Clef, an authentication client that combines several solutions for problems posed by centralized systems, continues gaining ground. Initially launched in early 2013, its appeal has recently inspired a partnership with AlphaPoint, a lead provider of cryptocurrency exchange software. Derek Minter, Clef’s founder, claims that Bitcoin inspired the project. What similarities do these systems really bare, though?
Like Bitcoin, Clef employs RSA cryptography – the use of private/public key pairs for signing and validating messages – in order to surmount the vulnerabilities posed by storing passwords on a database. This not only negates the risk of a hacker stealing passwords from the server, but also avoids any need for transmitting the private key (analogous to a password) during authentication, thus further protecting users from hackers that might try to intercept their communication.
Unlike passwords, which users must communicate in order to authenticate themselves, private keys require neither transmission from the user’s device (thus negating the threat of interception), nor storage on the system requesting authentication (thus avoiding the risk of a database security breach). Instead, RSA cryptography uses a hash function to incorporate verifiable information about the private key into a message – called the signature – which the user then sends as proof of its identity.
Unlike databases that use passwords, the source requesting authentication does not rely on an identical copy of the private key for verifying this signature. Instead, the source uses a public key – hashed from the private key – to provide a means of verifying the signature without the key needed to generate it. Also unlike passwords, the size of private keys renders RSA cryptographic algorithms practically immune to brute-force attacks, thus protecting users from every threat that doesn’t manage to copy their public key directly from their device’s hard drive (e.g. physical theft, a trojan horse, etc).
Unlike Bitcoin, however, which relies on 256-bit private keys, Clef uses 2048-bit private keys, permanently associated with the user’s mobile device, and streamlines the signature process by using the device’s video camera. To protect users from identity theft if their device gets stolen, Clef implements a second authentication factor: it uses fingerprint recognition by default, and falls back on a PIN number in cases of devices that lack biometric identification. Clef also generates a unique signature with each login, which expires within seconds; this rapid invalidation of the signature deprives attackers from potentially useful information.
Clef also subtly implements a further factor regarding location, in an attempt to combat phishing. When users log in from a new computer for the first time, a feature called “True Logins” prompts them to check their URL, and redirects them to getclef.com for further instructions in the event that anything seems fishy. After this brief initial confirmation, logging in proceeds as normal without the extra step.
Perhaps most importantly, though, Clef offers all these aforementioned features free of charge, helping assure its popularity and a large user base. Premium features include fraud usage metrics, priority technical support, and guaranteed 99.99% uptime, at prices ranging from $299 per month to over $10,000 per month, depending on the monthly number of logins.
In short, Clef not only takes Bitcoin’s most appealing feature, RSA cryptography, and offers extension of its protection to potentially all websites’ login information, but also builds on it with several improvements: a 2048-bit private key, video streamlining of the login/signature process, as well as a second (and arguably third) authentication factor, all free of charge. These feats offer a revolution in authentication security, much like Bitcoin did for economics, and might soon render the use of cryptocurrency convenient enough to go mainstream on a global scale.