"Amateurs hack systems, professionals hack people." Bruce Schneier, Social Engineering: People Hacking
"Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess." XKCD
"The password is officially dead...they just don't meet the challenge for anything you really want to secure." Bill Gates, speaking at RSA Conference, November 2004
"The age of the password has come to an end; we just haven’t realized it yet. Passwords are as old as civilization. And for as long as they’ve existed, people have been breaking them." Mat Honan SF Bureau Chief, Buzzfeed in WIRED Magazine
"Passwords and simple bearer tokens, such as cookies, are no longer sufficient to keep users safe." Eric Grosse, VP of Security Engineering at Google, IEEE, January 2013
"Passwords are a disaster from a security perspective." Jeremy Grant, Head of NSTIC (the US Dept. of Commerce National Strategy for Trusted Identities in Cyberspace)
Developers love Clef too
If you're a developer, you can get started integrating Clef into your site today with one of our plugins, sample apps, or integration guides.
Instead of a password that you remember, when you log in with Clef, a 300-character signature is generated from a digital key stored on your phone. This key is transmitted to the site you're logging into and confirms your identity.
This unique signature exists for about 30 seconds each time you log in. Not only is the signature virtually impossible to guess, even with electronic means, but it would need to be guessed in under 30 seconds for a hack to be successful.
Since the signature is temporary it has no reason to be stored, so Clef does not require a database of personal identifying information. This eliminates the chance of a database breach. Clef never transmits or stores any login credentials.
A shared secret known to the user, such as a username, password, or PIN.
A physical object with a secret token, such as a USB stick, or mobile device.
A physical characteristic of the user, such as a fingerprint or iris pattern.
Clef is the most secure
Clef is built on RSA public key cryptography, which protects against many more attacks than tokens or SMS.
Clef is versatile
Clef stops attacks that other two-factor methods can't protect against and prevents people from making mistakes that could leave them at risk.
Clef is intelligent
Clef removes the vulnerability inherent in human memory by replacing codes and passwords with cryptography. Clef hides complexity with a simple UI.
Clef uses public key cryptography to protect logins. This means that no valuable credentials need to be stored by Clef or any website, and that each login signature is unique to the time and location, so it can’t be stolen or reused.
Token two-factor authentication, like Authy and Google Authenticator, uses a “seed” which is synchronized between the website and your phone. These seeds can still be stolen, and login codes aren’t specific to a certain location, so they can be stolen en route.
Text messages (SMS)
Text messages use a seed that is only stored by the website, and the login code needs to be sent to your phone in a text message. They are the easiest to intercept, and also aren’t specific, so they can be stolen en route.
In a brute-force attack, an individual or a large botnet of infected machines tries to guess millions of credential combinations to gain access to user accounts. Brute-forcing is the oldest attack vector.
- Every login form can be brute-forced.
- Two-factor authentication helps with constant change.
- Two-factor authentication does not protect passwords.
- Clef signatures cannot be brute-forced.
Bucket Brigade (Man in the Middle)
In a bucket brigade attack, an attacker intercepts communications between the user and the site where they’re logging in.
- Attackers steal secrets in transit.
- Two-factor codes can be intercepted.
- Clef signatures are tied to a specific computer.
- Clef is not vulnerable to a bucket brigade attack.
In a keylogging attack, an attacker installs malware on a computer that tracks what a user types in order to steal passwords or other sensitive information.
- Keyloggers steal passwords.
- Two-factor codes are one-time use.
- Clef is typing-free so it's always secure.
In order to validate a password, sites store a copy of it on their servers. In a server breach, an attacker gets access to the stored copy of those credentials and can compromise a large number of accounts.
- Stored passwords are symmetrical and vulnerable.
- Two-factor authentication systems are also symmetrical.
- Clef is asymmetrical. There is no password database to access.
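The symmetric/asymmetric distinction drawn above and in the token two-factor comparison, as an added example that is not Clef's code or protocol: it contrasts what a server must store to verify an RFC 6238 TOTP code with what it must store to verify a public-key signature over a login challenge. Assumptions: the RSA key is a toy built from two small Mersenne primes with no padding, and the function names, challenge strings and `server_db` layout are hypothetical.

```python
import hashlib, hmac, struct

def totp(seed: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code depends only on the seed and the time."""
    mac = hmac.new(seed, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def server_verify_totp(stored_seed: bytes, code: str, unix_time: int) -> bool:
    # Symmetric: the server recomputes the code from its own copy of the seed.
    return hmac.compare_digest(totp(stored_seed, unix_time), code)

# Toy RSA key (assumption: constructed from two Mersenne primes, far too small
# and unpadded for real use; it only illustrates the public/private split).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: exists only on the phone

def digest_int(challenge: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % n

def phone_sign(challenge: bytes) -> int:
    return pow(digest_int(challenge, N), D, N)

def server_verify_sig(public_key: tuple, challenge: bytes, signature: int) -> bool:
    # Asymmetric: verification needs only (n, e); nothing stored here can sign.
    n, e = public_key
    return pow(signature, e, n) == digest_int(challenge, n)

def breach_demo() -> dict:
    # Constructed record of what each scheme keeps server-side for one user.
    server_db = {"totp_seed": b"12345678901234567890", "rsa_public": (N, E)}
    now = 59
    # A copy of the stored seed yields exactly the code the server expects.
    code_from_copied_seed = totp(server_db["totp_seed"], now)
    # Constructed login challenges: fresh nonce, site and time in each.
    login_a = b"nonce=7f3a|site=example.test|t=59"
    login_b = b"nonce=c210|site=example.test|t=95"
    sig_a = phone_sign(login_a)
    pub = server_db["rsa_public"]
    return {
        "copied_seed_code_accepted":
            server_verify_totp(server_db["totp_seed"], code_from_copied_seed, now),
        "signature_accepted": server_verify_sig(pub, login_a, sig_a),
        "old_signature_on_new_challenge": server_verify_sig(pub, login_b, sig_a),
    }

if __name__ == "__main__":
    print(breach_demo())
```

The TOTP record is itself the credential, while the signature record contains only the public half of the key, and a signature made for one challenge fails verification against the next.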
A hacker attempts to acquire sensitive information such as usernames, passwords, and credit card details, for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.
- Phishing targets weaknesses and lapses in human nature.
- Phishers exploit domain name resolution redirecting to phishing sites.
- Clef is passwordless which removes the access point to data.
- Clef identifies your location with confirmation redirection.