SlickLogin buy may not have the answers
Wait to see if Google acquisition will help perennial password problems, says Steven Hope
We were very pleased to see that Google is expanding its search for better authentication techniques than passwords beyond OATH after the acquisition of SlickLogin.
SlickLogin focuses on an important piece of the authentication puzzle: ease and simplicity for the user. The idea of just placing your phone near your laptop to log in sounds cool and simple, and as it is based on sound waves it doesn't need specialised hardware such as Bluetooth or RFID, which is not typical for these kinds of system.
There are other products on the market that make use of simple ways to connect the PC and phone for authentication, for example a QR code via the camera.
As such, this is not a new scenario, just a new communications medium. However, the day-to-day practicalities are yet to be understood. For example, what if my PC is set to use my Bluetooth headphones for audio instead of my speakers?
As the app needs to 'listen' for sound, it either needs to be running all the time – which would use up battery power – or you would have to start it up when you want to use it, which makes it no different from other smartphone app-based systems.
Additionally, it requires data connectivity to verify the login. As such, it could be argued that a totally out-of-band data-driven app that uses a toast pop-up with an 'OK' button would be easier and more secure, or at least more reliable and consistent.
Back to the password problem. SlickLogin claims it can augment or replace a password. If you are just adding a token to a password then, from a security point of view, it is no more secure than OATH, since every time you log in with a password or PIN you give away your secret.
If you used SlickLogin to replace a password completely, you would need only to put your phone near your PC to log in, which would seem slick and simple indeed, but it is still only one-factor authentication.
Worse still, if somebody left their phone on their desk to pop out for a coffee, that's a very easy hack.
While this acquisition has indeed made headlines and reminds us that we need to move beyond passwords, we will wait and see what realistic scenarios in which Google can make the technology work securely.
Steven Hope is chief executive of Winfrasoft