By now you’ve no doubt heard about the Heartbleed security situation. If you haven’t quite grasped how this might be used to compromise your passwords, xkcd had a great cartoon that helps explain it. Regardless of your exposure, it’s a big deal.
Heartbleed has shown once again that passwords can often be inconvenient, insecure, and abused (and now they all need to be changed) but there just haven’t been a lot of good options to do things differently.
Until now.
Clef is a new service that does two-factor authentication a bit differently. Two-factor authentication refers to the process of having two factors in place before you gain access to accounts or websites, usually 1) something you know and 2) something you have. Many times, the something you know is your email, account number, or username. The something you have is usually a device, often a phone. Many two-factor authentication services offer a passcode sent to your phone for the second factor. Clef, however, uses a “wave” that provides a unique pattern that must match between your phone and your login screen. It’s a wave, and just not a bar code, as it’s in motion as you use it.
Clef works with WordPress sites to allow authentication without a password. Install the Clef plugin on your site and set up your Clef account. Clef sets up a profile on your phone and uses a private key to access that information. No details are stored in the Clef database, so there’s nothing to compromise there. Each time you want to log in to your site, Clef creates a new digital signature. Then using a unique wave pattern that is synced between your phone and your website, a digital signature is sent off to the Clef servers, who verify your identify, and then communicate with your site’s servers using OAuth to grant access. Your digital signature is the only thing sent across the network and since it’s a one-time-use private key, it has no value even if someone were to pick it off the transmission.