
Topic: [ANN] Clef is secure two-factor authentication with no passwords or tokens - page 4. (Read 15240 times)

legendary
Activity: 1484
Merit: 1004
Just a question: is Waltz the only system to use Clef? Just wondering.
I guess Clef created Waltz too?
legendary
Activity: 1722
Merit: 1000

Bitcoin news site, Bitcoins in New York City now supports Clef login!
Check it out: http://bitcoinsin.nyc/



Nice to see Clef getting integrated in more and more Crypto related sites and tools. Way to go!
newbie
Activity: 54
Merit: 0
http://i.imgur.com/Co1SqPO.png

Bitcoin news site, Bitcoins in New York City now supports Clef login!
Check it out: http://bitcoinsin.nyc/


newbie
Activity: 54
Merit: 0
Could you check with Koinify? I can't connect with Waltz and Koinify.

Thanks

We suggest checking with Koinify first at [email protected].
legendary
Activity: 1484
Merit: 1004
Could you check with Koinify? I can't connect with Waltz and Koinify.

Thanks
newbie
Activity: 54
Merit: 0
Great Job Clef Team! It's working perfectly!

We are happy to be of help. Thanks for the feedback.
legendary
Activity: 1484
Merit: 1004
Great Job Clef Team! It's working perfectly!
sr. member
Activity: 251
Merit: 250
We are glad to be able to help improve security on Koinify.com.
Best wishes to both the Koinify and Factom teams with their ongoing Software Sale!

We thank you for making the login process on Koinify easier and for the support!
newbie
Activity: 54
Merit: 0
We are glad to be able to help improve security on Koinify.com.
Best wishes to both the Koinify and Factom teams with their ongoing Software Sale!


http://i.imgur.com/CKfrQHf.png

As featured on Bitcoinist.net
http://i.imgur.com/7hFexCS.png

Looks like there's some good connections being made. Looking forward to more!

Make sure you listen in the coming weeks for more great announcements
legendary
Activity: 927
Merit: 1000
We are glad to be able to help improve security on Koinify.com.
Best wishes to both the Koinify and Factom teams with their ongoing Software Sale!




As featured on Bitcoinist.net

Looks like there's some good connections being made. Looking forward to more!
newbie
Activity: 54
Merit: 0
We are glad to be able to help improve security on Koinify.com.
Best wishes to both the Koinify and Factom teams with their ongoing Software Sale!


http://i.imgur.com/CKfrQHf.png

As featured on Bitcoinist.net
http://i.imgur.com/7hFexCS.png
newbie
Activity: 54
Merit: 0
I did a little op-ed on Clef, I hope you enjoy it

http://bitsofnews.net/more-than-just-an-authenticator/

We appreciate the support bassguitarman, good read!

Are you planning to use or have been using Clef?
legendary
Activity: 927
Merit: 1000
I did a little op-ed on Clef, I hope you enjoy it

http://bitsofnews.net/more-than-just-an-authenticator/

Nice article bassguitarman! Nothing like an outside review of a service. Cheers for that.
hero member
Activity: 728
Merit: 500
hero member
Activity: 692
Merit: 569

This is a very good question that I also have. Your online documentation only talks about public key cryptography and says nothing about where the private keys are stored and their security. I guess the phone is generating a signature using the private key.

Can you put more detail on how this is secure:
  • How is the private key sandboxed? Since the phone is connected to the internet, this is a concern for me. Other hardware devices like Trezor or bank 2FA h/w devices are not connected to the internet, so it feels safer to me.
  • Also, I want to know how you are getting enough entropy for the private key. Is the implementation safe? (We had the same problem with other websites.) Can you open source this part?

Good questions

The private keys are generated and stored on the phone -- on iOS we get to use hardware encryption and on Android we use PIN-based encryption (though we're considering using something like Rivetz here).

We use the standard system libraries for both platforms to generate the keys which offer plenty of entropy for this kind of usage (http://android-developers.blogspot.de/2013/08/some-securerandom-thoughts.html -- the SecureRandom patch of course happening after August 2013).

As for being Internet connected -- when we talk about theoretical security, an Internet-connected phone will never provide the same level of protection as a dedicated offline device. That said, dedicated devices as they exist today are all seed-based (and so must have a server counterpart that stores the exact same seed and which IS Internet connected as well as centralized). A key based, dedicated offline device is definitely possible, but the infeasibility of distributing them along with the increased burden of training people how to use them make them pretty farfetched for a broad audience.

Great. Good to know you guys have put enough thought into the security. Thumbs up for Clef
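An added example (not from the thread and not Clef's code) of the seed-based versus key-based distinction made in the reply above: with an RFC 4226 HOTP seed the server has to hold the same secret as the device, while with a signature scheme it holds only a public key. Ed25519 and the type names `SeedServer` and `KeyServer` are assumptions chosen for illustration; the thread does not say which algorithm Clef uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// hotp computes an RFC 4226 one-time code from a shared seed and a counter.
// The device and the server both run this same function on the same seed.
func hotp(seed []byte, counter uint64) uint32 {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, counter)
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg)
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation offset
	return (binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff) % 1000000
}

// SeedServer (hypothetical) must store the secret seed itself to verify a code.
type SeedServer struct{ seed []byte }

func (s SeedServer) Verify(counter uint64, code uint32) bool {
	return hotp(s.seed, counter) == code
}

// KeyServer (hypothetical) stores only the public key; the private key stays on the device.
type KeyServer struct{ pub ed25519.PublicKey }

func (s KeyServer) Verify(challenge, sig []byte) bool {
	return ed25519.Verify(s.pub, challenge, sig)
}

func main() {
	seed := []byte("12345678901234567890") // constructed sample: the RFC 4226 test seed
	fmt.Println("seed-based verify:", SeedServer{seed}.Verify(0, hotp(seed, 0)))
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand; runs on the device
	if err != nil {
		panic(err)
	}
	ch := make([]byte, 32) // fresh server challenge for the device to sign
	if _, err := rand.Read(ch); err != nil {
		panic(err)
	}
	fmt.Println("key-based verify:", KeyServer{pub}.Verify(ch, ed25519.Sign(priv, ch)))
}
```

The record a `SeedServer` keeps is enough to compute every future code, which is why that store needs the same protection as the device; the record a `KeyServer` keeps can only check signatures.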
hero member
Activity: 623
Merit: 500
CTO, Ledger
That said, dedicated devices as they exist today are all seed-based (and so must have a server counterpart that stores the exact same seed and which IS Internet connected as well as centralized).

Do you know FIDO? Devices are already available, cheap, extremely simple to use, and based on open standards.
newbie
Activity: 4
Merit: 0

This is a very good question that I also have. Your online documentation only talks about public key cryptography and says nothing about where the private keys are stored and their security. I guess the phone is generating a signature using the private key.

Can you put more detail on how this is secure:
  • How is the private key sandboxed? Since the phone is connected to the internet, this is a concern for me. Other hardware devices like Trezor or bank 2FA h/w devices are not connected to the internet, so it feels safer to me.
  • Also, I want to know how you are getting enough entropy for the private key. Is the implementation safe? (We had the same problem with other websites.) Can you open source this part?

Good questions

The private keys are generated and stored on the phone -- on iOS we get to use hardware encryption and on Android we use PIN-based encryption (though we're considering using something like Rivetz here).

We use the standard system libraries for both platforms to generate the keys which offer plenty of entropy for this kind of usage (http://android-developers.blogspot.de/2013/08/some-securerandom-thoughts.html -- the SecureRandom patch of course happening after August 2013).

As for being Internet connected -- when we talk about theoretical security, an Internet-connected phone will never provide the same level of protection as a dedicated offline device. That said, dedicated devices as they exist today are all seed-based (and so must have a server counterpart that stores the exact same seed and which IS Internet connected as well as centralized). A key based, dedicated offline device is definitely possible, but the infeasibility of distributing them along with the increased burden of training people how to use them make them pretty farfetched for a broad audience.
full member
Activity: 152
Merit: 100
Started using Clef and noticed that the app logs me out of everything when I'm asleep - it's a good feature and yea I know I should log out of everything when I leave the site but apparently I forget.

legendary
Activity: 927
Merit: 1000
Decentral Talk Live Ep #67: Brennen Byrne of Clef

Clef's CEO interviewed by Decentral.TV Talk Live during the 2015 Texas Bitcoin Conference.



Nice vid, it's good to see the faces behind Clef.
hero member
Activity: 560
Merit: 500
I think the project is pretty cool. What I like is a function to backup your data. For example if I would lose my phone with Google Authenticator, I could never access my funds on an online wallet like blockchain.info again...