 2014, @04:22AM (#1393)

          > I assumed the smartphone has a chip with a private key or some other secret that can securely identify itself to service providers when placing or accepting a call

          A phone (smart or not) does have such an ID. However, it is not tamper-proof, and it can be simulated. Besides, this ID is only available to the cellular provider; they need it to know what phones to service and what phones to reject. If a Java application on a smartphone opens a TCP connection to a 3rd party server, there will be no such information embedded. You only get the IP address. The HTTP request may contain some headers... but they are only what YOU send; and you can send whatever you want. In other words, your phone can only authenticate to the cellular provider, but not to 3rd parties. This is good because otherwise your phone can be uniquely identified and tracked by every web site in existence.

          In order to securely authenticate at the application level, the phone has to have some TPM hardware [trustedcom...ggroup.org]. I do not think that today's smartphones have TPM despite the obvious interests of TPM vendors. Eventually this may happen.
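
The thread's point that a device identifier sent by the client proves nothing, while a secret held on the phone can, shown as an added example that is not part of the discussion and not SlickLogin's actual protocol (which the page does not describe). The `X-Device-Id` header, the device name and the HMAC-SHA256 scheme with a key shared at enrollment are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed enrollment table: device id -> key shared at enrollment (hypothetical).
ENROLLED = {"phone-1": secrets.token_bytes(32)}


class Verifier:
    def __init__(self, enrolled):
        self.enrolled = enrolled
        self.pending = {}  # outstanding challenge -> device id it was issued for

    def naive_check(self, headers):
        # Weak: the header is whatever the client chose to send, so this
        # accepts any caller that knows (or guesses) an enrolled id.
        return headers.get("X-Device-Id") in self.enrolled

    def issue_challenge(self, device_id):
        # Fresh random nonce per login attempt; in the scheme the article
        # describes, this would be the value carried by the sound.
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = device_id
        return nonce

    def verify(self, device_id, nonce, tag):
        # pop() makes each challenge single-use, so a recorded response
        # cannot be replayed later.
        if self.pending.pop(nonce, None) != device_id:
            return False
        key = self.enrolled.get(device_id)
        if key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)  # constant-time compare


def device_respond(key, nonce):
    # What the phone app computes: proof that it holds the enrolled key.
    return hmac.new(key, nonce, hashlib.sha256).digest()


if __name__ == "__main__":
    v = Verifier(ENROLLED)
    print("header only:", v.naive_check({"X-Device-Id": "phone-1"}))
    n = v.issue_challenge("phone-1")
    tag = device_respond(ENROLLED["phone-1"], n)
    print("valid response:", v.verify("phone-1", n, tag))
    print("replayed response:", v.verify("phone-1", n, tag))
```

The response is only as strong as the storage of the key: a key kept in app storage can be copied off the device, which is the gap hardware-backed key storage is meant to close.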