Israeli start-up SlickLogin has developed sound-based technology that allows a user to log in to a secure Web site by holding a smartphone up to a speaker to process an inaudible sound. That
-targeted sound authentication is now part of Google, following news the technology giant has purchased the firm for an undisclosed amount.
SlickLogin's innovative technology enables a site or other provider to generate a high-pitched sound that is unique to the user and the log-in session. The SlickLogin smartphone app analyzes the sound, and, if everything checks out, then transmits a message to the authorizing server to allow log-in. The uniqueness of the signal is intended to ensure that the same sound cannot be used for another session, and it is time-based so that its utility has a temporal limit. A nearby smartphone or other sound pickup device that tries to grab the sound when it was played would not have the required log-in credentials.
In an announcement on its Web site, SlickLogin said Google "shares our core beliefs that logging in should be easy instead of frustrating, and authentication should be effective without getting in the way." It added that Google was "the first company to offer 2-step verification to everyone, for free."
Israeli Cyber Unit
SlickLogin describes its authentication system as military-grade, which might be taken as hyperbole for many start-ups, but, in this case, all three of the founders -- CEO Or Zelig, CTO Eran Galili, and Vice President for Research and Development Ori Kabeli -- have experience working in the Israeli Defense Forces' elite cyber unit.
John Grady, an analyst with industry research firm IDC, told us that the technology was "definitely interesting." Given that "people hate passwords and passwords are insecure," he said, there's obviously a major opportunity here, and using smartphones as second-factor tokens "obviously becomes easier as they become more ubiquitous."
Grady added that he sees this kind of sound-based system as being "one part of a multi-tiered next-generation authentication mechanism."
The technology began its beta testing phase in September. It could be used as the sole authenticator in place of a username/password, or as a step in a two-step authentication process. The start-up says that Web sites or apps just need to add five lines of code to enable the system. Of course, one potential flaw is if someone physically has possession of your smartphone, which is why the system may make more sense in a two-step authentication.
A variety of technology experiments by several companies are attempting to use transmitted sound as an carrier, including works-in-progress to conduct financial transfers via a high-frequency sound or using sound to transfer files. Some security analysts have said they expect passwords to become part of various two-step authentication systems, particularly for businesses. In addition to a stable step that doesn't change, such as a password or even a biometric like a fingerprint, a generated second step -- like a text code or a generated sound signal sent to a smartphone -- appears to be a likely route.