Everyday it becomes more apparent: our online information is not as safe as we’d like it to be. There have been numerous reports of hackings, password losses, and other security breaches. Internet giants like LinkedIn, Yahoo, and Evernote have reported leaked users’ passwords within the last year alone. Information like credit card data and school records continues to be accessed by hackers, no matter the safeguards in place. In short, however good you think your password to be, you’re probably not as secure as you’d like.
That was at least the thought of three 22-year-old from Southern California.
Today marks the official launch of Clef, a new secure way of logging into websites using just a smartphone and without any reliance on usernames or passwords. The process for logging is quick: all you do is click a link to “Log In With Your Phone,” which then shows a “Clef Wave.” The Wave is similar to a QR code, in that Clef users’ smartphones capture the wave almost identically to how we capture QRs. The capture sends the website’s information to the phone and the smartphone automatically responds with a digital signature, which completes the login process.
This launch comes after a few months of private beta testing, with the hopes that users and sites alike will start adopting its new login model.
The three co-founders are all recent computer science graduates from Pomona College. A year back they noticed how many internet giants were facing major security breaches. Brennen Byrne, Clef’s CEO, took notice of the LinkedIn debacle while working with a professor on security research. He took research and knowledge and grafted it onto his work with Clef.
Clef eliminates the need for user names and million unique passwords by utilizing a login process that implements military grade cryptography. According to its founders, that makes it pretty secure. Apparently companies have been taking note. As of now more than 250 websites have begun to implement Clef, including Hootsuite, LiveJournal, and WordPress.
Another safeguard Clef touts is its distributed architecture. All of the secure information that is sent and received is never stored on any of Clef’s servers. As Byrne explains it, “All of the private keys, which are the things that actually get you into sites, are on users’ phones. So if an attacker got access to our database and read every line of information that we store, they wouldn’t be any closer to hacking an identity.”
If Clef is as secure and easy-to-use as its founders make it out to be, it has a chance. Its two most obvious competitors are OneID and LaunchKey. The founders claim Clef to be more secure due to its distributed architecture, which, according to Jesse Pollak, Clef’s chief product officer, means that it has “no central point of failure.” In other words, your identity is much safer.
Still, it’s too early to tell whether this is a stand alone business or simply the kind of service that a Facebook or Twitter would get into, which would mean it’s a risky proposition for the company. That said, it’s true that two-step authentication is a pain, and I do always have my smartphone on me. Clef is banking on people using its technology, liking it, and expecting it on every site they access. On one hand, this could be a new product bringing authentication to a new paradigm. On the other, Clef’s feature could easily be co-opted by a larger company and offered as part of a suite of security features. Either way, the technology is new and definitely better than standalone passwords.
If Clef were to become commonplace, does that mean we’ll stop hearing of massive breaches? Maybe, maybe not; hackers always find new vulnerabilities to highlight. But Clef’s founders would like us to think that at least our current logins woes would be over.