Topic: [ANN] Clef is secure two-factor authentication with no passwords or tokens - page 5. (Read 15221 times)

hero member
Activity: 692
Merit: 569
tl;dr - to use Clef, you have to trust us, but public key auth is much harder to hack, so the overall security is way stronger

Do you offer a bare-bones open source client? I currently have no way of telling whether the private keys are being shared with your servers or whether they are only stored locally on my phone.

I'd be interested in knowing this too

I also don't see any options to back up my private keys.

What happens if I lose my phone?

This is a very good question that I also have. Your online documentation only talks about public key cryptography and says nothing about where the private keys are stored and their security. I guess the phone is generating a signature using the private key.

Can you put more detail on how this is secure:
  • How is the private key sandboxed? Since the phone is connected to the internet, this is a concern for me. Other hardware devices like Trezor or bank 2FA hardware devices are not connected to the internet, so it feels safer to me.
  • Also I want to know how you are getting enough entropy for the private key, and whether the implementation is safe (we had the same problem with other websites). Can you open source this part?
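The tl;dr at the top of this post and the guess that "the phone is generating a signature using the private key" can be made concrete. What follows is an added example written for this page, not Clef's code and not taken from any post in the thread: a minimal challenge-response login in Go in which the phone generates an Ed25519 key pair from the OS entropy source, hands the server only the public key, and signs a fresh server nonce for every login. Ed25519, the 32-byte nonce, and the in-memory user and challenge tables are assumptions for illustration; the thread does not say which algorithm, key size, or transport Clef actually uses.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device is the phone side. The key pair comes from the OS CSPRNG (crypto/rand,
// which is where Go takes its entropy); the private half is used only inside
// Sign and is never serialised for the network. Ed25519 is an assumption here.
type Device struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewDevice() (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{pub: pub, priv: priv}, nil
}

// Public returns the only key material the device ever hands to the server.
func (d *Device) Public() ed25519.PublicKey { return d.pub }

// Sign answers a server challenge with the private key.
func (d *Device) Sign(challenge []byte) []byte { return ed25519.Sign(d.priv, challenge) }

// Server stores public keys and at most one outstanding challenge per user.
type Server struct {
	pubkeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server {
	return &Server{pubkeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register records the public key at enrolment. A copy of this table yields no
// credential that can be used to log in.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.pubkeys[user] = pub }

// Challenge issues a fresh 32-byte nonce for one login attempt.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.pubkeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return nonce, nil
}

// Verify checks the signature over the outstanding challenge and then consumes
// the challenge, so a signature captured on the wire cannot be replayed.
func (s *Server) Verify(user string, challenge, sig []byte) error {
	pub, ok := s.pubkeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	expected, ok := s.challenges[user]
	if !ok || !bytes.Equal(expected, challenge) {
		return errors.New("no matching outstanding challenge")
	}
	delete(s.challenges, user) // single use, whether or not the signature verifies
	if !ed25519.Verify(pub, challenge, sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Login runs one complete challenge/response exchange.
func Login(s *Server, d *Device, user string) bool {
	c, err := s.Challenge(user)
	if err != nil {
		return false
	}
	return s.Verify(user, c, d.Sign(c)) == nil
}

func main() {
	dev, err := NewDevice()
	if err != nil {
		panic(err)
	}
	srv := NewServer()
	srv.Register("alice", dev.Public())

	c, _ := srv.Challenge("alice")
	sig := dev.Sign(c)
	fmt.Println("fresh login:", srv.Verify("alice", c, sig))        // <nil>
	fmt.Println("replayed signature:", srv.Verify("alice", c, sig)) // error
	fmt.Println("full exchange:", Login(srv, dev, "alice"))          // true
}
```

The single-use challenge is what makes a stored public key safe to leak: a server breach or a captured exchange gives the attacker nothing they can present again. It does not answer the sandboxing concern in the bullets above. If the phone itself is compromised, `priv` is readable by whatever runs there, which is exactly the difference from an offline device like a Trezor that the post raises, and the strength of the key rests entirely on `rand.Reader` being a sound entropy source on that platform.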
newbie
Activity: 54
Merit: 0
Decentral Talk Live Ep #67: Brennen Byrne of Clef

Clef's CEO interviewed by Decentral.TV Talk Live during the 2015 Texas Bitcoin Conference.

http://i.imgur.com/99HIMni.png
legendary
Activity: 927
Merit: 1000
Nice article, it explains 2FA really well.

Hope to see Clef on more exchanges, used it on Koinify for the Factom Sale and it works a treat!

yeah, me too. Once you get it set up (which takes max 1 min) it works like a charm  Cool
legendary
Activity: 927
Merit: 1000
We are featured on CoinTelegraph today  Smiley

Security Is More than a Password — It's a Signature


Great article Clef! It's nice to see the community support.
legendary
Activity: 1722
Merit: 1000
Nice article, it explains 2FA really well.

Hope to see Clef on more exchanges, used it on Koinify for the Factom Sale and it works a treat!
legendary
Activity: 1526
Merit: 1014
Very good article; this is well explained and even new users can understand all the information without problems. It seems much safer than Google Authenticator and from what I've seen in the video it is also simple to use.

Congratulations for your work and thanks for sharing.
legendary
Activity: 927
Merit: 1000
Any news or updates to report? Keep it up!

Make sure you setup clef on your koinify account so your factoids are safe  Smiley

Great, will do!
newbie
Activity: 54
Merit: 0
Any news or updates to report? Keep it up!

Make sure you setup clef on your koinify account so your factoids are safe  Smiley
legendary
Activity: 927
Merit: 1000
Any news or updates to report? Keep it up!
newbie
Activity: 54
Merit: 0
Looking good Clef - I think this will gain traction in crypto, give it time - good luck!

We thank you for the support coinking.  Smiley
legendary
Activity: 927
Merit: 1000
Looking good Clef - I think this will gain traction in crypto, give it time - good luck!
newbie
Activity: 54
Merit: 0
What a great project!

@OP can you add the link to your homepage?
You have link to the docs, apps, etc, but not for the actual homepage: https://getclef.com/
Just link it on your logo pic  Wink

It was linked at the bottom on the "GETCLEF.COM" in orange, also in the "get in touch" section it is the first link on the left.
I have now added it to the blue logo on the top as well.

Thanks for pointing that out.  Smiley
newbie
Activity: 4
Merit: 0

There are two problems with losing your phone:

1) the finder can get into your account
2) the loser can no longer access their account

It's 2) that concerns me. How do I get back into my accounts once I lose the only copy of the required private keys? With google-auth I simply go to the paper backup of the 16 letter secret I made when I set up 2FA.

Yeah, the tradeoff for all of this is how much Clef manages vs. how much users manage their own security process. Tools like Google Authenticator give you more control over the technical process, but that's a lot of rope to let users hang themselves with. The result is that most sites see <1% of users opt in to using two-factor, and even in Bitcoin that number is less than 15%. For the few users who are technical enough, that helps protect their accounts (unless there is a server breach, phishing, or bucket brigade attack).

Clef sees more than 50% of users opt in because they don't need to manage any of the process. At the site level, that means a whole lot more users are actually safe and we can reduce fraud by a much more significant factor (as well as protect from more common attacks).

For account reactivation, that focus on usability means we never ask users to write down their key (of the few people who use token-based two-factor, less than 1% write down their backup codes). Instead, we set them up with a new key pair once we confirm their identity with the process I described before.

A little while ago, I had a conversation with 5 ex-DOD white hats about Clef's architecture. At the end of my overview, one of them asked "How do you handle nation-state attacks when they're willing to use advanced interrogation to compromise an account?" I told him we weren't solving for that yet Smiley

There are a lot of ways to make theoretical security gains, but the only security that matters is the security you use.  Wink
legendary
Activity: 927
Merit: 1000
really cool idea and implementation, trying out on one of my websites.

good job.

I'd be interested to hear how it goes.
legendary
Activity: 2940
Merit: 1333
We don't have a bare-bones open source client, but we are working on open sourcing all of Clef. While a bare-bones client might be appealing to some really technical users, it could lead to some really confusing (and malicious) options for non-technical users. If there are a plethora of apps that "work" with Clef, how is the average user supposed to know which ones are generating and protecting their keys correctly?

I guess you don't link average users to anything except your polished version. But you make the algorithm public, and make it so that it can work without using your servers. Like how google-auth works: I don't have to use their app or servers at all to use their authentication protocol, but almost everyone does.

Even open source, we could be compiling something extra into the app, but you can always look at the outgoing traffic from Clef on your phone to see that we're not sending the private keys.

Well, I'd build my own from source to remove that danger.

As for lost phones -- right now you can deactivate a phone by confirming an email and the four-digit PIN used to set up the Clef account (this is heavily rate-limited and zero PIN attempts can be made until after the email has been confirmed). In the next few months we'll be rolling out some additional layers of proof to give users more options for resetting their account -- this'll include letting users download their private key and disable all other forms of deactivation/reactivation.

There are two problems with losing your phone:

1) the finder can get into your account
2) the loser can no longer access their account

It's 2) that concerns me. How do I get back into my accounts once I lose the only copy of the required private keys? With google-auth I simply go to the paper backup of the 16 letter secret I made when I set up 2FA.
sr. member
Activity: 476
Merit: 250
really cool idea and implementation, trying out on one of my websites.

good job.
hero member
Activity: 1582
Merit: 502
What a great project!

@OP can you add the link to your homepage?
You have link to the docs, apps, etc, but not for the actual homepage: https://getclef.com/
Just link it on your logo pic  Wink
newbie
Activity: 4
Merit: 0
tl;dr - to use Clef, you have to trust us, but public key auth is much harder to hack, so the overall security is way stronger

Do you offer a bare-bones open source client? I currently have no way of telling whether the private keys are being shared with your servers or whether they are only stored locally on my phone.

I'd be interested in knowing this too

I also don't see any options to back up my private keys.

What happens if I lose my phone?

Thanks for the questions! These are both really interesting things that we think a lot about.

We don't have a bare-bones open source client, but we are working on open sourcing all of Clef. While a bare-bones client might be appealing to some really technical users, it could lead to some really confusing (and malicious) options for non-technical users. If there are a plethora of apps that "work" with Clef, how is the average user supposed to know which ones are generating and protecting their keys correctly?

Even open source, we could be compiling something extra into the app, but you can always look at the outgoing traffic from Clef on your phone to see that we're not sending the private keys.

As for lost phones -- right now you can deactivate a phone by confirming an email and the four-digit PIN used to set up the Clef account (this is heavily rate-limited and zero PIN attempts can be made until after the email has been confirmed). In the next few months we'll be rolling out some additional layers of proof to give users more options for resetting their account -- this'll include letting users download their private key and disable all other forms of deactivation/reactivation.
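The deactivation flow described in this answer (email confirmation first, then a heavily rate-limited four-digit PIN, with zero PIN attempts accepted before the email is confirmed) is the same process the reactivation reply elsewhere in the thread relies on, and the ordering is easy to get subtly wrong. Here is an added example of that ordering in Go. It is illustrative code written for this page, not Clef's implementation; the attempt budget of five, the 15-minute token lifetime, and the account-level (rather than per-flow) lockout are assumptions, since the post gives no numbers. The sample account and PIN are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Illustrative limits (assumptions: the post only says "heavily rate-limited").
const (
	maxPINAttempts = 5
	emailTokenTTL  = 15 * time.Minute
)

var (
	ErrEmailNotConfirmed = errors.New("email not confirmed: PIN attempts not accepted")
	ErrBadToken          = errors.New("bad or expired email token")
	ErrLocked            = errors.New("too many PIN attempts: deactivation locked")
	ErrWrongPIN          = errors.New("wrong PIN")
)

// Account holds the server-side state for one phone deactivation.
type Account struct {
	pin         string // four-digit PIN chosen at setup (constructed sample data)
	emailToken  string // token carried by the emailed link; "" when no flow is open
	tokenExpiry time.Time
	emailOK     bool // becomes true only after ConfirmEmail succeeds
	pinAttempts int  // counted only once emailOK is true; never reset by a new flow
	Deactivated bool
}

// StartDeactivation issues a fresh random token (what the email link would carry).
// It deliberately does not touch pinAttempts: restarting must not refill the budget.
func (a *Account) StartDeactivation(now time.Time) string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	a.emailToken = hex.EncodeToString(b)
	a.tokenExpiry = now.Add(emailTokenTTL)
	a.emailOK = false
	return a.emailToken
}

// ConfirmEmail is step one. Until it succeeds, SubmitPIN refuses to even look at the PIN.
func (a *Account) ConfirmEmail(token string, now time.Time) error {
	if a.emailToken == "" || now.After(a.tokenExpiry) ||
		subtle.ConstantTimeCompare([]byte(token), []byte(a.emailToken)) != 1 {
		return ErrBadToken
	}
	a.emailOK = true
	a.emailToken = "" // single use
	return nil
}

// SubmitPIN is step two. A four-digit PIN has only 10,000 values, so the attempt
// budget is what gives it any meaning; once exhausted, the account stays locked.
func (a *Account) SubmitPIN(pin string) error {
	if !a.emailOK {
		return ErrEmailNotConfirmed // not counted and not compared: nothing proven yet
	}
	if a.pinAttempts >= maxPINAttempts {
		return ErrLocked
	}
	a.pinAttempts++
	if subtle.ConstantTimeCompare([]byte(pin), []byte(a.pin)) != 1 {
		return ErrWrongPIN
	}
	a.Deactivated = true
	a.emailOK = false
	return nil
}

func main() {
	now := time.Now()
	acct := &Account{pin: "4821"} // constructed sample account
	fmt.Println("correct PIN before email:", acct.SubmitPIN("4821"))
	tok := acct.StartDeactivation(now)
	fmt.Println("confirm email:", acct.ConfirmEmail(tok, now))
	for _, guess := range []string{"0000", "1111", "2222", "3333", "4444", "4821"} {
		fmt.Printf("guess %s: %v\n", guess, acct.SubmitPIN(guess))
	}
	fmt.Println("deactivated:", acct.Deactivated)
}
```

Two details carry the security. PIN submissions before `ConfirmEmail` return without comparing anything, so an attacker who has not demonstrated control of the mailbox gets no oracle at all, which is the "zero PIN attempts" property the post states. And `pinAttempts` survives `StartDeactivation`, otherwise an attacker with mailbox access could restart the flow and buy another five guesses each time, walking through all 10,000 PINs in a few thousand emails. The cost is that a locked account needs out-of-band recovery, which is the usability trade-off the thread keeps coming back to.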
legendary
Activity: 2940
Merit: 1333
tl;dr - to use Clef, you have to trust us, but public key auth is much harder to hack, so the overall security is way stronger

Do you offer a bare-bones open source client? I currently have no way of telling whether the private keys are being shared with your servers or whether they are only stored locally on my phone.

I'd be interested in knowing this too

I also don't see any options to back up my private keys.

What happens if I lose my phone?