Gaaark writes:
Google acquires SlickLogin: dogs go wild!
SlickLogin, an Israeli start-up, is behind the technology that allows websites to verify a user's identity by using sound waves. It works by playing a uniquely generated, nearly-silent sound through your computer speakers, which is picked up by an app on your smartphone. The app analyses the sound and sends a signal back to confirm your identity.
The firm confirmed the acquisition on its website but did not provide any financial details of the deal.
Too bad they don't still put whistles inside packages of Cap'n Crunch cereal!
This discussion has been archived.
No new comments can be posted.
Google Buys Sound Authentication Firm SlickLogin
|
Log In/Create an Account
| Top
| 1000 moderator points
| 42 comments
| Search Discussion
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(Score: 1) by koreanbabykilla on Monday February 17 2014, @09:21PM
This should make work interesting if it becomes popular.
(Score: 5, Interesting) by siliconwafer on Monday February 17 2014, @09:25PM
I wonder how close to "silent" it really is. What if my PC's volume is maxed? Or muted? What if I use headphones?
(Score: 5, Insightful) by Khyber on Monday February 17 2014, @09:28PM
Even better, what if my speakers don't have the response range to reproduce that frequency?
D'oh!
Destroying Semiconductors With Style Since 2008
(Score: 2) by Angry Jesus on Monday February 17 2014, @11:00PM
Even better, what if my speakers don't have the response range to reproduce that frequency?
Pick a frequency that any consumer grade speaker will be able to reproduce, like something in the human vocal range?
Use more than one frequency?
It's weird how people play dumb when trying to shoot something down, as if their lack of imagination proves that someone else is incompetent.
(Score: 5, Insightful) by KibiByte on Monday February 17 2014, @11:06PM
The problem here is 'nearly silent' which pretty much indicates to me that this would be done around the outside of the typical range of hearing for an adult but is still reproducible by typical consumer-grade hardware. That's roughly a range of 6KHz to play around in, for most adults.
But the problem is making sure nobody else is hearing it, which means low power. Higher frequencies require higher amounts of power to go any truly appreciable distance. Inverse square makes this even worse.
This is similar to the 'audio bug' that was discussed on other sites last month. Just as infeasible now as it was then.
The One True Unit UID
(Score: 3, Informative) by Angry Jesus on Tuesday February 18 2014, @12:38AM
I think you are reading more into "nearly silent" than is there. It could simply refer to volume. After all, part of the description is that the user holds his phone up to the speaker.
(Score: 1) by dmc on Tuesday February 18 2014, @01:19AM
"
I think you are reading more into "nearly silent" than is there. It could simply refer to volume. After all, part of the description is that the user holds his phone up to the speaker.
"
I wanted to mod you informative for RTFA, but I wanted even less to RTFA myself. Until you said this, I too was presuming it was less user-intensive than holding the phone up to a speaker that isn't muted (e.g. due to headphone usage). I of course thought that due to remembering the audio-transmission virus some security research detected that is an attack against non(traditionally)networked systems. (it wasn't actually infection while offline, but reinfection using the audio-networking to get the full virus code back after a ram/disk wipe. I.e. advanced persistent threat hiding in firmware that is just smart enough to be able to fetch the rest of its code from network if available, or even over the air with such inaudible audio if need be)
(Score: 1) by dilbert on Tuesday February 18 2014, @10:26AM
(Score: 1) by dilbert on Tuesday February 18 2014, @10:30AM
http://arstechnica.com/security/2013/10/meet-bad bios-the-mysterious-mac-and-pc-malware-that-jumps- airgaps/
(Score: 5, Informative) by Angry Jesus on Tuesday February 18 2014, @01:45AM
This is similar to the 'audio bug' that was discussed on other sites last month. Just as infeasible now as it was then.
I missed that line when I first responded. You need to read this paper.
http://www.jocm.us/index.php?m=content&c=index&a=s how&catid=124&id=600 [www.jocm.us]
Some scientists at Fraunhofer were able to do exactly what the BadBios guy was claiming - covert acoustical mesh networking using nothing more than off-the-shelf lenovo laptops and well-known software algorithms. Nothing about viral replication, just the acoustic data transmission part.
(Score: 1) by KibiByte on Tuesday February 18 2014, @02:11AM
That's a pretty good read. Sadly, it appears they're using the same models and units. I'd like to see this done across different units with similar results, as one of the original BadBios claims was something that could infect any computer, running any OS.
The One True Unit UID
(Score: 0) by Anonymous Coward on Thursday March 06 2014, @05:08AM
mM7Pgd wine , garcinia cambogia extract [studioxnyc.com], [url=http://studioxnyc.com/]garcinia cambogia extract[/url], http://studioxnyc.com/ [studioxnyc.com] garcinia cambogia extract, 670,
(Score: 1) by Popeidol on Tuesday February 18 2014, @12:39AM
It could handle that with a negotiation phase, like dial-up modems. Initial contact is made at a frequency that all functional speakers and microphones can handle, and it steps up from there until they reach failure (or a predetermined max). Then they drop to the last known good frequency and start the verification.
You could make it pretty fast, and aside from an initial chirp it'd happen as quietly as your equipment allows.
(Score: 5, Insightful) by everdred on Monday February 17 2014, @09:23PM
Or another one nearby?
We don't take no shit from a machine.
(Score: 2, Insightful) by KibiByte on Monday February 17 2014, @09:25PM
That was my exact same thought. But then again, physical presence is always the greatest security threat.
The One True Unit UID
(Score: 1) by efernsler on Monday February 17 2014, @09:26PM
Exactly. One wonders what 'nearby' means to the audio signal. 1'? 5"?
(Score: 5, Insightful) by Nerdfest on Monday February 17 2014, @09:30PM
If I were to do something like this, the server would encrypt a random number with the public key of the client. The client would decrypt, and send it back encrypted with the public key of the server. If the numbers matched, you get authenticated. I'm not a cryptography or authentication expert, but I'm pretty sure that would work without any problem with eavesdropping. I'm really hoping they didn't get a patent on this ...
(Score: 2, Insightful) by everdred on Monday February 17 2014, @09:40PM
Ah, so the phone would have to have been already authenticated; this is just checking to see if the known phone is present?
I imagined the idea behind this tech was to easily pair devices.
We don't take no shit from a machine.
(Score: 2, Funny) by Nerdfest on Monday February 17 2014, @10:07PM
Following a fine tradition, I didn't read TFA, am studying for a beer exam (yes, really), and came up with this in less than 10 seconds. It seems to me to be a great way to do a key exchange based authentication, but it was admittedly a very quick effort that may be flawed.
(Score: 2, Funny) by Gaaark on Monday February 17 2014, @11:46PM
Is that an oral exam?
Me hop(p)ing so! :)
Stout fellow, you! (Now where's that Porter with my beer?)
This Sig for sale... beer IS an acceptable currency (bitBeer?).
(Score: 1) by Qzukk on Monday February 17 2014, @10:35PM
That seems to be the point of it: to authenticate using the proximity of your phone to the computer's speakers. Since the computer and the phone would need to communicate (either directly or indirectly) for the computer to know that the phone had received the signal and OK'd it, I'd expect this to be the second factor in 2FA (so the computer already knows which phone it should expect confirmation from).
Nifty, but it's basically just saving 6 keystrokes for Google Authenticator.
(Score: 2, Informative) by edIII on Tuesday February 18 2014, @06:15PM
That's really no different of an authentication scheme than one that just goes through the Internet. Authentication is performed because the smartphone decrypted a payload to send back. That smartphone still needed to be secured through other means.
What this is really more like is out-of-band key exchange.
Website sends random number in plain-text. Smartphone detects random number. Smartphone applies agreed upon mixing procedure (probably traditional crypto) and sends back through communications medium that is different than website-device being authenticated.
An eavesdropper would need to present in all 3 mediums, as well as the attacker. Website-Internet, Physical Environment, Smartphone-Internet.
Out-of-band is not a new concept either. Google already has a patent on another form of out-of-band key exchange.
(Score: 5, Interesting) by tftp on Monday February 17 2014, @09:26PM
The SlickLogin's web site says nothing about the mechanics. I can imagine that the sound is a random challenge; the phone would decode it, encrypt with personal key, perhaps tied to the unique serial number of the phone, and send it to the site... but what's the point of the audio segment? Wouldn't it be better to, say, display a full screen QR code for the phone to read? How would you even identify the phone reliably, if the attacker can duplicate that number with ease?
I can also think of other issues with this scheme. Without knowing more, I wouldn't be too interested in this company.
(Score: 1) by everdred on Monday February 17 2014, @09:29PM
> but what's the point of the audio segment? Wouldn't it be better to, say, display a full screen QR code for the phone to read?
For mobile devices without cameras? Do those still exist?
We don't take no shit from a machine.
(Score: 1) by regift_of_the_gods on Monday February 17 2014, @09:50PM
Or send a string of five or six base64 characters to the phone screen that the user has to enter into the web site authentication dialog. Yeah, I'm not sure why the audio makes it stronger. Seems to be based on what you have - the phone running the SlickLogin app - with a weak second factor based on positional data.
(Score: 1) by tftp on Monday February 17 2014, @10:50PM
The authentication is *only* based on what you have because no action on your part is required. This is good for the Twitbook generation who cannot be bothered to enter passwords. However this is bad if you leave your phone at the desk and go to the bathroom because anyone can log in as you.
I do not understand why the phone can even be that "something you have" - phones are not unique, and they are not tamper-proof. There are a few serial numbers in each phone, but you can always run the code in a VM (just as it runs on the phone itself) and fake those numbers.
Yet another aspect is that phones have short life. Cellular providers push for a 2-year replacement plan to keep the users under the contract. However it would be impractical to update login information for all your sites, especially if the old phone is gone (and it is, since you move the service onto the new one.) Phones are often lost or damaged. I understand that all the entrepreneurs in the world, like this gang, are dreaming up the new ways of using the phone... but this auth method appears to be overly complicated. Sure, two factor and all that is good for you, but people who know about security will never trust this method, and people who don't want to know about security will use a password that reads as "password." In other words, nothing will change.
(Score: 1) by regift_of_the_gods on Monday February 17 2014, @11:29PM
I assumed the smartphone has a chip with a private key or some other secret that can securely identify itself to service providers when placing or accepting a call. That's what I meant. I don't know the details.
(Score: 1) by tftp on Tuesday February 18 2014, @12:22AM
I assumed the smartphone has a chip with a private key or some other secret that can securely identify itself to service providers when placing or accepting a call
A phone (smart or not) does have such an ID. However, it is not tamper-proof, and it can be simulated. Besides, this ID is only available to the cellular provider; they need it to know what phones to service and what phones to reject. If a Java application on a smartphone opens a TCP connection to a 3rd party server, there will be no such information embedded. You only get the IP address. The HTTP request may contain some headers... but they are only what YOU send; and you can send whatever you want. In other words, your phone can only authenticate to the cellular provider, but not to 3rd parties. This is good because otherwise your phone can be uniquely identified and tracked by every web site in existence.
In order to securely authenticate on application level the phone has to have some TPM hardware [trustedcom...ggroup.org]. I do not think that today's smartphones have TPM despite the obvious interests of TPM vendors. Eventually this may happen.
(Score: 1) by siliconwafer on Monday February 17 2014, @09:33PM
How I would implement it: Computer sends a unique sequence of data at every login attempt as barely audible 60wpm morse code. Have the phone hash it using some salted key that is unique to the phone, and have the phone echo the hash back for matching purposes with whatever is in the database. Oh yeah, and ROT13 for good measure.
But a random sound? That's no fun. I want to pick a custom one, kind of like a ring-tone. And I request this one.
http://www.youtube.com/watch?v=qjPQYdTYmKM [youtube.com]
(Score: 3, Interesting) by Angry Jesus on Monday February 17 2014, @09:41PM
My guess is that they are "fingerprinting" the phone's microphone in order to make it into a unique token. Kind of like the way every camera lens uniquely distorts images so that if you know what the picture should look like you can figure out which camera took the picture by comparing the differences between original and photograph.
(Score: 1) by Nerdfest on Monday February 17 2014, @10:02PM
Probably not reliable enough and wouldn't work for people with multiple devices. Great idea if there's enough identifiable distinction though.
(Score: 4, Informative) by tftp on Monday February 17 2014, @10:04PM
My guess is that they are "fingerprinting" the phone's microphone in order to make it into a unique token.
Impossible for 3 reasons:
(Score: 2, Informative) by Angry Jesus on Monday February 17 2014, @10:55PM
1. Many phones may have the same characteristics of their microphones (they are repeatably made)
Manufacturing tolerances always vary, especially for consumer-grade equipment. The chance that someone trying to crack your account has the same set of variations is going to be small. This isn't the kind of thing that needs to be perfect, it just needs to be good enough, like the iphone's fingerprint sensor.
2. The phone's response is affected by the environment (echo, attenuation, external noises, holsters, bumpers, hands.)
Those are all of a completely different category of variations. Echo? That's time-domain, not even frequency domain.
3. The speakers that emit the sound are part of the deal... and you do not authenticate with them.
Doesn't matter, that's just noise to be filtered out. Sure, if the speakers are really bad, then it will be too noisy to work. But see the first point -- it just has to be good enough, not perfect.
(Score: 2, Informative) by tftp on Tuesday February 18 2014, @01:38AM
Manufacturing tolerances always vary, especially for consumer-grade equipment.
It takes pretty good test equipment (Rohde & Shwartz) and an anechoic chamber to decently characterize a microphone. I made some measurements in such a lab in university. I cannot imagine what can you measure in open air, using random sources that are "barely audible" and in presence of stray signals.
Echo? That's time-domain, not even frequency domain.
Praise Fourier that they are not two interchangeable representations of the same physical process :-) In this case the echo will add another component, with the same frequency and a different phase. These components will add up, changing the amplitude of the resulting response... but since this is frequency-dependent (the delay is a fixed time,) the frequency response gets peaks and valleys. That's how those loudspeakers' enclosures shape the frequency response - by using boundary conditions.
Doesn't matter, that's just noise to be filtered out.
The frequency response of the system is mic(f) * speakers(f). If speakers change, the response changes as well. Since speakers and microphones are horribly nonlinear, harmonic content will be also severely affected by different speakers.
(Score: 1) by Angry Jesus on Tuesday February 18 2014, @02:08AM
It takes pretty good test equipment (Rohde & Shwartz) and an anechoic chamber to decently characterize a microphone.
You are thinking about it completely in reverse - this isn't about minimizing distortion, it is simply about distinguishing between different units. Similar to the way that forensic DNA matching only looks at 10-12 markers when that is a tiny fraction necessary to describe a human.
The frequency response of the system is mic(f) * speakers(f). If speakers change, the response changes as well
That's far too simplistic. Off the top of my head I can think of at least one method that isn't affected so straight-forwardly - measuring harmonic response ratios. Even if the speakers' output levels vary at a specific frequency, the microphone will have its own set of harmonics in relation to the generated tones. The speaker will have its own harmonics too, but all that extra noise won't matter because we are only looking for the harmonic signature of the microphone. I'm sure there are other relationships that could be profiled if someone were to spend more than 30 seconds thinking about it.
(Score: 1) by edIII on Tuesday February 18 2014, @06:19PM
It's a novel form of out-of-band key exchange.
In of itself, it does not seem to be anything special, or tremendously difficult to hack. It just sounds like a really cool idea, and sometimes it really is just the story, or form over function.
However, it does seem that you would need to attack multiple networks simultaneously. That raises the bar somewhat, but nothing that would seem to frustrate the NSA too much. I've bet they seen much harder nuts to crack in the TAO. .... That being said though, how many smartphones suffer from malware and their own dedicated industry providing smartphone malware tools?
(Score: 4, Funny) by internetguy on Monday February 17 2014, @09:42PM
My Voice Is My Passport, Verify Me.
Sig: I must be new here.
(Score: 1) by wjwlsn on Monday February 17 2014, @09:59PM
Loved that movie. Seems quaint now.
I am a traveler of both time and space. Duh.
(Score: 3, Interesting) by combatserver on Monday February 17 2014, @10:02PM
"My Voice Is My Passport, Verify Me."
Now we know why the computer on the Enterprise in Star Trek seemed to pass out information about other crew members like cookies--it was verifying security status of the person talking, not only by a signal from the person's communicator (tech in the article!), but by voice recognition as well, for secondary confirmation.
I am beginning to think that all the wild tech we are seeing in the last 10-15 years was designed decades ago and was "leaked" via Star Trek in an effort to acclimatize us to the lack of privacy said tech would inevitably lead to.
I hope I can change this later...
(Score: 1) by dmc on Tuesday February 18 2014, @01:35AM
"
I am beginning to think that all the wild tech we are seeing in the last 10-15 years was designed decades ago and was "leaked" via Star Trek in an effort to acclimatize us to the lack of privacy said tech would inevitably lead to.
"
I think there have only been about 10 trek episodes that covered that theory. Personally I'm pretty sure The X-Files was authorized by the Clintons as a way to reveal classified truths that the overlords don't feel we are ready to know without wrapping them up in several layers of extended metaphor. I'm from Kansas in the heart of the Bible Belt. I can sympathize with the overlords if for instance 15 years ago clear-cut evidence of (e.g. simple non-sentient) life was detected on mars. People around here couldn't have dealt with that reality 15 years ago. Today, maybe. For instance, I recall clearly personally predicting the existence of life more toward the hot-core of the earth a couple years before scientists were 'shocked' to find it (e.g. the hot vents at the bottom of the ocean). After staring at Conway's game of life enough, I find it extremely hard to believe that wherever there are high amounts of energy (earth's core, sun, surface of mars) that life wouldn't find a way to emerge easily enough. Call me crazy all you want- I'll be amused to look back at this comment in 2 or 3 decades if I'm still alive.
(Score: 1) by Subsentient on Monday February 17 2014, @11:14PM
Google must be stopped. Badly.
(Score: 1) by Cyberdyne on Tuesday February 18 2014, @02:08PM
Stopped badly, or stopped effectively?