The password needs to die, and SlickLogin is trying to help kill it.
Launching into closed beta in the Disrupt SF 2013 Battlefield today, SlickLogin lets you log into a website on your computer by holding your phone within a few inches of it.
Here’s the idea: as a user, you’d go to whatever SlickLogin-enabled site you’d like to log in to. Tap the login button, hold your phone up close to the laptop, and you’re in. SlickLogin can be used either as a secondary verification layer on top of your existing credentials (think RSA keys or an SMS-based two-factor system, without having to type any codes) or, if the service provider chooses, it can forgo username/password entry altogether.
So, how does it work?
SlickLogin can use a bunch of protocols to start verifying your phone’s position: WiFi, Bluetooth, NFC, visual markers like QR codes, and of course, GPS. Their self-dubbed “secret sauce”, though, is their use of uniquely generated sounds intentionally made inaudible to the human ear. Your computer plays the sound through its speakers, while an app on your smartphone uses the device’s built-in microphone to pick up the audio.
Once the app has processed the sound and confirmed that it’s you (or at least, someone with your phone) standing in front of your computer, it signals the server to let you log in. SlickLogin doesn’t require your company to build a whole new mobile app; instead, you just add 5 lines of code to your existing app.
This isn’t the first time we’ve seen high-frequency sound used to transfer data, of course. The as-yet unlaunched payments service Clinkle is said to use high-frequency sounds to let users send money to others nearby. SonicNotify is using the concept to let TV advertisers and retail stores send content to handsets. Chirp is trying to build an entire file transfer protocol based on the idea. It is, however, the first time I’ve seen it used for logins and two-factor authentication.
My immediate concern with this was one I’d imagine most users would have: how secure is it?
I spoke with SlickLogin’s founders for quite a while about security, and it seems like they have their bases covered (or, at least, the various bases I could think of without a heavy security background) — which makes sense, given that all three of the founders are graduates of the Israel Defense Forces unit that specializes in security.
Everything is very heavily encrypted, so man-in-the-middle attacks are out. You can’t record the audio signal and just play it back later, as the audio is uniquely tied to that moment. You can’t just hold your phone up to someone else’s audio signal (or grab it from across the room with a directional mic) in hopes of getting logged in to their account before they do; your phone wouldn’t have their login credentials stored on it, and that crucial bit isn’t wrapped into the sound. If anything, you’d just log them into your own account.
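The properties the founders describe (a signal tied to one moment, no credentials carried in the sound, and a stranger's phone only ever logging a laptop into the stranger's own account) are exactly what a server-issued challenge-response design gives you. SlickLogin has not published its protocol, so the following is an added illustration of that generic design, not SlickLogin's code: the server hands the browser a one-time nonce (the part that would be encoded into the inaudible tone), the phone answers with an HMAC under a key it was given at enrollment, and the server checks freshness, single use and the tag before deciding which account the browser session gets. The class, function and device names are all hypothetical.

```python
import hashlib
import hmac
import os

# Seconds a challenge stays redeemable (constructed value for the example).
CHALLENGE_TTL = 30


class AuthServer:
    """Server side of a hypothetical proximity-login flow (added example)."""

    def __init__(self):
        self.device_keys = {}   # device_id -> (account, shared key), set at enrollment
        self.pending = {}       # nonce -> (issued_at, browser_session)
        self.used = set()       # nonces already redeemed: blocks replay of a recording

    def enroll(self, device_id, account):
        """Bind a phone to an account and give it a fresh secret key."""
        key = os.urandom(32)
        self.device_keys[device_id] = (account, key)
        return key

    def issue_challenge(self, browser_session, now):
        """Create the one-time payload the browser would encode into the tone.

        The payload is only a random nonce: it identifies the login attempt,
        it carries no credential, and it is worthless once redeemed or expired.
        """
        nonce = os.urandom(16).hex()
        self.pending[nonce] = (now, browser_session)
        return nonce

    def redeem(self, device_id, nonce, tag, now):
        """Return (browser_session, account) on success, or None on rejection."""
        if nonce in self.used:
            return None                      # a recorded response replayed later
        entry = self.pending.get(nonce)
        if entry is None:
            return None                      # unknown or already-expired challenge
        issued_at, browser_session = entry
        if now - issued_at > CHALLENGE_TTL:
            del self.pending[nonce]
            return None                      # challenge is stale
        enrolled = self.device_keys.get(device_id)
        if enrolled is None:
            return None                      # phone was never enrolled
        account, key = enrolled
        expected = hmac.new(key, f"{nonce}|{device_id}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None                      # response not produced with the enrolled key
        self.used.add(nonce)
        del self.pending[nonce]
        # The account is determined by the responding phone, never by the tone.
        return browser_session, account


def phone_respond(device_id, key, nonce):
    """Phone side: answer the nonce it heard with an HMAC under its enrolled key."""
    tag = hmac.new(key, f"{nonce}|{device_id}".encode(), hashlib.sha256).hexdigest()
    return device_id, nonce, tag


def run_demo():
    """Walk through the cases the article raises and collect the server's decisions."""
    server = AuthServer()
    key_a = server.enroll("phone-A", "alice")
    key_b = server.enroll("phone-B", "bob")
    t0 = 1_000_000.0
    results = {}

    # 1. Alice's laptop plays a challenge; her own phone answers it.
    nonce1 = server.issue_challenge("laptop-1", now=t0)
    resp1 = phone_respond("phone-A", key_a, nonce1)
    results["alice_login"] = server.redeem(*resp1, now=t0 + 2)

    # 2. The same response presented again is a replay and is refused.
    results["replay"] = server.redeem(*resp1, now=t0 + 5)

    # 3. Bob's phone picks up the tone from Alice's laptop: because the tone
    #    carries no credential, the most it can do is log laptop-1 into Bob's account.
    nonce2 = server.issue_challenge("laptop-1", now=t0 + 10)
    resp2 = phone_respond("phone-B", key_b, nonce2)
    results["eavesdrop"] = server.redeem(*resp2, now=t0 + 12)

    # 4. A correct response that arrives after the TTL is refused.
    nonce3 = server.issue_challenge("laptop-1", now=t0 + 20)
    resp3 = phone_respond("phone-A", key_a, nonce3)
    results["expired"] = server.redeem(*resp3, now=t0 + 20 + CHALLENGE_TTL + 1)

    # 5. A response computed without the enrolled key fails the tag check.
    nonce4 = server.issue_challenge("laptop-1", now=t0 + 60)
    resp4 = phone_respond("phone-A", b"not-the-enrolled-key", nonce4)
    results["forged"] = server.redeem(*resp4, now=t0 + 61)
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case}: {outcome}")
```

The single-use set and the TTL are what make "uniquely tied to that moment" concrete; the account coming from the enrolled device key rather than from the tone is what makes the eavesdropping case harmless. A real deployment would also need the phone-to-server channel authenticated (for example TLS with pinning) and an enrollment step that proves possession of the phone, neither of which the article details.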
And if someone steals your phone?
“If they can get into your phone, they have access to your accounts already,” the founders responded.
Curiously, SlickLogin does let service providers choose to allow users to log in without actually unlocking their phones, which seems a bit risky. SlickLogin says they want services to be able to set their security standards as they see fit.
SlickLogin says they’re working on a proof of concept implementation with a “major international bank” (though they didn’t specify which).
The service is rolling into a closed beta later today; if you’re interested in experimenting with it on your site, you can find the sign-up box at the bottom of this page.
We’ll have a video of their on-stage demo/presentation up shortly.
Question & Answer From Disrupt Judges
I use two-factor authentication. What would be the main competitor to switch all of us over to SlickLogin?
The seamlessness for the user. We’re also more cost effective, because we don’t require any new hardware.
What’s generating the signal?
So if I have my laptop muted it won’t work?
We’ll detect that we can’t hear anything and ask you to turn your speakers up.
Does the signal change with each login?
It’s a different key. Completely different.
Does my phone need to be connected to the Internet?
Right now, yes. But we’ve got a patent pending for a method that works without it.
How do you turn this into a company? So that it’s more than just a cool feature?
We will work with large enterprises to provide security for their users and their employees.