"Amateurs hack systems, professionals hack people." Bruce Schneier, Social Engineering: People Hacking
"Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess." XKCD
"The password is officially dead...they just don't meet the challenge for anything you really want to secure." Bill Gates, speaking at RSA Conference, November 2004
"The age of the password has come to an end; we just haven’t realized it yet. Passwords are as old as civilization. And for as long as they’ve existed, people have been breaking them." Mat Honan SF Bureau Chief, Buzzfeed in WIRED Magazine
"Passwords and simple bearer tokens, such as cookies, are no longer sufficient to keep users safe." Eric Grosse, VP of Security Engineering at Google, IEEE, January 2013
"Passwords are a disaster from a security perspective." Jeremy Grant, Head of NSTIC (the US Dept. of Commerce National Strategy for Trusted Identities in Cyberspace)

A history of passwords

The username/password protocol has been around since almost the dawn of computing. Created out organizational necessity, it has been one of the formative and most universally recognizable features of the web. Over time, the way we use the internet has radically changed and now, what seemed convenient to our grandparents, seems like a hassle to us today. The time has come for an internet evolution.

Passwords: A broken system

Every time you type a password, there's an opportunity for it to be intercepted. Attackers steal whole databases of passwords and other customer information. When using passwords for security, there's nothing you can do to protect yourself from these kinds of attacks. Clef is built on the same cryptography that software engineers have used for over 25 years. Clef protects you from all types of password attacks.

Nearly 75% of people use duplicate passwords, many of which have not been changed in five years or more. 54% of people use five or fewer passwords across their whole online life.
76% of network intrusions were carried out by compromised user accounts and 89% of breaches had a financial or espionage motive.
Security experts advise creating a password that is unique, complex, alphanumeric and not a real word but 40% of people don't bother with complex passwords at all. Year after year the most popular passwords are still "password" and "12345."
7 out of 10 people don't trust passwords to keep them secure and 8 out of 10 people are worried about their online security. But 86% of people who use a two-factor authentication method say they feel their accounts are more secure.
About 40% of people say they had “a security incident” in the past year, meaning they had an account hacked, password stolen, or were given notice that their personal information had been compromised.
37% of users have to request a password reset at least once a month costing business millions in user churn and support costs.

Information extracted from a survey by TeleSign, and the Data Breach Investigations Report by Verizon.

Callout  alex

Developers love Clef too

If you're a developer, you can get started integrating Clef to your site today with one of our plugins, sample apps, or integration guides.

Clef crushes passwords

Whathappens  300

300 characters

Instead of a password that you remember, when you log in with Clef, a 300 character signature is generated from a digital key stored on your phone. This key is transmitted to the site you're logging into and confirms your identity.

Whathappens  unique

Temporary signature

This unique signature exists for about 30 seconds each time you log in. Not only is the signature virtually impossible to guess, even with electronic means, but it would need to be guessed in under 30 seconds for a hack to be successful.

Whathappens  database

No database

Since the signature is temporary it has no reason to be stored, so Clef does not require a database of personal identifying information. This eliminates the chance of a database breach. Clef never transmits or stores any login credentials.

How two-factor authentication works

Not all two-factor authentication is the same. The way in which a system is implemented can have a big impact on the security and usability of the end product. Various authentication factors that could be applied to a two-factor authentication protocol.

Security  factor  knowledge


A shared secret known to the user, such as a username, password, or PIN.

Security  factor  posession


A physical object with a secret token, such as a USB stick, or mobile device.

Security  factor  inherence


A physical characteristic of the user, such as a fingerprint or iris pattern.

Clef architecture

There are numerous combinations of the types of authentication factors represented by different products on the market. Different companies use the different factors in unique combinations. With Clef, we've built a public key infrastructure that relies on “Possession” as the primary factor (your phone) and leverages “Inherence” (TouchID) and “Knowledge” (PIN number) methods as the secondary factors.

Clef is the most secure

Clef is built on RSA public key cryptography, which protects against many more attacks than tokens or SMS.

Clef is versatile

Clef stops attacks that other two-factor methods can't protect against and prevents people from making mistakes that could leave them at risk.

Clef is intelligent

Clef removes the vulnerability inherent in human memory by replacing codes and passwords with cryptography. Clef hides complexity with a simple UI.

Clef protects against the most attacks

There are numerous combinations of the types of authentication factors represented by different products on the market. Different companies use the different factors in unique combinations. Clef is designed to protect against more attacks than SMS or token based products.




Clef uses public key cryptography to protect logins. This means that no valuable credentials need to be stored by Clef or any website, and that each login signature is unique to the time and location, so it can’t be stolen or reused.

  • Security  bruteforce  icon

    Brute Force

  • Security  bucketbrigade  icon

    Bucket Brigade

  • Security  keylogging  icon


  • Security  serverbreach  icon

    Server Breach

  • Security  phishing  icon




Tokens (OTP)

Token two-factor authentication, like Authy and Google Authenticator, uses a “seed” which is synchronized between the website and your phone. These seeds can still be stolen, and login codes aren’t specific to a certain location, so they can be stolen en route.

  • Security  bruteforce  icon

    Brute Force

  • Security  keylogging  icon




Text messages (SMS)

Text messages use a seed that is only stored by the website, and the login code needs to be sent to your phone in a text message. They are the easiest to intercept, and also aren’t specific, so they can be stolen en route.

  • Security  bruteforce  icon

    Brute Force

Security  bruteforce

Brute Force

In a brute-force attack an individual or a large botnet of infected machines try to guess millions of credential combinations to gain access to user accounts. Brute-forcing is the oldest attack vector.

  • Every login form can be brute-forced.
  • Two-factor authentication helps with constant change.
  • Two-factor authentication does not protect passwords.
  • Clef signatures cannot be brute-forced.
Security  bucketbrigade

Bucket Brigade (Man in the Middle)

In a bucket brigade attack, an attacker intercepts communications between the user and the site where they’re logging in.

  • Attackers steal secrets in transit.
  • Two-factor codes can be intercepted.
  • Clef signatures are tied to a specific computer.
  • Clef is not vulnerable to a bucket brigade attack.
Security  keylogging


In a keylogging attack, an attacker installs malware on a computer that tracks what a user types in order to steal passwords or other sensitive information.

  • Keyloggers steal passwords.
  • Two-factor codes are one-time use.
  • Clef is typing-free so it's always secure.
Security  serverbreach

Server Breach

In order to validate a password, sites store a copy of it on their servers. In a server breach, an attacker gets access to the stored copy of those credentials and compromise a large number of accounts.

  • Stored passwords are symetrical and vulnerable.
  • Two-factor authentication systems are also symmetrical.
  • Clef is asymmetrical. There is no password database to access.
Security  phishing


A hacker attempts to acquire sensitive information such as usernames, passwords, and credit card details, for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.

  • Phishing targets weaknesses and lapses in human nature.
  • Phishers exploit domain name resolution redirecting to phishing sites.
  • Clef is passwordless which removes the access point to data.
  • Clef identifies your location with confirmation redirection.
Your browser is out-of-date!

Update your browser to view this website correctly. Update my browser now