Pages:
Author

Topic: [ANN] Clef is secure two-factor authentication with no passwords or tokens - page 6. (Read 15221 times)

legendary
Activity: 927
Merit: 1000
tl;dr - to use Clef, you have to trust us, but public key auth is much harder to hack, so the overall security is way stronger

Do you offer a bare-bones open source client? I currently have no way of telling whether the private keys are being shared with your servers or whether they are only stored locally on my phone.

I'd be interested in knowing this too
legendary
Activity: 2940
Merit: 1333
tl;dr - to use Clef, you have to trust us, but public key auth is much harder to hack, so the overall security is way stronger

Do you offer a bare-bones open source client? I currently have no way of telling whether the private keys are being shared with your servers or whether they are only stored locally on my phone.

Even if the private keys are currently never leaving my phone, it would be possible at some point in the future for a rogue developer at Clef to modify the client to have it send its private keys to them, at which point I lose my coins.

I like the convenience of Clef, but it seems to compromise security too much right now to provide that convenience.
newbie
Activity: 4
Merit: 0

I'll repeat my question in case you missed it.

Is Clef really enhancing security, or is it adding a new possible exploit vector? It seems that sites using Clef now have to trust Clef not to compromise their users' accounts (deliberately or otherwise). Is that correct? If so, that seems like it weakens security rather than strengthening it.

Before Clef: I use MtGox. I have to trust MtGox not to steal my coins or get hacked.
After Clef: I use MtGox and Clef. I have to trust both MtGox AND Clef not to steal my coins or get hacked.

With Clef, I've doubled the number of institutions who I need to trust.

Or do I have it wrong? I'd be interested in integrating Clef into Just-Dice if it really does strengthen security.


Hey dooglas, using Clef definitely strengthens your overall security!

Instead of using passwords and seeds (which need to be stored centrally and can be stolen), Clef uses public-key crypto to log users in. That means that most hacks against a Clef-protected account are completely impossible (you can see more at getclef.com/security). If Clef is hacked, we only have the public keys and so there’s nothing for an attacker to steal or use against the user. 

You do need to trust Clef for us to provide that protection. In the pre-Clef model, every developer is asked to stay informed about and re-implement best security practices on their own and we know that many developers are making mistakes or falling out of date. At Clef, we’re focused on doing one thing well and we’re much more likely to get it right.

As for whether you can trust that we’re not a malicious company — there are a couple of useful pieces of information:
    * We’re a venture-backed company, so we’ve passed background checks and the company is well documented
    * Our address and the names of our team are all listed on our about page (getclef.com/about)
    * Clef has been around for more than 2 years and protects nearly 50,000 sites

Early on, we experimented with sharing public keys with sites that implemented Clef so that they could verify signatures (so they could trust us even less). We found that most sites preferred a simpler integration and that the sites that did the extra work frequently messed up some of the crypto because they didn’t understand it. That lowered the security and the usability of the system, so we stopped sharing them, but it’s something we still think about. I’d be happy to hear your thoughts about this.



tl;dr - to use Clef, you have to trust us, but public key auth is much harder to hack, so the overall security is way stronger
member
Activity: 101
Merit: 10
I think the OP needs to outline the business model of Clef. How do you guys pay for all the servers and bandwidth? How do you guys pay for the technical and support staff?

https://getclef.com/pricing/

I am familiar with this.

Free tier does not offer premium features but has no user or request cap. It is offered free for the basic usage, simply because the cost for requests is relatively small, (bandwidth/upkeep) Larger clients that need the extra assistance, support, and metrics, potential white glove service/customization and training can pay for this service.

I believe the business model is to allow companies to get on board, setup and use it easily and when they scale big enough that they may need additional resources from the company they can engage, and if not, they function as a brand ambassador.
legendary
Activity: 2940
Merit: 1333

I'll repeat my question in case you missed it.

Is Clef really enhancing security, or is it adding a new possible exploit vector? It seems that sites using Clef now have to trust Clef not to compromise their users' accounts (deliberately or otherwise). Is that correct? If so, that seems like it weakens security rather than strengthening it.

Before Clef: I use MtGox. I have to trust MtGox not to steal my coins or get hacked.
After Clef: I use MtGox and Clef. I have to trust both MtGox AND Clef not to steal my coins or get hacked.

With Clef, I've doubled the number of institutions who I need to trust.

Or do I have it wrong? I'd be interested in integrating Clef into Just-Dice if it really does strengthen security.
newbie
Activity: 54
Merit: 0
We are featured on L’Atelier & BraveNewCoin!

L’Atelier BNP Paribas - March 19, 2015
Clef Improves Two-Factor Online Authentication

BraveNewCoin - March 20, 2015
Clef: Enhancing Security In The Bitcoin World
legendary
Activity: 2940
Merit: 1333
As we move more of our personal information into the cloud, we need security we can actually use.

I had a quick look at this.

I'm worried that if I use it, I am effectively giving the people at clef access to all my user accounts.

Is that the case? Does integrating clef compromise user security? Do we have to trust the people at clef?

I know with google authenticator I don't have to trust Google at all. I don't even have to install their app. The algorithm is public, and runs offline. Clef seems different - it's an online solution, and appears to rely on centralised servers.
legendary
Activity: 927
Merit: 1000
Been using it for awhile... love it...keep up the good shit clef  Grin

right? Super useful app. Good stuff Clef!  Cool
sr. member
Activity: 462
Merit: 500
Been using it for awhile... love it...keep up the good shit clef  Grin
legendary
Activity: 927
Merit: 1000
Any big sites coming up?

It would be cool to widespread Clef not only to Bitcoin related websites and wallets, but also to more general, mainstream sites, like social media. And if you guys get mainstream sites, you'll get all the other easily.

3rd party integration doesn't cut it...

Clef is being used by over 40,000 websites around the world, we continue to expand on a day to day basis.
We will also make sure to announce any big "mainstream" sites on here in the future as well as any Bitcoin related partners.

Thank you for the support, it's nice for the Clef team to feel the community loves our product.  Smiley Wink Cheesy


Nice stats Clef! And thanks for the updates, it's nice to know how merchant adoption is coming along. Keep us updated  Grin
newbie
Activity: 54
Merit: 0
Any big sites coming up?

It would be cool to widespread Clef not only to Bitcoin related websites and wallets, but also to more general, mainstream sites, like social media. And if you guys get mainstream sites, you'll get all the other easily.

3rd party integration doesn't cut it...

Clef is being used by over 40,000 websites around the world, we continue to expand on a day to day basis.
We will also make sure to announce any big "mainstream" sites on here in the future as well as any Bitcoin related partners.

Thank you for the support, it's nice for the Clef team to feel the community loves our product.  Smiley Wink Cheesy
legendary
Activity: 1512
Merit: 1012
Any big sites coming up?

It would be cool to widespread Clef not only to Bitcoin related websites and wallets, but also to more general, mainstream sites, like social media. And if you guys get mainstream sites, you'll get all the other easily.

3rd party integration doesn't cut it...
legendary
Activity: 927
Merit: 1000
It's about time we had a security app like Clef! Simple & easy Tongue
And I really hope that most of the businesses on the crypto ecosystem can integrate this new 2FA system.
I'm tired of having to manage a bunch of passwords and all the dull time wasting with it!
With Clef, I will be able to secure all my accounts without having to worry about remembering lots of passwords and living in a constant fear of losing access to my accounts or being hacked. Simplicity is the way to go and Clef will turn my work a lot easier.
This application really stands for innovation and simplicity and in my opinion Google Auth and other centralized options will be completely overtaken by this technology. Decentralized applications are the future and Clef seems to be taking the lead...
unfortunately, my phone is an android, so I won't be able to use the touch id feature Sad

I just wish they come up with a similar feature for android users...

Anyway... I already downloaded and installed the app on my mobile and I really love it!

I think it would be huge to see exchanges starting to use Clef. It only takes a minute to send in a request to your favorite exchanges. If we all did this it wouldn't be long until some of them take a real good look at what this project offers.
legendary
Activity: 1596
Merit: 1027
It's about time we had a security app like Clef! Simple & easy Tongue
And I really hope that most of the businesses on the crypto ecosystem can integrate this new 2FA system.
I'm tired of having to manage a bunch of passwords and all the dull time wasting with it!
With Clef, I will be able to secure all my accounts without having to worry about remembering lots of passwords and living in a constant fear of losing access to my accounts or being hacked. Simplicity is the way to go and Clef will turn my work a lot easier.
This application really stands for innovation and simplicity and in my opinion Google Auth and other centralized options will be completely overtaken by this technology. Decentralized applications are the future and Clef seems to be taking the lead...
unfortunately, my phone is an android, so I won't be able to use the touch id feature Sad

I just wish they come up with a similar feature for android users...

Anyway... I already downloaded and installed the app on my mobile and I really love it!
newbie
Activity: 54
Merit: 0
Bitspark will be integrating Clef into our exchange and upcoming merchant products in the next 3 weeks.  Grin

We are pleased to work with you guys! Keep us posted when it goes live!  Smiley
newbie
Activity: 54
Merit: 0
After I saw this thread I downloaded the Clef app and checked it out. First of all I didn't know about Clef before seeing it here.
So I gave it a go and maaan what a nicer way to login to websites! I've been using Google Authenticator for many services and it is fiddly.

I wish all crypto exchanges would switch to Clef, way easier!

Hope you guys succeed in getting on more exchanges! Do you have a list of available ones so far?

Saw the note in the OP post, work is in progress... Keep us posted!

So far we are onboard with:


We are liaising with others in the space, more updates to come soon.  Smiley
legendary
Activity: 1722
Merit: 1000
After I saw this thread I downloaded the Clef app and checked it out. First of all I didn't know about Clef before seeing it here.
So I gave it a go and maaan what a nicer way to login to websites! I've been using Google Authenticator for many services and it is fiddly.

I wish all crypto exchanges would switch to Clef, way easier!

Hope you guys succeed in getting on more exchanges! Do you have a list of available ones so far?

Saw the note in the OP post, work is in progress... Keep us posted!
member
Activity: 124
Merit: 10
Bitspark will be integrating Clef into our exchange and upcoming merchant products in the next 3 weeks.  Grin
legendary
Activity: 2044
Merit: 1005
I'm thinking about integrating Clef with a bitcoin exchance i'm going to launch.
Exchanges are a thing of the past.. Only scammers do them noone will trsut you

are you serious? you're saying auctions are better then, as you are promoting an auction in your signature and yet bashing exchanges. This is unrelated to the thread topic anyways.

It's going to be a DAC... using UIA from the bitshares DEX... as of right now its being developed by myself.

I would like to use Clef, if we can somehow integrate it with bitshares login https://github.com/sidhujag/bitshares-prestashop-login
newbie
Activity: 54
Merit: 0
I'm thinking about integrating Clef with a bitcoin exchance i'm going to launch.

Will PM you
Pages:
Jump to: