back to article Google slurps sound-powered security upstart SlickLogin

Google has bought five-month-old security startup SlickLogin, which specialises in sound-based authentication technology. Financial terms of the deal were kept secret. The Israel-based company, which was founded by three ex-Israeli-military security bods in 2013, announced that it had been scooped up by Google in a statement …

COMMENTS

This topic is closed for new posts.
  1. ratfox
    Happy

    Voice based authentication

    Or "how to make it impossible to log in while having a cold"

    1. DropBear
      Stop

      Re: Voice based authentication

      Not voice. SOUND. Your PC and mobile are supposed to chirp to each other in ultra-bat frequencies and it has nothing to do with your voice - but it's nigh impossible to get any details on how exactly that is supposed to work, and who get authenticated to who and by what exactly. I for one am not crazy about being logged into places by my phone being in the same place as my PC....

      1. big_D Silver badge

        Re: Voice based authentication

        The problem is, I don't tend to have my 27" AiO with me, when I'm out with the dog for a walk...

  2. Pete 2 Silver badge

    Typo?

    shouldn't that read: The tech is said to simplify be "overly complicated and annoying"

    Given that it requires a PC with speakers and the sound enabled (surely the very first thing users in offices do is rip out the speakers and/or disable all sounds). Plus a smartphone with it's microphone available to hear this (and presumably everything else that is within hearing distance - a built in bug? how marvelous) and without the sound being muffled by, say, a trouser/jacket pocket or handbag and the environment being sufficiently noise-free.

    I would expect that this technology is neither disability-friendly, universally applicable nor 100% reliable. So all systems where is is used will have to have passwords as a fallback (sorreeeee, I can't log in until my phone has recharged ... ooops, I can't use this app as I'm on the phone, whoops: I appear to have left my phone at home/in the car/on the bus). Added to which is the faff of having to dig out your phone every time you want to log in. So it will hardly ever be a person's first choice of authentication and will therefore very quickly be sidelined and then ignored.

    Hopefully Google bought the company as a public service and will now bury it to reduce the number of annoyances foisted on us in the name of technology.

    1. solo

      Re: Typo?

      Voice based features being sidelined? As the saying goes, if the service is free, you are the product..err.. BETA testers.

      So, after annoying us for billions of man days, one day they will come up with the polished one (if we remain in control).

  3. Anonymous Coward
    Anonymous Coward

    Bug number 2

    Aside from bug number 1 pointed out by Pete2 above ... what about bug number 2.

    Feedback loops .... you know ... that screeching sound you get when speakers are placed too close to microphones.

    1. Anonymous Coward
      Anonymous Coward

      Re: Bug number 2

      There's no feedback as the phone won't be making a noise, it just listens and sends some verification back to the site over the net (probably?).

  4. Andy Mc

    "Google was the first company to offer 2-step verification to everyone, for free"

    Err, really....?

    1. Anonymous Coward
      Anonymous Coward

      Re: "Google was the first company to offer 2-step verification to everyone, for free"

      "Andy Mc

      "Google was the first company to offer 2-step verification to everyone, for free"

      Err, really....?"

      Who beat them to it?

      1. Glyph

        WoW

        The first free 2-factor I remember noticing was WoW/battlenet's phone app. That was in 2008, I think google started in 2011.

      2. I Am Spartacus

        Re: "Google was the first company to offer 2-step verification to everyone, for free"

        Barclays Bank?

        1. Anonymous Coward
          Anonymous Coward

          Re: "Google was the first company to offer 2-step verification to everyone, for free"

          Barclays Bank did something for free?

          Surely someone would have been sacked for that.

  5. Andrew Jones 2

    See the video for more information.

    The register should really have linked to video Engadget posted to explain to commenters how this works: http://www.engadget.com/2014/02/16/google-acquires-slicklogin-sound-passwords/

    Now - as a 2Factor method - I think this is pretty exciting, note for those wondering about eavesdropping - apparently the phone has to be VERY close to the computer in order for this to work, and the system generates a ONE TIME key for each session - so someone recording the ultrasonic chirping and playing it back would get no-where because the authentication session will have already expired.

    My issues are: 1) They are talking about (and do demo in the linked Engadget article) replacing not just the 2Factor stage but the entire login process with this technology, meaning if your phone is lost / stolen - potentially whoever has it can login as you. and 2) The phone appears to be listening constantly as they claim it works without launching anything or even unlocking the phone.

    If it is used JUST to replace Stage 2 and I have to open an app on my phone first, I'd be much happier.

    1. Ken Y-N

      Without watching the video...

      ...I would bet that when you get to the PC login screen it sends an SMS/IM to your registered phone, which picks this up and switches on your microphone - it's not going to be constantly listening.

      Furthermore, it would make sense to also have a configuration option whereby you could also require your phone to be unlocked before the app activates.

    2. Ian Yates

      Re: See the video for more information.

      Except that it requires your computer to (a) have speakers and (b) have them turned on. Can't watch the video, so I can't tell if the app is then authenticating over the 'net or responding with a sound; hopefully the former or you'd need a microphone on the computer.

      It's an interesting tech, but I don't see how it's better (meaning more secure rather than cooler) than using a QR Code and holding the phone up to the screen.

  6. kmac499

    On the road to a perfect solution

    The general idea of using a phone as a token generator\verifier for two factor auth makes a degree of sense.

    But it does sound a bit like a poor mans NFC, or if it works it could prove to be the smart alternative to NFC.(place your bet now) Now if someone started making keyboards with NFC receivers in them for phone bumping and card payments then maybe we would have a better soution. Especially if the banks could get their act together and effectively put two cards in one piece of plastic.

    1) the traditional chip n pin for large payments

    2) a 'sub card' that used the wireless chip up to a max of whatever the card owner set a limit to be.

    One card to rule em'all ??

  7. Anon5000

    #BadBios

    Airgapped devices communicating is an extension of this technology which government spies appear to be using already. Being an IsraelI startup by ex-military personnel, one has to wonder if logins is the only feature they have been working on.

    1. Anonymous Coward
      Anonymous Coward

      Re: #BadBios

      I wouldn't read too much into the military bit. All Israelis have to do time in the defence force, so all software start-ups are run by ex-military. Well, unless they're kids.

  8. Anonymous Coward
    Anonymous Coward

    Because smart phones are such secure devices

    Now everyone and his dog can know your login credentials.

  9. T. F. M. Reader

    Similar approaches using light rather than sound have been in use for a while. You get a token - a little device the size of a credit card but thicker. It has a fingerprint reader and a tiny display for a few characters. You start an application, bringing up a window on your screen. A part of the window flashes a bright light. The flashing is coded. You hold your token card close to the flashing region, and it generates a one-time password based on your biometrics (fingerprint) and the flashed code. The card shows you the password and you type it in. The password is matched on the server side - it also has your fingerprint and knows the code.

    While it *is* a security device, there is another purpose. This is used in cases where you pay, say, a high monthly fee per seat for access to your "cloud" (for some definition of). Today, you no longer can tie the client to a particular HW or place. People upgrade, travel, work from home, coffee shops, airports, etc. So you've sold an expensive license to a customer. What prevents 2 or more customer's employees from sharing a login, even against the terms of the license? You can limit the number of concurrent sessions, but what if one user is in NY and another in Tokyo? They work different hours and won't interfere with each other. Thus, such a token is a revenue generator, probably more so than authenticator.

    Of course a crafty commentard can find a way around such an obstacle with today's technology. Say, the NY employee does not log off, and the guy in Tokyo accesses his computer with one of the multitude of tools and has full control. That's full control of the NY computer though, not of a single application.

  10. RyokuMas
    FAIL

    Errr...

    "... and they're working on some great ideas that will make the internet safer for everyone, while allowing them to further track, profile and spy on you."

    FTFY

  11. Dexter
    FAIL

    So now if someone steals your phone they can use it to log in securely to your laptop?

    Excellent.

    1. Anonymous Coward
      Anonymous Coward

      > So now if someone steals your phone they can use it to log in securely to your laptop?

      No.

  12. Anonymous Coward
    Anonymous Coward

    More data for google

    While the 2 factor stuff is useful I do have issues with giving companies my mobile phone details as well as everything else just to use their product. Noting that downloading an app effectively gives the app owner all your phone details.

This topic is closed for new posts.

Other stories you might like