Just asking here as is the most hacked community on the web I expect!
Not an ad I promise! Just wonder if anyone done any research on them?
https://getclef.com/Really nice way to secure a site (and looks pretty!). To login to site need smartphone/app and 4 digit pin (same for all sites).
App on phone locks you out after a few wrong guesses for a period of time (not sure how long - still waiting!!).
Obvious route in is the "lost phone" web page. You then need to be able to intercept the users email and know their 4 digit pin.
I assume clef have some way to prevent brute forcing the pin, and since you only ever normally use the pin to unlock app on your phone seems reasonable secure as pin never leaves your phone normally.
Also they refuse to reset pins. All you can do is delete account if you can access your email. This seems a bit of a weakness to me - as any attacker with access to you email can lock you out of all your accounts! But that is normally a smaller problem than them having access to them all.
