Analysis

Google's SlickLogin: sounds like a good way to protect your password

Google's acquisition of the Israeli start-up SlickLogin on the weekend shows the giant search engine is serious about helping protect usernames and passwords. But these two-stage verification systems are not always user-convenient, Dan Misener reports.

Still, two-step authentication not always the most user friendly

This past weekend, a small Israeli start-up called SlickLogin announced that it had been acquired by Google.

SlickLogin's technology replaces traditional usernames and passwords with high-frequency sound waves, inaudible to the human ear.

For example, let's say you want to log into your bank's website, or your webmail account, or an online store. Rather than prompt you for a username and password, a SlickLogin-enabled website would play ultrasonic sound through your computer's speakers.

The system uses frequencies that are too high for humans to hear, but are still detectable by a smartphone microphone. Paired with a smartphone app, the two work together to confirm your identity.

SlickLogin's founders say their technology could be used to replace usernames and passwords.

Or, it could be used as an extra layer of security on top of a username and password. This is what's known as two-factor — or two-step — authentication, an approach computer security researchers say is increasingly important.

"Usernames and passwords are being compromised left, right, and centre," explains Anil Somayaji, a computer science professor at Carleton University in Ottawa.

Two-step authentication offers improved security, but it comes at a cost: convenience.

"I use these things, and they're annoying," says Somayaji. "They make it harder to get access to your information."

Security versus usability

Giant web companies like Google, Facebook and Twitter already offer two-factor authentication. (The website Lifehacker has a good roundup.)

Google CEO Larry Page is shown here about to enter a secure federal building in San Francisco. If he wanted to enter a secure website, he could use his smartphone to initiate a two-step authentication, like the SlickLogin system he bought on the weekend. (Associated Press)

Google's existing two-step system requires users to download and install a smartphone app that generates time-limited six-digit codes. It may be more secure than a simple username and password, but it's clunky.

SlickLogin's audio-based technology, meanwhile, aims to crack the usability nut by offering users a way to log in that's both secure and easy to use.

According to Somayaji, the SlickLogin acquisition is all about getting users to trust Google as a safe place to store their email, contacts, documents and photos.

"If you want people to put everything that they have into a remote system, if you lose access to that system in any way, you're in big trouble.

"And part of that is making sure that no one steals access to it. So this is all about them maintaining trust in their solutions."

Barriers to adoption

But if stronger security tools exist, why don't more of us use them?

A big reason has to do with user experience. Quite simply, people won't use two-factor authentication if the tools are difficult to use and if the payoff isn't obvious.

Another factor is what Somayaji calls "inertia." Most of us have been using usernames and passwords for a very long time. We're used to them, and we understand how they work.

"People know what to expect with usernames and passwords," he says. "Anything you do, even if it's easy to use, is different. And that's a barrier."

Beyond users, there is also inertia among developers, the people who build computer systems.

Programmers already know how to design username and password systems. It's the status quo. "When you start introducing these other solutions, they go, 'Uh, what do I do?'" Somayaji says.

Finally, there's the issue of standardization.

SlickLogin is just one example of an alternative login system. But there are many more. There's a lot of experimentation going on, and a single agreed-upon standard hasn't emerged.

"We're going to have to come up with one, or a couple of ways of doing this that people know, and are familiar with, and have wide adoption," Somayaji argues.

"Once that happens, people will know how to use these systems, and will know what to expect.

"But that's going to require the big players really pushing something like this. And they'll run some risks if they push it because they could potentially alienate their users."

Somayaji believes that security and ease of use don't have to be a trade-off. Ideally, he says, increased security shouldn't require much (or any) extra work for the user.

"It should just disappear into the background so that users don't have to change their behaviour."

About the Author

Dan Misener

CBC Radio technology columnist

Dan Misener is a technology journalist for CBC radio and CBCNews.ca. Find him on Twitter @misener.
