You know the security software you’ve created is onto something when Google takes notice and purchases your company.
That’s what happened to SlickLogin, a company from Israel whose software takes the tried and true usernames and passwords and substitutes them with inaudible high-frequency sound waves.
If this “sounds” weird, here’s how the system works. Say you’re ready to log in to your Gmail account, or perhaps sign in to do some banking or shopping. Instead of using a username and password, a website utilizing SlickLogin would play ultrasonic sound through your computer's speakers. The frequencies the system pumps out may be audible to Fido, but our human ears can’t process them. Your smartphone’s mic can pick up the sound, and the SlickLogin app is used to confirm your identity.
The app’s founders are banking on their technology to either replace usernames and passwords altogether or be used as an additional layer of security on top of the username/password combo. The latter is known as two-factor—or two-step—authentication, a security mechanism I discussed here.
On the surface, this innovative new approach to login security sounds damn cool - especially when we’re inundated with news of more companies being hacked, the most recent being Kickstarter this past weekend. As someone who spent a good part of his life immersed in the world of computer security, I love reading about potentially groundbreaking apps like this. But the devil horn-wearing cynic in me weighs down on my shoulder with much more force than the halo-wearing optimist on the other side.
You see, doing the security two-step is a dance that most users aren’t willing to get out of their comfy seats for. With email, shopping, banking, social media, work logins and more, we have far too many passwords to remember as it is. Adding the extra step of using an SMS code or a sound from an app is unfortunately an annoyance to many users. In the CBC report linked above, Anil Somayaji, a computer science professor at Carleton University in Ottawa, sums it up rather simply: “I use these things, and they're annoying,” says Somayaji. “They make it harder to get access to your information.”
Back in 2001, I lived, ate and breathed security as I was studying intensely for the six-hour CISSP (Certified Information Systems Security Professional) exam. What stood out then, and what still holds even more true today, is that people are the weakest link in the security chain. We want access to what we want and we want it now. Adding another step to any login is considered cumbersome; it’s like having to put on a condom when you know your girlfriend or wife is already on the pill.
Over the last week I conducted a very informal poll and asked friends if they used any form of two-factor authentication for any of their logins. The results? Only 1 out of 10 has that extra layer of protection, even though Twitter, Google, Facebook and Microsoft offer that additional security.
As for online banking, most institutions in Canada use a form of security questions and answers (which most users just skip). For further reading on this, The Globe And Mail has an informative report.
Will the security world ever catch up and create that holy trinity of ease-of-use, convenience and impenetrable systems? As a newly minted security professional 13 years ago, I was hopeful that by the year 2014 the good guys would be ahead of the game. But the security world hasn’t adapted enough. Hackers are winning, and it’s not even a fair fight. As we become more reliant on the cloud, we’ve got to be a lot more proactive about our data.
It’s only going to get worse.
Still, there are good companies out there like SlickLogin that are fighting the fight and doing what they can to make the online world a safer place. It’s progress, and at least we have that to go on.