[ANN] Clef is secure two-factor authentication with no passwords or tokens

[dooglus]

As we move more of our personal information into the cloud, we need security we can actually use.

I had a quick look at this.

I'm worried that if I use it, I am effectively giving the people at clef access to all my user accounts.

Is that the case? Does integrating clef compromise user security? Do we have to trust the people at clef?

I know with google authenticator I don't have to trust Google at all. I don't even have to install their app. The algorithm is public, and runs offline. Clef seems different - it's an online solution, and appears to rely on centralised servers.

[Clef]

We are featured on L’Atelier & BraveNewCoin!

L’Atelier BNP Paribas - March 19, 2015
Clef Improves Two-Factor Online Authentication

BraveNewCoin - March 20, 2015
Clef: Enhancing Security In The Bitcoin World

[dooglus]

BraveNewCoin - March 20, 2015
Clef: Enhancing Security In The Bitcoin World

I'll repeat my question in case you missed it.

Is Clef really enhancing security, or is it adding a new possible exploit vector? It seems that sites using Clef now have to trust Clef not to compromise their users' accounts (deliberately or otherwise). Is that correct? If so, that seems like it weakens security rather than strengthening it.

Before Clef: I use MtGox. I have to trust MtGox not to steal my coins or get hacked.
After Clef: I use MtGox and Clef. I have to trust both MtGox AND Clef not to steal my coins or get hacked.

With Clef, I've doubled the number of institutions who I need to trust.

Or do I have it wrong? I'd be interested in integrating Clef into Just-Dice if it really does strengthen security.

[CreationLayer]

I think the OP needs to outline the business model of Clef. How do you guys pay for all the servers and bandwidth? How do you guys pay for the technical and support staff?

https://getclef.com/pricing/

I am familiar with this.

Free tier does not offer premium features but has no user or request cap. It is offered free for the basic usage, simply because the cost for requests is relatively small, (bandwidth/upkeep) Larger clients that need the extra assistance, support, and metrics, potential white glove service/customization and training can pay for this service.

I believe the business model is to allow companies to get on board, setup and use it easily and when they scale big enough that they may need additional resources from the company they can engage, and if not, they function as a brand ambassador.

[brennen]

BraveNewCoin - March 20, 2015
Clef: Enhancing Security In The Bitcoin World

I'll repeat my question in case you missed it.

Is Clef really enhancing security, or is it adding a new possible exploit vector? It seems that sites using Clef now have to trust Clef not to compromise their users' accounts (deliberately or otherwise). Is that correct? If so, that seems like it weakens security rather than strengthening it.

Before Clef: I use MtGox. I have to trust MtGox not to steal my coins or get hacked.
After Clef: I use MtGox and Clef. I have to trust both MtGox AND Clef not to steal my coins or get hacked.

With Clef, I've doubled the number of institutions who I need to trust.

Or do I have it wrong? I'd be interested in integrating Clef into Just-Dice if it really does strengthen security.

Hey dooglas, using Clef definitely strengthens your overall security!

Instead of using passwords and seeds (which need to be stored centrally and can be stolen), Clef uses public-key crypto to log users in. That means that most hacks against a Clef-protected account are completely impossible (you can see more at getclef.com/security). If Clef is hacked, we only have the public keys and so there’s nothing for an attacker to steal or use against the user. 

You do need to trust Clef for us to provide that protection. In the pre-Clef model, every developer is asked to stay informed about and re-implement best security practices on their own and we know that many developers are making mistakes or falling out of date. At Clef, we’re focused on doing one thing well and we’re much more likely to get it right.

As for whether you can trust that we’re not a malicious company — there are a couple of useful pieces of information:
    * We’re a venture-backed company, so we’ve passed background checks and the company is well documented
    * Our address and the names of our team are all listed on our about page (getclef.com/about)
    * Clef has been around for more than 2 years and protects nearly 50,000 sites

Early on, we experimented with sharing public keys with sites that implemented Clef so that they could verify signatures (so they could trust us even less). We found that most sites preferred a simpler integration and that the sites that did the extra work frequently messed up some of the crypto because they didn’t understand it. That lowered the security and the usability of the system, so we stopped sharing them, but it’s something we still think about. I’d be happy to hear your thoughts about this.



tl;dr - to use Clef, you have to trust us, but public key auth is much harder to hack, so the overall security is way stronger

[dooglus]

tl;dr - to use Clef, you have to trust us, but public key auth is much harder to hack, so the overall security is way stronger

Do you offer a bare-bones open source client? I currently have no way of telling whether the private keys are being shared with your servers or whether they are only stored locally on my phone.

Even if the private keys are currently never leaving my phone, it would be possible at some point in the future for a rogue developer at Clef to modify the client to have it send its private keys to them, at which point I lose my coins.

I like the convenience of Clef, but it seems to compromise security too much right now to provide that convenience.

[coinking]

tl;dr - to use Clef, you have to trust us, but public key auth is much harder to hack, so the overall security is way stronger

Do you offer a bare-bones open source client? I currently have no way of telling whether the private keys are being shared with your servers or whether they are only stored locally on my phone.

I'd be interested in knowing this too

[dooglus]

tl;dr - to use Clef, you have to trust us, but public key auth is much harder to hack, so the overall security is way stronger

Do you offer a bare-bones open source client? I currently have no way of telling whether the private keys are being shared with your servers or whether they are only stored locally on my phone.

I'd be interested in knowing this too

I also don't see any options to back up my private keys.

What happens if I lose my phone?

[brennen]

tl;dr - to use Clef, you have to trust us, but public key auth is much harder to hack, so the overall security is way stronger

Do you offer a bare-bones open source client? I currently have no way of telling whether the private keys are being shared with your servers or whether they are only stored locally on my phone.

I'd be interested in knowing this too

I also don't see any options to back up my private keys.

What happens if I lose my phone?

Thanks for the questions! These are both really interesting things that we think a lot about.

We don't have a bare-bones open source client, but we are working on open sourcing all of Clef. While a bare-bones client might be appealing to some really technical users, it could lead to some really confusing (and malicious) options for non-technical users. If there are a plethora of apps that "work" with Clef, how is the average user supposed to know which ones are generating and protecting their keys correctly?

Even open source, we could be compiling something extra into the app, but you can always look at the outgoing traffic from Clef on your phone to see that we're not sending the private keys.

As for lost phones -- right now you can deactivate a phone by confirming an email and the four digit PIN used to set up the Clef account (this is heavily rate-limited and zero PIN attempts can be made until after the email has been confirmed). In the next few months we'll be rolling out some additional layers of proof to give users more options for resetting their account -- this'll include letting users download their private key and disable all other forms of deactivation/reactivation.

[S4VV4S]

What a great project!

@OP can you add the link to your homepage?
You have link to the docs, apps, etc, but not for the actual homepage: https://getclef.com/
Just link it on your logo pic 

[emrebey]

really cool idea and implementation, trying out on one of my websites.

good job.

[dooglus]

We don't have a bare-bones open source client, but we are working on open sourcing all of Clef. While a bare-bones client might be appealing to some really technical users, it could lead to some really confusing (and malicious) options for non-technical users. If there are a plethora of apps that "work" with Clef, how is the average user supposed to know which ones are generating and protecting their keys correctly?

I guess you don't link average users to anything except your polished version. But you make the algorithm public, and such that it can work without using your servers. Like how google-auth works. I don't have to use their app or servers at all to use their authentication protocol, but almost everyone does.

Even open source, we could be compiling something extra into the app, but you can always look at the outgoing traffic from Clef on your phone to see that we're not sending the private keys.

Well, I'd build my own from source to remove that danger.

As for lost phones -- right now you can deactivate a phone by confirming an email and the four digit PIN used to set up the Clef account (this is heavily rate-limited and zero PIN attempts can be made until after the email has been confirmed). In the next few months we'll be rolling out some additional layers of proof to give users more options for resetting their account -- this'll include letting users download their private key and disable all other forms of deactivation/reactivation.

There are two problems with losing your phone:

1) the finder can get into your account
2) the loser can no longer access their account

It's 2) that concerns me. How do I get back into my accounts once I lose the only copy of the required private keys? With google-auth I simply go to the paper backup of the 16 letter secret I made when I set up 2FA.

[coinking]

really cool idea and implementation, trying out on one of my websites.

good job.

I'd be interested to hear how it goes.

[brennen]

There are two problems with losing your phone:

1) the finder can get into your account
2) the loser can no longer access their account

It's 2) that concerns me. How do I get back into my accounts once I lose the only copy of the required private keys? With google-auth I simply go to the paper backup of the 16 letter secret I made when I set up 2FA.

Yeah, the tradeoff for all of this is how much Clef manages vs. how much users manage their own security process. Tools like Google Authenticator give you more control over the technical process, but that's a lot of rope to let users hang themselves with. The result is that most sites see <1% of users opt-in to using two-factor, and even in Bitcoin that number is less than 15%. For the few users who are technical enough, that helps protect their accounts (unless there is a server breach, phishing, or bucket brigade attack).

Clef sees more than 50% of users opt-in because they don't need to manage any of the process. At the site level, that means a whole lot more users are actually safe and we can reduce fraud by a much more significant factor (as well as protect from more common attacks).

For account reactivation, that focus on usability means we never ask users to write down their key (of the few people who use token-based two-factor, less than 1% write down their backup codes). Instead, we set them up with a new key pair once we confirm their identity with the process I described before.

A little while ago, I had a conversation with 5 ex-DOD white hats about Clef's architecture. At the end of my overview, one of them asked "How do you handle nation-state attacks when they're willing to used advanced interrogation to compromise an account." I told him we weren't solving for that yet

There are a lot of ways to make theoretical security gains, but the only security that matters is the security you use. 

[Clef]

What a great project!

@OP can you add the link to your homepage?
You have link to the docs, apps, etc, but not for the actual homepage: https://getclef.com/
Just link it on your logo pic 

It was linked at the bottom on the "GETCLEF.COM" in orange, also in the "get in touch" section it is the first link on the left.
I have now added it to the blue logo on the top as well.

Thanks for pointing that out. 

[coinking]

Looking good Clef - I think this will gain traction in crypto, give it time - good luck!

[Clef]

Looking good Clef - I think this will gain traction in crypto, give it time - good luck!

We thank you for the support coinking. 

[coinking]

Any news or updates to report? Keep it up!

[Clef]

Any news or updates to report? Keep it up!

Make sure you setup clef on your koinify account so your factoids are safe 

[coinking]

Any news or updates to report? Keep it up!

Make sure you setup clef on your koinify account so your factoids are safe 

Great, will do!