I think this solves the problem with 2-factor authentication really well. I use 2-factor auth on my Google and Dropbox accounts but it's really frustrating that I have to use the second factor (my phone) and think about another layer of authentication. This means that as long as the second factor is nearby I can login, making it as secure as 2 factor auth but usable as regular username and password authentication. Big kudos to the whole team.
Umm... Doesn't this add an EXTRA step for login? Why do "users love it" then?
I assume the "seamless" part you mention here means that no extra window etc etc... except that after i click login, it's now going to wait for me to pull out my cellphone? What if it isn't around? What if i lose it or I am out of battery?
I mean from a geek's point of view, sure it's pretty darn cool (ps: I am a geek too!) But from a general user perspective, is it really that much more useful?
The problem is that I can take my gf / friend's phone during dinner put it next to my tablet and check their bank account. What are your thoughts on that?
I personally think just QR codes are equally easy. Like random number from server -> computer -> phone -> server which would be same as two factor authentication but in opposite direction.
No, that wouldn't work. The server wouldn't know if the random number they got back really came from the correct phone or was spoofed. The only thing the servwr can control is where it sends the code to - so the best security is sending it to a different device from the one the attacker might be using, the computer.
but two-factor authentication doesn't explain how the actual authentication happens... it's just that there is more than one method in place. being able to peer review the security algorithm/how it's implemented is definitely important.
Exactly. There is plenty of prior art. There is similar things that can be used for 2 factor, etc. I'm not going to Google them all for you but there is a ton of prior art that does the same thing.
I've already got something similar to act as a second factor to allow me to login to my work and home desktop machines...ya. I [and alot of other people] would need to do everything we can to make sure your patent is invalidated to prevent you from trying to sue us for something we've been doing since before you existed.
The latter is a valid question. MailChimp had a post about a year ago [1] where they found that social logins had some negative components. Specifically, that they overall had a lower login rate than the standard username/password. This isn't quite the same, but it IS extra effort for legitimate users to log in.
Also, every new login method requires user training. What does the user education process look like if you had to train and support them on (up to) seven different authentication methods? If a user gets used to one of them (say, proximity), how smoothly can you keep them educated that if they are in the subway, GPS won't work, so they need to try /method X/, then /method Y/, etc. That may be worth the effort to some services where security is absolutely paramount; hopefully anyone using this service builds in some heavy analytics to find out!
You guys are looking at this from a consumer stand point, which I don't think the company is targeting.
The military uses two factor authentication (you need to insert your ID and know your username/password) as well as some corporate consultants. This bypasses the need to create coded ID cards and purchase card readers.
I think people are looking at this from a security standpoint. If it can't be audited by the public, (because it's "proprietary" and presumably closed source) it can't be presumed safe.
This seems like a good idea, but I agree with other comments that undisclosed "proprietary" methods ring some alarm bells. Perhaps they're really talking about the web client <-> personal device connection they've developed, and they're simply layering a standard protocol over the top of that. (If so, just tell us! The secrecy doesn't actually improve your marketing.)
I'm curious as to what form that "local" connection would take. I don't think it's a problem to require an installed app on the personal device, but what are they doing on the web client? Does this require a browser extension to broadcast to/receive from the personal device? Maybe even a driver of some sort? That could make this less convenient than it seems. Sure you can always use the browser on your phone, but then this becomes a lot of rigmarole that reproduces the capabilities of client-side certificates. (Not saying THOSE are easy to use, but that technology already exists.)
My initial thought is this is working via the microphone/speakers on the computer and phone. My second thought is if you don't need to unlock the phone and activate anything I bet this absolutely kills your battery life.
I'd bet the proprietary technology is that the phone constantly emits some tone outside the normal range of human hearing (probably with some time varying value encoded in the frequency of the tone) which the mic on the computer listens for. Once the computer picks up the tone, it decodes the time varying value from the tone and from there proceeds like any other TFA login system.
There's also a question of what happens in a busy setting like say an office environment when multiple people are using this system and say two people attempt to login to a site secured with this at the same time.
> SlickLogin verifies that your smartphone is in proximity to your device using our proprietary technology, no further interaction required. You don't even need to unlock your phone - it's that easy.
I would certainly love this more than typing OTP codes, but what's the recovery method for when I lose my phone? How do you solve the chicken-and-egg of getting users to install and configure the app in the first place?
Maybe this is meant for corporate intranets more than end-users?
"Up to 7 different methods are used to verify the phone's proximity to the computer. These include GPS, WiFi, Bluetooth, NFC, QR codes, and our unique technology, based on audio signals."
How does this work when I need to log in to a new computer and my phone has no internet? As far as I can tell, that would render all of the given methods useless. You're going to need more specifics if you want to convince people that this is both secure and convenient - otherwise we're going to stick with TOTP.
43 comments
[ 3.7 ms ] story [ 106 ms ] threadI assume the "seamless" part you mention here means that no extra window etc etc... except that after i click login, it's now going to wait for me to pull out my cellphone? What if it isn't around? What if i lose it or I am out of battery?
I mean from a geek's point of view, sure it's pretty darn cool (ps: I am a geek too!) But from a general user perspective, is it really that much more useful?
The problem is that I can take my gf / friend's phone during dinner put it next to my tablet and check their bank account. What are your thoughts on that?
Security is a hard problem and one that benefits from having a lot of people try to tear it apart.
Ok. How do I get out of this site?
what? don't.
I've already got something similar to act as a second factor to allow me to login to my work and home desktop machines...ya. I [and alot of other people] would need to do everything we can to make sure your patent is invalidated to prevent you from trying to sue us for something we've been doing since before you existed.
I'm not a lawyer and this is not legal advice. ;)
e.g. http://ubuntuforums.org/showthread.php?t=702372
Seamless Login which users will love.
or:
Seamless Login: which users will love it?
Any MOD here who can edit the grammar of the title ?
Also, every new login method requires user training. What does the user education process look like if you had to train and support them on (up to) seven different authentication methods? If a user gets used to one of them (say, proximity), how smoothly can you keep them educated that if they are in the subway, GPS won't work, so they need to try /method X/, then /method Y/, etc. That may be worth the effort to some services where security is absolutely paramount; hopefully anyone using this service builds in some heavy analytics to find out!
[1] http://blog.mailchimp.com/social-login-buttons-arent-worth-i...
The military uses two factor authentication (you need to insert your ID and know your username/password) as well as some corporate consultants. This bypasses the need to create coded ID cards and purchase card readers.
There is potential but still a few issues.
I'm curious as to what form that "local" connection would take. I don't think it's a problem to require an installed app on the personal device, but what are they doing on the web client? Does this require a browser extension to broadcast to/receive from the personal device? Maybe even a driver of some sort? That could make this less convenient than it seems. Sure you can always use the browser on your phone, but then this becomes a lot of rigmarole that reproduces the capabilities of client-side certificates. (Not saying THOSE are easy to use, but that technology already exists.)
As many comment, this is a pretty vague proposal.
I'd bet the proprietary technology is that the phone constantly emits some tone outside the normal range of human hearing (probably with some time varying value encoded in the frequency of the tone) which the mic on the computer listens for. Once the computer picks up the tone, it decodes the time varying value from the tone and from there proceeds like any other TFA login system.
There's also a question of what happens in a busy setting like say an office environment when multiple people are using this system and say two people attempt to login to a site secured with this at the same time.
That is horrifying.
Maybe this is meant for corporate intranets more than end-users?