

CaptureIn - passwordless authentication - tomaac
http://www.capturein.com/

======
nly
Except for the 'revocation code' briefly mentioned on their FAQ page[0], this
is likely just the same authentication scheme offered by Clef[1], with all the
same inherent weaknesses.

The biggest weakness in these schemes is the inherent potential for a MITM to
display the QR or bar code (I still don't think Clef actually displays what
site you're logging in to on your phone, and even if they do it's vulnerable
to visually similar URLs). The bottom line is the lack of authentication
between the phone and the browser.

The on-device encryption is also useless because the key is such a short PIN.

[0] [http://www.capturein.com/FAQ.html](http://www.capturein.com/FAQ.html)

[1] [https://getclef.com/](https://getclef.com/)

