Google’s New Login Is ‘Slick,’ But Will It Fly in the Enterprise?
March 4, 2014 Alex Woodie
Google last month acquired SlickLogin, an Israeli security startup that developed an innovative login process that authenticates individuals by using a smartphone to capture sound waves generated by a requesting app. The technology has the potential to eliminate reliance on passwords, which everybody can agree is a good thing. But is the technology ready for primetime? Security expert Patrick Townsend chimes in.
SlickLogin debuted just six months ago at the TechCrunch Disrupt event in San Francisco. Evidentially, the technology (born of the Israeli Defense Force’s elite cyber security unit) made such an impact on the Google folks down the road in Mountain View that they nabbed it up, quick like.
Terms of the deal were not disclosed, and nobody knows whether Google plans to keep the technology to authenticate access to its own products or whether a more generalized service is in the works–possibly by melding the technology with its existing Google Authenticator service, which relies on one-time passcodes generated for smartphones. But the SlickLogin acquisition certainly raises some interesting possibilities, particularly as the field of two-factor authentication (2FA) begins to take on new urgency in the wake of the huge Target credit card breach that affected 110 million customers.
SlickLogin’s technology is another take on 2FA or multi-factor authentication, which requires a user to prove he or she either has something specific (a certain smartphone or fingerprint) or knows something specific (a passcode or your mother’s maiden name), before being granted access to a protected website or service. In SlickLogin’s case, the authentication mechanism is tied to the user’s smartphone.
Here are the slick technical details: Upon requesting access to a SlickLogin-protected application, such as a website, the application uses the computer’s speakers to emit a uniquely generated sound that is nearly undetectable to humans. The user holds his smartphone up to the speakers (or anywhere in the vicinity), the microphone on the smartphone picks up the sound, and a SlickLogin app on the smartphone sends the signal back to the SlickLogin-protected website. If the sound signals match, the user is granted access. If not, he or she is denied.
In practice, the SlickLogin process should work without much input from users. They don’t have to type in one-time passcodes, as used with Google Authenticator and numerous other 2FA products services, such as the passcode-generating key fobs used in RSA‘s SecurID offering or the one-time passcodes that Townsend Security‘s new Alliance Two Factor Authentication uses.
Patrick Townsend, the founder and CTO of Townsend Security, isn’t sure that relying on sound waves has passed muster as the means for an enterprise security mechanism. “We certainly agree that passwords are no longer sufficient for authentication, and there is wide acknowledgement of this in the security community,” Townsend tells IT Jungle via email. “There is a lot of work now on how to add another factor to the authentication process.”
Townsend’s new Alliance Two Factor Authentication, which was launched in January, is a native IBM i program that implements 2FA as a means for protecting access to IBM i applications. The product requires users to correctly enter the one-time passcodes that they are sent, either through SMS text messaging on a smartphone or by automated telephone call. It’s not the only 2FA product for IBM i–Valid Technologies has developed a product that uses fingerprint scanning as a means to achieve 2FA, and there are implementations of RSA’s SecurID key-fob approach in the IBM i world. But Townsend’s Alliance product, starting at $10,000, could be the first 2FA app to gain mainstream adoption in the IBM i world.
“There are some well-known technologies based on fingerprint and iris scanning, one-time tokens, and mobile and voice delivery of one-time PIN codes,” Townsend continues. “It remains to be seen if [soundwave-based] recognition can meet the minimum requirements for authentication. I suspect there are many challenges to overcome before the technology reaches wide acceptance. In the meantime organizations will most likely rely on proven technologies.”