Accurate-enough (sub-second in my case) timing of events + physical proximity (both your browser and the app ask for your location) = a near guarantee that your browser session + your phone is a unique pair. It also asks for confirmation on both the phone and browser to pair the first time.
There's no real chance of this being man-in-the-middled since you have to confirm on both devices. And they're being intelligent about it - I just tried it with two laptops at once, and you get "someone's device" instead of the name of your iThing, and your iThing says "please try again" like this: http://cl.ly/1O33430M0i2c0i2T0z2U
Once you've approved, they have a browser + app pair of cookies for future pairings (not really exploitable, as it runs over https), which strengthens the single-pair guarantee to the point where it's about as good as it gets in any security model.
Groxx|14 years ago
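To make the matching logic described in the comment above concrete, here is an added illustration (not code from the original thread or from the service being discussed) of how a server might pair a browser and a phone from two "pair now" requests: the two requests must arrive within a small time window of each other, report locations within a short distance, be of opposite kinds (browser vs. phone), and the pairing is only created after both sides confirm. The thresholds, the field names and the sample requests are all constructed assumptions; the post only says "sub-second" and "physical proximity". The example also reproduces the behaviour Groxx observed with two laptops: when more than one candidate fits, the server refuses to pick one and reports the match as ambiguous instead of guessing.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class PairRequest:
    """One 'pair' button press as seen by the server (hypothetical schema)."""
    device_id: str
    kind: str     # "browser" or "phone"
    t: float      # epoch seconds at which the button was pressed
    lat: float    # reported location, decimal degrees
    lon: float


# Assumed thresholds; the original post gives only "sub-second" and "proximity".
MAX_SKEW_S = 1.0
MAX_DISTANCE_M = 250.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points."""
    r = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def candidates(req, pool):
    """Requests in the pool that could be the other half of `req`."""
    return [
        p for p in pool
        if p.kind != req.kind
        and p.device_id != req.device_id
        and abs(p.t - req.t) <= MAX_SKEW_S
        and haversine_m(req.lat, req.lon, p.lat, p.lon) <= MAX_DISTANCE_M
    ]


def match(req, pool):
    """Return ('paired', peer), ('ambiguous', None) or ('none', None).

    More than one plausible peer means the server must not guess: that is
    the "someone's device" / "please try again" case from the thread.
    """
    found = candidates(req, pool)
    if len(found) == 1:
        return "paired", found[0]
    if len(found) > 1:
        return "ambiguous", None
    return "none", None


def complete_pairing(browser, phone, browser_confirms, phone_confirms):
    """Mutual confirmation: the pair exists only if both devices approve."""
    if browser.kind != "browser" or phone.kind != "phone":
        raise ValueError("complete_pairing expects one browser and one phone")
    if not (browser_confirms and phone_confirms):
        return None
    return (browser.device_id, phone.device_id)


# Constructed sample requests: two laptops and one phone in the same room,
# one phone across the bay, and one browser pressing the button too late.
LAPTOP_A = PairRequest("laptop-a", "browser", 100.0, 37.7749, -122.4194)
LAPTOP_B = PairRequest("laptop-b", "browser", 100.2, 37.7749, -122.4194)
PHONE = PairRequest("phone-1", "phone", 100.3, 37.7750, -122.4194)
FAR_PHONE = PairRequest("phone-2", "phone", 100.3, 37.8044, -122.2712)
LATE_LAPTOP = PairRequest("laptop-c", "browser", 102.5, 37.7749, -122.4194)


def demo():
    """Run the scenarios from the thread and return their outcomes."""
    one_laptop = [LAPTOP_A, PHONE, FAR_PHONE, LATE_LAPTOP]
    two_laptops = [LAPTOP_A, LAPTOP_B, PHONE]
    status, peer = match(PHONE, one_laptop)
    return {
        "single_laptop": (status, peer.device_id if peer else None),
        "two_laptops": match(PHONE, two_laptops)[0],
        "far_phone": match(FAR_PHONE, one_laptop)[0],
        "late_laptop": match(LATE_LAPTOP, one_laptop)[0],
        "both_confirm": complete_pairing(LAPTOP_A, PHONE, True, True),
        "phone_declines": complete_pairing(LAPTOP_A, PHONE, True, False),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The matching step only narrows the candidate set; it is the mutual confirmation in `complete_pairing` that actually binds the two devices, and `match` deliberately returns `"ambiguous"` rather than picking the closest candidate when two fit.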
stcredzero|14 years ago
I'll need more convincing.
Once you've approved, they have a browser + app pair of cookies
Exactly what's keeping the cookie on the browser and the phone from being copied?
You must be leaving out some details. This doesn't strike me as "good as it gets."
Ave|14 years ago
I don't know whether it's a good idea or not, but it's certainly a unique concept.