We are very pleased to see that Google is expanding its search for better authentication techniques to passwords beyond OATH with the acquisition of SlickLogin announced recently. (SlickLogin uses sound waves as a security layer for two-factor authentication.)
SlickLogin focuses on a very important piece of the authentication puzzle – ease and simplicity for the user. The idea of just placing your phone near your laptop to log on sounds cool and simple. As it is based on sound waves, it doesn’t need specialised hardware such as Bluetooth or RFID, which are typical for these kinds of system.
There are other solutions on the market which also make use of simple ways to connect the PC and phone for authentication, for example a QR code via the camera; as such, this is not a new scenario, just a new medium to communicate over. The day-to-day practicalities are yet to be seen though, e.g., what if my PC is set to use my Bluetooth headphones for sound instead of my speakers?
As the app needs to listen for sound, it either needs to be running all the time, which would use up battery power, or you would have to start it up when you want to use it, which is no different from other smartphone app-based systems. In addition, it requires data connectivity to verify the login – as such it could be argued that a totally out-of-band, data-driven app which uses a toast popup with an OK button would be easier and more secure, or at least more reliable and consistent.
However, back to the password problem. SlickLogin claims it can augment or replace a password. If you are just adding a token to a password then, from a security point of view, it is no more secure than OATH, since every time you log on with a password or PIN you give away your secret. If you used SlickLogin to replace a password completely you would only need to put your phone near your PC to log on, which would seem very slick and simple indeed, but that is only one-factor authentication. Worse still, if somebody left their phone on their desk to pop out for a coffee, that’s a very easy hack.
While this acquisition has indeed made headlines and reminds us that we need to move beyond passwords, we will wait and see what realistic scenarios Google can make the technology work in securely.
Steven Hope will be talking in more depth about the need to reinvent authentication at Infosec Europe in April: http://www.infosec.co.uk/en/Sessions/4669/Why-we-need-to-put-secrecy-back-into-security-The-reinvention-of-Authentication
© Technews Publishing (Pty) Ltd. | All Rights Reserved.