Google’s new web logins save us remembering passwords
One day soon(ish), if Google has its way, you’ll log into web sites by holding your phone up to your computer and having them whisper sweet nothings into each other’s ears.
No more user names or passwords to remember. Just your phone.
Google has just acquired SlickLogin, an Israeli startup that has been working on technology that would use a smartphone as a security token at online banks, or any other web sites that want decent internet security.
A lot of banks already use mobile phones as the second factor in two-factor authentication, as you would know. Once you log in, the banks will SMS you a code if you want to proceed with a novel transaction, and you have to type the code into the web site to prove you are in possession of the phone linked to the account.
But the SlickLogin technology is quite different. It’s not for authorising a transaction, but for logging into the site in the first place. (Though one imagines it could also work for authorising transactions, too.)
SlickLogin has never released this technology, but apparently it works something like this:
When you go to log into a web site, the site will play a barely audible, high-frequency sound through your PC’s speakers. Your phone, held up to the PC, hears the sound, decodes it, and encodes its own response sound, which it plays back to the website through the PC’s microphone.
It’s your basic challenge-response security arrangement, proving to the website that you are in possession of a phone linked to an account. The website would then log you into that account, without you ever entering in a user name or a password.
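The challenge-response exchange described above, as an added sketch that is not SlickLogin's or Google's code. SlickLogin's design was never published, so the per-device shared key, HMAC-SHA256, the 30-second challenge lifetime and every name below are assumptions, and the sound channel itself is left out.

```python
import hashlib
import hmac
import secrets

CHALLENGE_TTL = 30  # seconds a challenge stays valid (assumed value)


class Website:
    """Server side: issues one-time challenges and verifies responses."""

    def __init__(self):
        self.device_keys = {}  # device_id -> secret shared at enrolment
        self.pending = {}      # outstanding challenge -> expiry time

    def enrol(self, device_id):
        self.device_keys[device_id] = secrets.token_bytes(32)
        return self.device_keys[device_id]

    def new_challenge(self, now):
        challenge = secrets.token_bytes(16)  # unpredictable nonce
        self.pending[challenge] = now + CHALLENGE_TTL
        return challenge

    def verify(self, device_id, challenge, response, now):
        # pop() makes each challenge single-use, so a recorded
        # response cannot be played back later.
        expiry = self.pending.pop(challenge, None)
        key = self.device_keys.get(device_id)
        if expiry is None or key is None or now > expiry:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def phone_respond(key, challenge):
    """Phone side: prove possession of the key without revealing it."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def demo():
    site = Website()
    key = site.enrol("alice-phone")  # constructed sample device
    c1 = site.new_challenge(now=1000)
    r1 = phone_respond(key, c1)
    fresh = site.verify("alice-phone", c1, r1, now=1005)
    replayed = site.verify("alice-phone", c1, r1, now=1006)
    c2 = site.new_challenge(now=1000)
    late = site.verify("alice-phone", c2, phone_respond(key, c2), now=1031)
    return fresh, replayed, late
```

Because the sound can be recorded by anything within earshot, the single-use and expiry checks in `verify` are what keep a captured response from being accepted a second time.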
One imagines that the SlickLogin app on the phone would itself be locked with a password, and you would have to remember that one password, making it a little like LastPass and other password managers that let you store multiple, impossible-to-remember passwords in a single vault, all secured by the one password.
The advantage of the SlickLogin system over LastPass etc., one imagines, is that you would get two-factor authentication every time you visit a secure site: you would need to be in possession of the phone itself, and you would need the password to unlock the app on the phone.
“you’ll log into web sites by holding your phone up to your computer”
so if you stole someone’s phone and got the initial password..mmm..
oh it’s Israeli software..any backdoors?