Topic: [ANN] Clef is secure two-factor authentication with no passwords or tokens - page 5. (Read 15215 times)

This is very good question that I am also having. Your online documentation only talks about public key cryptography and says nothing about where the private keys are stored and their security. I guess the phone is generating a signature using the private key.

Can you put more detail on how this is secure:

• How is the private key sandboxed? Since the phone is connected to internet , this is a concern for me. Other hardware devices like trezor or bank 2fa h/w devices  are not connected to internet , so it feels safer to me
• Also I want to know, how are you getting enough entropy for the private key, is the implementation safe( We had same problem with other websites ). Can you open source this part

yeah, me too. Once you get it set up (which takes max 1 min) it works like a charm 

Great article Clef! It's nice to see the community support.

Nice article, it explains 2FA really well.

Hope to see Clef on more exchanges, used it on Koinify for the Factom Sale and it works a treat!

Very good article, this well explained and even new users can understand all information without problems. It seems much safer than Google Authenticator and from what i 've seen in the video is also simple to use.

Congratulations for your work and thanks for sharing.

Great, will do!

Make sure you setup clef on your koinify account so your factoids are safe 

Any news or updates to report? Keep it up!

We thank you for the support coinking. 

Looking good Clef - I think this will gain traction in crypto, give it time - good luck!

It was linked at the bottom on the "GETCLEF.COM" in orange, also in the "get in touch" section it is the first link on the left.
I have now added it to the blue logo on the top as well.

Thanks for pointing that out. 

Yeah, the tradeoff for all of this is how much Clef manages vs. how much users manage their own security process. Tools like Google Authenticator give you more control over the technical process, but that's a lot of rope to let users hang themselves with. The result is that most sites see <1% of users opt-in to using two-factor, and even in Bitcoin that number is less than 15%. For the few users who are technical enough, that helps protect their accounts (unless there is a server breach, phishing, or bucket brigade attack).

Clef sees more than 50% of users opt-in because they don't need to manage any of the process. At the site level, that means a whole lot more users are actually safe and we can reduce fraud by a much more significant factor (as well as protect from more common attacks).

For account reactivation, that focus on usability means we never ask users to write down their key (of the few people who use token-based two-factor, less than 1% write down their backup codes). Instead, we set them up with a new key pair once we confirm their identity with the process I described before.

A little while ago, I had a conversation with 5 ex-DOD white hats about Clef's architecture. At the end of my overview, one of them asked "How do you handle nation-state attacks when they're willing to used advanced interrogation to compromise an account." I told him we weren't solving for that yet

There are a lot of ways to make theoretical security gains, but the only security that matters is the security you use. 

I'd be interested to hear how it goes.

I guess you don't link average users to anything except your polished version. But you make the algorithm public, and such that it can work without using your servers. Like how google-auth works. I don't have to use their app or servers at all to use their authentication protocol, but almost everyone does.


Well, I'd build my own from source to remove that danger.


There are two problems with losing your phone:

1) the finder can get into your account
2) the loser can no longer access their account

It's 2) that concerns me. How do I get back into my accounts once I lose the only copy of the required private keys? With google-auth I simply go to the paper backup of the 16 letter secret I made when I set up 2FA.

really cool idea and implementation, trying out on one of my websites.

good job.

What a great project!

@OP can you add the link to your homepage?
You have link to the docs, apps, etc, but not for the actual homepage: https://getclef.com/
Just link it on your logo pic 

Thanks for the questions! These are both really interesting things that we think a lot about.

We don't have a bare-bones open source client, but we are working on open sourcing all of Clef. While a bare-bones client might be appealing to some really technical users, it could lead to some really confusing (and malicious) options for non-technical users. If there are a plethora of apps that "work" with Clef, how is the average user supposed to know which ones are generating and protecting their keys correctly?

Even open source, we could be compiling something extra into the app, but you can always look at the outgoing traffic from Clef on your phone to see that we're not sending the private keys.

As for lost phones -- right now you can deactivate a phone by confirming an email and the four digit PIN used to set up the Clef account (this is heavily rate-limited and zero PIN attempts can be made until after the email has been confirmed). In the next few months we'll be rolling out some additional layers of proof to give users more options for resetting their account -- this'll include letting users download their private key and disable all other forms of deactivation/reactivation.

I also don't see any options to back up my private keys.

What happens if I lose my phone?