
Everykey – The Master Key to Your Phone, Laptop, Website Accounts, and More - taivare
https://everykey.com/
======
pre
From The Hitchhiker's Guide to the Galaxy:

It was an Ident-i-Eeze, and was a very naughty and silly thing for Harl to
have lying around in his wallet, though it was perfectly understandable. There
were so many different ways in which you were required to provide absolute
proof of your identity these days that life could easily become extremely
tiresome just from that factor alone, never mind the deeper existential
problems of trying to function as a coherent consciousness in an
epistemologically ambiguous physical universe. Just look at cash point
machines, for instance. Queues of people standing around waiting to have their
fingerprints read, their retinas scanned, bits of skin scraped from the nape
of the neck and undergoing instant (or nearly instant --- a good six or seven
seconds in tedious reality) genetic analysis, then having to answer trick
questions about members of their family they didn't even remember they had,
and about their recorded preferences for tablecloth colours. And that was just
to get a bit of spare cash for the weekend. If you were trying to raise a loan
for a jetcar, sign a missile treaty or pay an entire restaurant bill things
could get really trying.

Hence the Ident-i-Eeze. This encoded every single piece of information about
you, your body and your life into one all-purpose machine-readable card that
you could then carry around in your wallet, and therefore represented
technology's greatest triumph to date over both itself and plain common sense.

~~~
seletz
This a 100 times.

And thanks for reminding me to read the Hitchhiker's Guide again!

------
nugget
I don't see how this is much different from key generation software running on
a phone or any other device. Useful as a 2nd factor for authentication and a
little less friction (more convenient, less secure). I've yet to see any
technology that can replace an old fashioned master password as the 1st
factor. All the hype around biometrics a few years ago seemed especially silly
given that it's pretty easy to steal fingerprints and once stolen, of course,
they are pretty hard to change. Maybe I'm an outlier here, but I think in 20
years we'll still be using password managers with master-password type-in
authentication into a dashboard, with varying degrees of additional
authentication required to access sites/services within, based on relative
sensitivity.

~~~
Maarten88
> I've yet to see any technology that can replace an old fashioned master
> password as the 1st factor.

For a few weeks I've been using the Windows Hello system on my new Surface Pro 4.
It's using facial recognition, and it's pretty awesome: turn on the PC, sit
still for a second, it greets you, logs in and you can work. For two factor
logins I use the Microsoft Account app on Android, which also works very well
(no typing a code, just approve the request on the phone).

Now if only Microsoft would fix the power/sleep issues with the Surface 4, it
would be perfect.

~~~
TTPrograms
Have you or anybody else tried to crack it? Ease of use isn't the only part of
good security. Would a picture work? A recorded video on an iPad? etc.

~~~
rorosaurus
Windows Hello uses an IR emitter and camera to get a 3D map to verify in
addition to the ordinary webcam, and I've confirmed that mine doesn't fall
prey to the most obvious of exploits.

Of course, it makes the assumption that "<user>'s face in front of the
computer means <user> wants to log in", which may not always be the case.

That being said, I'm eagerly looking forward to reading about its pitfalls
once people crack it.

~~~
mbreese
I wonder if your face would look different enough in the 3D map while under
duress to stop it from authenticating. Or what about if you're unconscious? It
sounds like it would be really easy to break this security with a $5 wrench.

~~~
girvo
That's the case for a lot of security, though?

------
joshka
So, since the original Kickstarter, FIDO and U2F came about. I can't find
anything that suggests that this has any relation to standards, or more
technical detail rather than marketing. That's worrying.

------
isomorphic
The Everykey device holds a decryption key (or key-equivalent) for your
keychains, and it has over-the-air _upgradeable_ _firmware_? Even if the
firmware is signed, and the upgrade procedure is password-protected, the
feature may expose the device to a variety of different attacks.

(Not to mention hardware attacks, since even if the device has a secure
element, it has to send key material back to the device with the keychain.)

------
volaski
Is this actually really positively available right now? I don't see any link
to kickstarter or a preorder link or a video that says "But now, we need your
help". If so, it's refreshing.

~~~
martey
That's because their Kickstarter (linked from the bottom of the website; [1])
ended in _November 2014_. The original shipping date for customers was March
2015; they now claim that they will ship by March 2016, but they also started
a second crowdfunding campaign on IndieGogo [2].

[1]: [https://www.kickstarter.com/projects/everykey/everykey-the-w...](https://www.kickstarter.com/projects/everykey/everykey-the-wristband-that-replaces-keys-and-pass/)

[2]: [https://www.indiegogo.com/projects/everykey-your-only-key](https://www.indiegogo.com/projects/everykey-your-only-key)

------
Eridrus
One of the more surprising things to me is how few people use password
managers. I know some companies buy 1Password for all their employees and less
than half of their employees use it.

I really don't understand why that is. I've always thought it was partly a
pricing problem (which would be very bad for this $128 gadget), but when
your company is providing it to you for free, that can't be the reason you
don't use it.

------
rrebelo
I am about to finish a more limited implementation of this idea for Android
Wear smartwatches and Windows. It works by measuring Bluetooth signal
intensity (RSSI).

I already made a prototype for Mac & generic smartwatches [1], but if you have
a Pebble you'll have to disconnect the watch from the phone. Questions,
criticism & suggestions are welcome.

[1] [https://www.gadgetish.com](https://www.gadgetish.com)

~~~
Eridrus
Using just signal strength as an authenticator is a bit of a shaky idea for
actual security IMO. Car thieves have been using signal amplifiers to break
into cars for a while now.

I think you should have some initial prompt on the watch that asks the user if
it is OK to unlock the device. It's more friction, but otherwise it's
trivially bypassable.

~~~
rrebelo
> Car thieves have been using signal amplifiers

Very true. But I am using Bluetooth, and it has much better security protocols
than the plain simple radio-frequency signals for car remote controls. At the
very least, the user needs to first pair the watch with the computer. Besides,
all communication between the two is encrypted. And, to avoid Bluetooth
spoofing, there is also an exchange of time-based encrypted tokens, all
transparent to the user. There are a few more security details about it
(e.g. the authentication password is not stored in the watch, it is
AES-encrypted on the computer, etc.). I intend to write a detailed risk
assessment about it later.

In truth, my intention is someday to make it FIDO-UAF [1] compatible, if I
get the money to do it.

It is very cool to understand what concerns people have about it. Thank you.

[1] [https://fidoalliance.org/specifications/overview/](https://fidoalliance.org/specifications/overview/)

~~~
Eridrus
I believe that you can safely pair with the watch and authenticate it reliably
and an attacker can neither read nor modify what you send; this is largely a
solved problem.

But I am concerned that you cannot measure proximity accurately because an
attacker could just replay messages between the two devices and boost the
signal without being able to decipher the contents, and none of your comments
about crypto or time-based tokens convince me otherwise.

~~~
rrebelo
> an attacker could just replay messages between the two devices and boost the
> signal without being able to decipher the contents

As a simplified version of a MITM attack? That is clever, I admit I didn't
think of it.

However, even in case the attacker is able to do so, the watch would still
inform the user when the PC is unlocked. And the user can manually force a
lock, from the watch, overriding the proximity/signal strength. To intercept
this the attacker would need to decipher the messages. That is for the Android
Wear-Windows PC version, though. I admit the Mac version is not that
sophisticated, yet.

~~~
icebraining
_And the user can manually force a lock, from the watch, overriding the
proximity/signal strength. To intercept this the attacker would need to
decipher the messages._

Not if the attacker stops the relay right after the PC is unlocked.

~~~
rrebelo
> Not if the attacker stops the relay right after the PC is unlocked.

No; if that happens, the program falls back into the "user is away -> lock the
computer" mode.

~~~
icebraining
So what happens if my watch shuts down for some reason while I'm using the
computer?

------
mmanfrin
Hah -- in the demo animation, a Gmail account comes up for John McAfee; one of
the emails was from someone asking 'How do I uninstall McAfee virus?'.

~~~
brozak
Looks like he's involved in the product: [http://fortune.com/2015/12/29/john-mcafee-everykey/](http://fortune.com/2015/12/29/john-mcafee-everykey/)

~~~
int_handler
That makes sense now. :)

------
bravo22
Neat idea but how would it protect against a relaying/signal boost attack?

~~~
clinta
Not sure if they are, but it could be done by having the device measure the
round trip time of the signal, and refusing to answer if it's too long.

~~~
bravo22
Most likely not, because the turnaround time in a challenge and response, and
the clock skew between devices, are far greater than the range boost.
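An added model (constructed here, not Everykey's code or any commenter's) of the round-trip-time check clinta proposes and bravo22 doubts, which also covers the relay/signal-boost concern Eridrus raised earlier in the thread. The processing-delay and jitter figures are assumed placeholders for a BLE-class wearable and for a dedicated ranging radio.

```python
# Distance-bounding model: the verifier (PC) sends a challenge, the prover
# (wearable) answers, and the verifier checks the round-trip time (RTT).
# Radio propagation costs 2*d/c; the prover's firmware adds a processing
# delay that varies by some jitter. A relay that extends the link by x metres
# adds only 2*x/c, which is detectable only if it exceeds the jitter budget.
# Constructed example; all timing figures are assumptions, not measurements.

C_M_PER_NS = 0.299792458  # speed of light, metres per nanosecond


def propagation_rtt_ns(distance_m: float) -> float:
    """Time for a challenge to reach the prover and the reply to come back."""
    return 2.0 * distance_m / C_M_PER_NS


def rtt_threshold_ns(max_distance_m: float, proc_ns: float, jitter_ns: float) -> float:
    """Largest RTT the verifier must accept so that a legitimate prover at
    max_distance_m with worst-case processing jitter is not locked out."""
    return propagation_rtt_ns(max_distance_m) + proc_ns + jitter_ns


def observed_rtt_ns(distance_m: float, proc_ns: float, deviation_ns: float = 0.0) -> float:
    """RTT actually measured for a prover at distance_m whose firmware took
    proc_ns + deviation_ns to answer (deviation models the jitter drawn)."""
    return propagation_rtt_ns(distance_m) + proc_ns + deviation_ns


def accepts(distance_m, max_distance_m, proc_ns, jitter_ns, deviation_ns=0.0) -> bool:
    """Verifier decision: unlock only if the measured RTT fits the budget."""
    return observed_rtt_ns(distance_m, proc_ns, deviation_ns) <= rtt_threshold_ns(
        max_distance_m, proc_ns, jitter_ns)


def relay_margin_m(jitter_ns: float) -> float:
    """Extra one-way path a relay can insert while staying inside the jitter budget."""
    return jitter_ns * C_M_PER_NS / 2.0


if __name__ == "__main__":
    # Assumed figures: firmware answers in ~50 us; jitter is 1 ms for a
    # BLE-class link and 1 ns for a purpose-built ranging radio.
    for label, jitter in (("BLE-class, 1 ms jitter", 1_000_000.0),
                          ("ranging radio, 1 ns jitter", 1.0)):
        near = accepts(3.0, 5.0, 50_000.0, jitter)       # user sitting at the desk
        relayed = accepts(100.0, 5.0, 50_000.0, jitter)  # watch relayed from 100 m away
        print(f"{label}: legit@3m={near} relayed@100m={relayed} "
              f"hidden path up to {relay_margin_m(jitter):.2f} m")
```

With a millisecond of jitter the budget hides roughly 150 km of added path, so an RTT check on a BLE-class link cannot see a relay; at nanosecond resolution the same check rejects a 100 m relay while still accepting the user at the desk.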

------
advaits
The security group at the University of Cambridge has been working on a
similar project for a few years now:
[https://mypico.org/](https://mypico.org/)

------
AdmiralAsshat
Took me a sec watching the demo to realize that the person logging in is John
McAfee.

------
_itsok
Page took too long to load

------
smira7
Build yourself a honeypot! Today!

------
caleblloyd
Isn't this the same John McAfee who fled Belize in 2012 after some crazy
situation that involved drugs, guns, and a murdered neighbor?

Not exactly the guy I want safeguarding my entire identity.

[https://en.wikipedia.org/wiki/John_McAfee#Legal_issues](https://en.wikipedia.org/wiki/John_McAfee#Legal_issues)

