This past weekend, a small Israeli start-up called SlickLogin announced that it had been acquired by Google.
SlickLogin's technology replaces traditional usernames and passwords with high-frequency sound waves, inaudible to the human ear.
For example, let's say you want to log into your bank's website, or your webmail account, or an online store. Rather than prompt you for a username and password, a SlickLogin-enabled website would play ultrasonic sound through your computer's speakers.
The system uses frequencies that are too high for humans to hear, but are still detectable by a smartphone microphone. Paired with a smartphone app, the two work together to confirm your identity.
SlickLogin's founders say their technology could be used to replace usernames and passwords.
Or, it could be used as an extra layer of security on top of a username and password. This is what's known as two-factor — or two-step — authentication, an approach computer security researchers say is increasingly important.
"Usernames and passwords are being compromised left, right, and centre," explains Anil Somayaji, a computer science professor at Carleton University in Ottawa.
Two-step authentication offers improved security, but it comes at a cost: convenience.
"I use these things, and they're annoying," says Somayaji. "They make it harder to get access to your information."
Security versus usability
Google's existing two-step system requires users to download and install a smartphone app that generates time-limited six-digit codes. It may be more secure than a simple username and password, but it's clunky.
SlickLogin's audio-based technology, meanwhile, aims to crack the usability nut by offering users a way to log in that's both secure and easy to use.
According to Somayaji, the SlickLogin acquisition is all about getting users to trust Google as a safe place to store their email, contacts, documents and photos.
"If you want people to put everything that they have into a remote system, if you lose access to that system in any way, you're in big trouble.
"And part of that is making sure that no one steals access to it. So this is all about them maintaining trust in their solutions."
Barriers to adoption
But if stronger security tools exist, why don't more of us use them?
A big reason has to do with user experience. Quite simply, people won't use two-factor authentication if the tools are difficult to use and if the payoff isn't obvious.
Another factor is what Somayaji calls "inertia." Most of us have been using usernames and passwords for a very long time. We're used to them, and we understand how they work.
"People know what to expect with usernames and passwords," he says. "Anything you do, even if it's easy to use, is different. And that's a barrier."
Beyond users, there is also inertia among developers, the people who build computer systems.
Programmers already know how to design username and password systems. It's the status quo. "When you start introducing these other solutions, they go, 'Uh, what do I do?'" Somayaji says.
Finally, there's the issue of standardization.
SlickLogin is just one example of an alternative login system. But there are many more. There's a lot of experimentation going on, and a single agreed-upon standard hasn't emerged.
"We're going to have to come up with one, or a couple of ways of doing this that people know, and are familiar with, and have wide adoption," Somayaji argues.
"Once that happens, people will know how to use these systems, and will know what to expect.
"But that's going to require the big players really pushing something like this. And they'll run some risks if they push it because they could potentially alienate their users."
Somayaji believes that security and ease of use doesn't have to be a trade-off. Ideally, he says, increased security shouldn't require much (or any) extra work for the user.
"It should just disappear into the background so that users don't have to change their behaviour."