
Clef – stop using passwords - charlieirish
https://getclef.com/
======
thatthatis
So for this to work, the website has to be on board, the user has to be on
board, the user has to have their phone present, the user's phone has to be in
working order (camera working, network working), the clef server has to be
running correctly, and the software has to be working correctly on [the user's
phone, the website's frontend, the website's backend, and the Clef servers].

Current process: click login box, type, tab, type, enter. With clef: click
Clef box, find phone, unlock phone, launch clef app, hold in front of screen,
wait.

All of this to create an "advantage" of not having to remember a password at
the cost of probably 15-30 seconds longer login time and a login process with
more brittleness, as many steps, and more complicated steps.

Is there a big advantage I'm missing, because right now this looks worse in
almost every way and dubiously better in only one.

I say dubious because I wouldn't trust the system to work, so I'd still
memorize backup passwords. But some people have higher trust and thus would
get the benefit.

The animation is cool though.

~~~
AndrewKemendo
This is wrong though because unless you have the same password for everything
(you shouldn't) the process isn't the single serving:

 _click login box, type, tab, type, enter_

It is moreso:

 _click login box, type one of passwords 1-10, tab, type, enter_

Which assumes you remember each one. It's an even better use case scenario if
you are the guy with only one password for everything.

~~~
chadcf
I would think something like lastpass is an even better workflow however.

1\. click login button

2\. there is no step 2

~~~
fsckin
+1 for LastPass. Saves a bunch of time. They're pretty damn persistent about
doing security the right way -- they don't have the key to open your data.

~~~
azinman2
Except that's a bandaid over existing solutions. It's hard to imagine in 50
years we'll still require people to remember both a user identifier plus a
password.

It's a tough problem. Human memories are fallible, yet it's with you always.
Passwords can be given to others, which can be convenient in many situations
(something bio recognition can't do). Bio markers like fingerprints are left
everywhere as CCC has demonstrated, or the markers themselves can change such
as with macular degeneration in eyes. Phones can be stolen or run out of
battery, physical key cards lost, and centralized systems like RSA's SecurID
hacked.

In a lot of ways the banks have done it best, combining a replaceable
physical object (loanable) with a short PIN (sharable and more memorable), and
then throwing fraud detection on top of it. It's the last piece that's the
best and also the least available for others to do easily.

The problem would be better addressed by having a turn-key solution that any
company can easily plug into their code to detect fraud attempts on short
passwords. Big hole waiting for a startup to fill...

------
Zikes
They keep saying this is 2-factor authentication, but without the first factor
(something you know e.g. a password) and going straight to the second factor
(something you have e.g. your smartphone) they actually only provide a single
factor for authentication.

This is of course less secure than true 2-factor authentication, and the web
site is misleading in its wording.

~~~
michaelmior
I asked this exact question to the team on Twitter a few days ago when I first
heard about this. Their response[1] was that you need a PIN to unlock the app.

[1]
[https://twitter.com/getclef/status/431095300619390976](https://twitter.com/getclef/status/431095300619390976)

~~~
Zikes
No matter how well protected the phone or app is, the receiving service still
only gets one factor of authentication.

------
IgorPartola
I am glad that people are exploring this space, but Clef is not the solution,
IMHO.

LastPass currently fulfills similar requirements for me and actually speeds up
logging into the site. Is it perfect? Absolutely not. But the UI works pretty
well.

I'd like to see it improved by starting to support public/private keys. The
idea that I can log into a site using my private key means that when I simply
get one <input type="identity"> and then the browser or a plugin like LastPass
provides the UI to fill it in. This would actually be much faster than
passwords: you see the input, select an identity from a dropdown or
autocomplete you'd like to use, and click "Go".

------
higherpurpose
Seems a little similar to Steve Gibson's SQRL, I think:

[https://www.youtube.com/watch?v=ZrQboo3pA10](https://www.youtube.com/watch?v=ZrQboo3pA10)

[http://sqrl.pl/guide/](http://sqrl.pl/guide/)

[https://www.grc.com/sqrl/sqrl.htm](https://www.grc.com/sqrl/sqrl.htm)

He said in his recent Security Now podcast that he had some breakthroughs in
terms of how SQRL will work, so it will probably change quite a bit from how
it's presented at those two links. He also said his solution is better than
what the FIDO Alliance is trying to achieve, but we'll see when it's ready if
true (it does sound like the FIDO Alliance has created a few adoption problems
for themselves with the licensing and whatnot, though).

~~~
dublinben
This immediately struck me as a ripoff of SQRL. I don't think there are any
meaningful improvements in the linked solution.

~~~
gcommer
Actually, Clef was already developed and launched before SQRL was even
announced. SQRL does, however, have many benefits over Clef, though the
typical user interaction is similar.

------
cell303
Sorry for the deliberately stupid question but: What if I need to login
somewhere on my phone?

~~~
gcommer
The image that you're supposed to scan will also be a link with some custom
protocol (like clef://...), which then gets handled by the Clef app.

------
ngpio
I'm glad there's movement in this space. It's desperately needed. Password
managers are great but difficult to extend to all use-cases. When a generated
password cannot be easily copy-pasted, the whole system feels unwieldy.

But Clef doesn't seem to solve anything in that respect. It solves some of the
same problems that password managers do but with extra environmental
requirements.

I can see the Clef mechanism being useful for 2-factor authentication. But
I'm unenthused with (and wary of) its current instantiation as a login
skeleton key. If I were Clef, I'd set my sights lower and rebrand as a drop-in
2-factor auth system to be _optionally_ enabled by users.

> Clef puts military grade cryptography in the hands of every user

This kind of line is deceptive for 99% of end-users and turns off the 1% who
might be helpful as developers.

~~~
serverascode
Where do they say military grade? That's always a bit of a red flag for me.

~~~
jessepollak
This is actually something we thought we removed everywhere. I just grep'd our
repo, found one lingering instance, and committed it out (will deploy when the
traffic goes down). We understand it's deceptive and recognize the need to
communicate to our users why Clef is more secure than usernames and passwords
in a straightforward way.

------
braum
OMG this will make moving around the internet and logging into 100's of sites
so much easier and faster... oh wait. find app, click app, wait for app to
launch, scan screen..., scan screen again...,(damn it!) scan screen again
holding further back and making sure it has focus, got it!. whew. that was so
cool and easy. I'm so glad my Wordpress admin page has this level of security
because what I say is THAT important.

~~~
azinman2
Hardware integration is needed for this and mobile payments to be less
frustrating and fast. Apple/Google/Samsung are the ones in control.

------
jimktrains2
Why not just have browser support for SRP as a standard type of form request
or TLS-SRP? It's fairly well known crypto and doesn't require a 3rd party
service to be active or access to a smart phone with an active network
connection.

~~~
ianburrell
SRP doesn't solve the problem with having to remember (or store) good unique
passwords for each site. It does help with the authenticating password over
insecure connection but SSL solves that for most sites. It doesn't solve the
problem of securely storing passwords; the value that is stored can be brute
forced to get password and is equivalent to cleartext password for any SRP
using site.

~~~
jimktrains2
> It does help with the authenticating password over insecure connection

I'm not sure you understand what SRP is; it's built to be used over insecure
connections.

> It doesn't solve the problem of securely storing passwords; the value that
> is stored can be brute forced to get password and is equivalent to cleartext
> password for any SRP using site.

I don't think you understand what SRP is; if you could do this, then public
key crypto has a much larger problem than passwords and you should be worried
about TLS as well.

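Added worked example for the SRP exchange the two replies above argue about (editor's illustration, not code from Clef, SQRL or any SRP library). It walks SRP-6a with SHA-256 and the 1024-bit group from RFC 5054: the client enrols by sending only a salt and a verifier v = g^x, the login runs over an untrusted channel with both sides proving they derived the same key, and the last function shows what a leaked verifier actually gives an attacker: an offline dictionary attack on a weak password, one exponentiation per guess, but nothing that lets the attacker authenticate as the client, since the client side needs x, not v. Identity, passwords and word list are constructed; the `SrpServer` class and message shape are this example's own framing.

```python
"""SRP-6a walk-through in plain Python (hashlib/secrets only): registration,
the client/server login exchange, and what a leaked verifier does and does
not give an attacker.  Added illustration, not Clef, SQRL or library code;
identity, password and word list used with it are constructed."""
import hashlib
import hmac
import secrets

# 1024-bit group from RFC 5054, Appendix A; generator g = 2.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
NLEN = (N.bit_length() + 7) // 8          # 128 bytes, used to pad integers


def pad(x: int) -> bytes:
    return x.to_bytes(NLEN, "big")


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))                      # SRP-6a multiplier parameter


def private_x(salt: bytes, identity: str, password: str) -> int:
    # x = H(salt || H(I ":" P)); only ever computed on the client
    inner = hashlib.sha256(f"{identity}:{password}".encode()).digest()
    return H(salt, inner)


def register(identity: str, password: str):
    """Client-side enrolment: the server receives (salt, v), never x or P."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, identity, password), N)


class SrpServer:
    def __init__(self):
        self.users = {}        # identity -> (salt, v)
        self.pending = {}      # identity -> (A, B, K) for an in-flight login

    def enrol(self, identity, salt, v):
        self.users[identity] = (salt, v)

    def start(self, identity, A):
        """Message 1 (A) in, message 2 (salt, B) out."""
        if A % N == 0:
            raise ValueError("client sent A == 0 mod N")
        salt, v = self.users[identity]
        b = secrets.randbelow(N - 2) + 1
        B = (k * v + pow(g, b, N)) % N
        u = H(pad(A), pad(B))
        S = pow(A * pow(v, u, N), b, N)       # (A * v^u)^b
        K = hashlib.sha256(pad(S)).digest()
        self.pending[identity] = (A, B, K)
        return salt, B

    def finish(self, identity, M1):
        """Message 3 (client proof M1) in, message 4 (server proof M2) out."""
        A, B, K = self.pending.pop(identity)
        expect = hashlib.sha256(pad(A) + pad(B) + K).digest()
        if not hmac.compare_digest(M1, expect):
            raise ValueError("client proof failed (wrong password?)")
        return hashlib.sha256(pad(A) + M1 + K).digest()


def client_login(identity, password, server) -> bytes:
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    salt, B = server.start(identity, A)
    if B % N == 0:
        raise ValueError("server sent B == 0 mod N")
    u = H(pad(A), pad(B))
    if u == 0:
        raise ValueError("u == 0")
    x = private_x(salt, identity, password)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)   # (B - k g^x)^(a + u x)
    K = hashlib.sha256(pad(S)).digest()
    M1 = hashlib.sha256(pad(A) + pad(B) + K).digest()
    M2 = server.finish(identity, M1)
    if not hmac.compare_digest(M2, hashlib.sha256(pad(A) + M1 + K).digest()):
        raise ValueError("server proof failed")
    return K


def login_succeeds(identity, password, server) -> bool:
    try:
        client_login(identity, password, server)
        return True
    except ValueError:
        return False


def crack_verifier(identity, salt, v, wordlist):
    """Offline attack on a leaked (salt, v): one exponentiation per guess.
    Note that v alone does not let the attacker run client_login: that needs x."""
    for guess in wordlist:
        if pow(g, private_x(salt, identity, guess), N) == v:
            return guess
    return None
```

Both replies above are half right: a stolen verifier table is not "equivalent to cleartext" (it cannot be replayed as a client credential the way a leaked password or a pass-the-hash token can), but it is brute-forceable exactly like a salted password hash, so weak passwords are still exposed on a server compromise. SRP removes the need for TLS to protect the password in transit; it does not remove the need for strong or unique passwords.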
------
eatcookies
Would be better if you cut out the centralised authority, take a look at SQRL
[https://www.grc.com/sqrl/sqrl.htm](https://www.grc.com/sqrl/sqrl.htm)

------
homakov
What about MITM, if I show image of client 1 on client 2?

~~~
gcommer
I don't know if clef does this, but for SQRL (similar, but uses QR codes, is
open source, and doesn't rely on a 3rd party), it relies on the fact that the
website URL will be embedded in the QR code (along with a signature) and that
the app will show that URL to the user for them to confirm.

This isn't strictly stronger than standard password MITM (phishing), because
inattentive users could still just click through without checking the URL or
the https status. IMO it is still an improvement because it makes that step
explicit, and gives us a chance to put some nicer UI and programmatic checks
around it (warning about weird unicode tricks, high similarity to previously
used domain names, ...).

Also, both Clef and SQRL use public-private key authentication, so if a bad
guy does successfully MITM someone, they only get one session to do bad stuff
as opposed to knowing the password and being able to re-authenticate wherever.
Obviously this is pretty poor security (it only takes one login to empty
someone's bank account...) but for some applications it might be significant -
notably for websites that require you to re-authenticate to take destructive
action.

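Added worked example of the "programmatic checks" the comment above suggests an app could run on the scanned challenge before asking the user to confirm the site (editor's illustration, not Clef or SQRL code). It parses the login URI, flags non-ASCII or punycode hosts, and compares the host against domains the user has logged into before, both by a small lookalike "skeleton" (digits that imitate letters) and by edit distance. The `sqrl://`/`clef://` scheme handling, the `challenge` query parameter, the skeleton map and the known-domain list are assumptions of the example.

```python
"""Origin checks a login app can run on a scanned challenge URI before the
user confirms it.  Added illustration, not Clef or SQRL code; the URI shape
(scheme + `challenge` parameter), the lookalike map and the known-host list
are assumptions."""
from urllib.parse import parse_qs, urlsplit

# Hypothetical lookalike map: characters commonly used to imitate others.
SKELETON = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                          "7": "t", "8": "b", "|": "l"})


def parse_challenge(uri: str):
    """Return (host, nonce) from a challenge URI or raise ValueError."""
    p = urlsplit(uri)
    if p.scheme not in ("sqrl", "clef", "https"):
        raise ValueError(f"unexpected scheme {p.scheme!r}")
    host = p.hostname                      # already lower-cased by urlsplit
    if not host:
        raise ValueError("challenge has no host")
    nonce = parse_qs(p.query).get("challenge", [None])[0]
    if not nonce:
        raise ValueError("challenge has no nonce")
    return host, nonce


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_host(host: str, known_hosts):
    """Return (verdict, findings); verdict is 'known', 'new' or 'suspicious'.

    'suspicious' means the UI should warn loudly before the user confirms.
    """
    host = host.lower()
    findings = []
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return "suspicious", ["host is not a valid IDNA name"]
    if ascii_host != host or "xn--" in ascii_host:
        findings.append(f"non-ASCII/punycode host: {ascii_host}")
    if ascii_host in known_hosts:
        return ("suspicious" if findings else "known"), findings
    skel = ascii_host.translate(SKELETON)
    for k in known_hosts:
        if skel == k.translate(SKELETON) or levenshtein(skel, k) <= 2:
            findings.append(f"looks like previously used {k}")
    return ("suspicious" if findings else "new"), findings


def check_challenge(uri: str, known_hosts):
    """Full pre-confirmation check: (host, nonce, verdict, findings)."""
    host, nonce = parse_challenge(uri)
    verdict, findings = assess_host(host, known_hosts)
    return host, nonce, verdict, findings
```

Whatever the verdict, the app still signs over the exact host it parsed and displays that host to the user; the checks only decide how hard to warn. They do not defend against the relay case in the question (a challenge for site A shown on attacker page B looks like a perfectly valid challenge for A), so the user's comparison of the phone's display with the browser's address bar remains part of the protocol.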
------
sidmitra
So one use case, where any phone based solutions are a bit off is: when you're
travelling.

1\. Phone in roaming and no network

2\. Battery dying out.

It locks you out of using a bunch of services.

I had a really bad time when my flight to NYC got redirected to Tashkent and
was stuck for 2 days. I couldn't log on to any services. My phone wasn't
working, so I did not receive the SMS notifications I had set up. GMail (and FB and
a bunch of others) all thought my account was being hacked and wanted me to
verify via my phone or email. So I was stuck in a foreign country, with phone
roaming not working, and no way to contact people and let them know where I
was.

So I've definitely stopped using any SMS phone verification. I'm still
hesitant to use Google Authenticator (although I've shifted most of the
accounts to it), because my battery tends to die at odd times while traveling.

~~~
alyandon
Doesn't Google Authenticator provide you with a list of one-time use codes you
can print out and carry with you for just those types of situations?

~~~
dublinben
Google does, when setting up 2FA. That's independent of using the app for
other services.

~~~
alyandon
Ah, it's unfortunate Google doesn't offer Authenticator as an open service then.

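Added worked example for the fallback discussed above: TOTP as Google Authenticator computes it (RFC 6238 over RFC 4226 HOTP, SHA-1, 30-second steps) on the server side, a replay guard for reused codes, and single-use backup codes for the dead-phone case. This is an editor's illustration, not Google's code; the enrolment policy (eight hex backup codes stored hashed, one-step verification window) is an assumption, and the secret in the checks is the RFC 4226/6238 test key, which is why the expected codes are known in advance.

```python
"""Server-side TOTP verification with a replay guard and single-use backup
codes.  Added illustration, not Google Authenticator code; the backup-code
policy and window size are assumptions of this example."""
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at // step), digits)


def _hash_code(code: str) -> bytes:
    return hashlib.sha256(code.encode()).digest()


class SecondFactor:
    """Second-factor state for one account: TOTP secret, replay guard, backups."""

    def __init__(self, secret: bytes, backup_count: int = 8):
        self.secret = secret
        self.last_counter = -1                  # highest step already accepted
        codes = [secrets.token_hex(5) for _ in range(backup_count)]
        self.backup_hashes = {_hash_code(c) for c in codes}
        # Kept in clear only so a caller can show them once at enrolment;
        # a real server would drop them after display and keep the hashes.
        self.issued_backup_codes = codes

    def verify_totp(self, code: str, at: float, window: int = 1) -> bool:
        """Accept the current step or `window` steps either side (clock skew),
        but never a step at or below the last accepted one (replay)."""
        counter = int(at // 30)
        for c in range(counter - window, counter + window + 1):
            if c <= self.last_counter:
                continue
            if hmac.compare_digest(hotp(self.secret, c).encode(), code.encode()):
                self.last_counter = c
                return True
        return False

    def verify_backup(self, code: str) -> bool:
        """Backup codes are consumed on first use so a stolen printout is bounded."""
        h = _hash_code(code.strip().lower())
        for stored in list(self.backup_hashes):
            if hmac.compare_digest(stored, h):
                self.backup_hashes.remove(stored)
                return True
        return False

    def verify(self, code: str, at=None) -> bool:
        """Try the authenticator code first, then fall back to a backup code."""
        at = time.time() if at is None else at
        return self.verify_totp(code, at) or self.verify_backup(code)
```

The replay guard matters in practice: a code shoulder-surfed or phished inside its 30-second window is otherwise still valid, and the skew window makes that up to 90 seconds. Backup codes cover the offline-phone situation in the thread, but only if the user actually printed them before travelling; an app that also offers them (rather than each site doing it separately, as noted above) would be the open-service piece the last reply asks for.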
------
abc123xyz
Trusting a mobile app with my passwords? Sure I may as well email all the
passwords to the NSA instead

------
aaroneous
It's good to see advancement on the ux side of 2fa. Many of the other players
in this space provide such a cognitive burden that scares average users back
to passwords. I'm excited to see where this one goes.

------
cauliturtle
I am so scared moving all my "rights" to my phone. If my phone is stolen, that
guy can browse my visited-sites history, and then try to use clef to login,
payment...

------
johnsocs
You could still say this is 2-factor, I know my phone PIN, and I have my
phone. It's interesting, yet not for me.

I'd rather keep with the SMS PIN's as part of my two-factor auth, no third
party app required, no lost private keys.

Most people who jump on the 2-factor band-wagon care more about security than
speedy access. They are willing to carry an extra device ( smartphone, smart
card, USB key, etc... )

------
cliveowen
Anything that requires the user to pull out the smartphone and launch an app
to authenticate is bound to fail. There's no way around it.

~~~
staffordrj
> There's no way around it.

That's the idea.

------
normloman
Drat, he's using clef! Oh well. Hit him over the head with a crowbar and take
his phone.

~~~
negamax
That's really cynical. This is as good as saying, put someone under sedatives
to get them to reveal their password.

~~~
dvanduzer
Security professionals have always distinguished three major potential factors
for authentication:

\- something you know

\- something you have

\- something you are (e.g. fingerprint / retina scans)

Part of the reason passwords have stuck around so long is that accurate and
convenient enough biomarker devices have been prohibitively expensive, and
physical artifacts can be lost or stolen.

You can't put someone under sedatives to get them to reveal their password. To
attack a password* you must coerce or trick a human brain into revealing it.

*Assuming various diceware-style caveats. Also, writing the password down and putting it anywhere other than a safety deposit box puts it back in the "something you have" category.

------
facorreia
Interesting, but I couldn't find the answers to some questions on the site:

1\. How much does it cost for the website / web application owner?

2\. How much does it cost for the end user?

3\. If nothing for either, how does Clef make money out of this?

~~~
hundchenkatze
For 1. Go here:
[https://getclef.com/developer/](https://getclef.com/developer/) it's in the
middle of the page "Completely Free"

For 2. The App was free and I was able to use it free.

For 3. No idea :)

------
1morewebdev
Wasn't there news recently about popular games picking up stuff from the phone
that they are not supposed to?

If I keep my passwords / certs on my phone, anything that hacks my phone gets
access to those, no?

------
ricards
Very similar app only with QR codes -
[http://capturein.com/](http://capturein.com/)

------
smsm42
Do I understand correctly that this is just plain old client certificates with
nice wavy picture on top of it?

------
LanceH
How do you log in from the web page on your phone?

------
mcmillion
Yeah, I'll just type my password, thanks.

------
supermatou
So, basically, I should replace something that exists inside my head, in an
immaterial form, with something physical that can be easily stolen?!

