While this may be better for some people, I find it hardly convenient that I have to have my phone with me everywhere I go in order to use this system (rather than having my password in memory). On top of that, for people like my wife, who have a knack for letting their phone die, this isn't an answer either. Then you get people like me, who have a Windows 8 phone, and there doesn't seem to be any support for this coming soon. I checked one of the sites and it looks like you sign up with Clef, which means there may not be any option to set passwords.<p>If you want a separate device for passwords, then I recommend using a Yubikey (<a href="https://www.yubico.com/products/yubikey-hardware/yubikey/" rel="nofollow">https://www.yubico.com/products/yubikey-hardware/yubikey/</a>). You can set a long string in the memory of the Yubikey as the base password and then add the site name afterwards. If you make your base password "2435ulkahsgfoiasjeoi25095iuasdfaq3uinwetpq3gtlknfoi465098aydsfaoidsaf", then for logging into Facebook you can use "2435ulkahsgfoiasjeoi25095iuasdfaq3uinwetpq3gtlknfoi465098aydsfaoidsaffacebook" and Gmail could be "2435ulkahsgfoiasjeoi25095iuasdfaq3uinwetpq3gtlknfoi465098aydsfaoidsafgmail", etc. That way you have a password that is strong and easy to remember. The caveat to this, of course, is that it wouldn't work on mobile, and if you lose your Yubikey you would have to reset all of your passwords.
Clef preaches two-factor authentication... but I'm pretty sure that's not what it is, unless they skipped showing something in the video.<p>The video only shows one factor of authentication. There's no password involved (which is normally the first factor).
This feels somewhat MitM-able. Say I want to get access to your account on site Foo. I create a web site and entice you to log in on it using Clef. However when you initiate the flow I don't create a Clef code normally, but I replace it with a code for site Foo. Voila, my authentication to site Foo completes, and then given this I can pretend that you successfully authenticated to my site too (or error out and ask you to try again).
The biggest threat to this is that it's a 4-digit code to unlock on the phone. A stolen phone would allow access to everything. Figuring out that 4-digit code is super easy from fingerprints.<p>To make it more secure it should be two-factor. The user enters a code, scans, and then the phone gives them a unique code to enter.
Nope, it is not solving that old password problem. It has created a freshly minted chicken-and-egg problem. <a href="http://www.joelonsoftware.com/articles/fog0000000037.html" rel="nofollow">http://www.joelonsoftware.com/articles/fog0000000037.html</a><p>If you want to solve the password problem, just invent a simple mixed mnemonic/hashing solution that will allow people to derive passwords for different sites with ease but that are hard to reverse.<p>Also, how can I log into any site when my iPhone battery is dead?
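The two derivation schemes floated in the thread (the Yubikey comment's "base string plus site name" and the "mnemonic/hashing" idea above), side by side as an added example that is not code from the thread or from Clef. It reuses the base string quoted in the Yubikey comment as a constructed secret; the HMAC construction, the site-name normalisation, the output length and the `counter` parameter for rotating one site's password are the editor's assumptions, not anything the commenters specified.

```python
import base64
import hashlib
import hmac

# Constructed base secret, taken from the Yubikey comment above; purely illustrative.
BASE_SECRET = "2435ulkahsgfoiasjeoi25095iuasdfaq3uinwetpq3gtlknfoi465098aydsfaoidsaf"


def concat_password(base: str, site: str) -> str:
    """The Yubikey comment's scheme: the base string followed by the site name."""
    return base + site


def recover_base_from_concat(leaked_password: str, site: str):
    """What an attacker can do with one leaked concatenated password: if the
    site name is known (it usually is, from where it leaked), the base string
    is simply the prefix, and every other site's password follows from it."""
    if leaked_password.endswith(site):
        return leaked_password[: -len(site)]
    return None


def derived_password(base: str, site: str, counter: int = 1, length: int = 24) -> str:
    """The hashing scheme: HMAC-SHA256 keyed with the base secret over a
    normalised site name plus a counter. The site name is lowercased and
    stripped so 'Facebook ' and 'facebook' derive the same password; bumping
    the counter gives a fresh password for one site after a forced reset
    without touching the others. Length 24 of base64 is an assumption."""
    site_norm = site.strip().lower()
    message = f"{site_norm}\n{counter}".encode()
    digest = hmac.new(base.encode(), message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()[:length]


if __name__ == "__main__":
    leaked = concat_password(BASE_SECRET, "facebook")
    print("concat scheme, base recovered from one leak:",
          recover_base_from_concat(leaked, "facebook") == BASE_SECRET)
    for site in ("facebook", "gmail"):
        print(site, derived_password(BASE_SECRET, site))
```

With HMAC the per-site value is a one-way function of the base, so a single leaked site password does not hand over the others; the remaining risks (a dead phone, or a lost Yubikey in the concatenation case) are the ones the comments already raise.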
This application needs to be something that runs on an open source TI-86 equivalent piece of hardware with no network connections and a battery life of forever instead of an iPhone application, and then it will actually be successful. Until then, anyone smart enough to actually give a shit isn't going to be particularly interested.<p>People would certainly be more inclined to trust Microsoft, Apple, or Google with this sort of task than Joe Startup, and they haven't yet. Therefore, while this is a valid need, and really a very big market opportunity, I don't buy that anyone will succeed commercially with it unless they just set themselves up as the distributors of commodity open source hardware that does the job.<p>People do make shitloads of money selling commodities.
I'm not using this, for the same reason I'm not using FB to log in everywhere: I don't want anyone knowing every site I log into.<p>This is one of the big advantages of BrowserID/Persona: no individual site controls anything.
Just the other day a friend came up with seemingly the same idea. Since he was there, he explained his design to me and I tore a huge hole in it. Then I explained to him that it was pure luck that I could see the problem; a far more likely outcome is that the problem would be there but I wouldn't see it.<p>Bottom line, I wouldn't touch it with a 10-foot pole until tptacek stakes his name on it.
So, we're degrading QR codes to make them friendlier now?<p>I feel like a service like this would have been better served if they had released with a major site as a partner. I get that there is a cart/horse aspect to new authentication methods, but a big cart would have helped this horse.
I feel like there are holes in this but I am definitely delighted to see people experimenting in this space; I've been feeling like passwords need to die for a while now.<p>Q: How do you log onto a Clef-enabled site from your phone?
Unless I'm massively mistaken, this is basically just using Clef as a delegated authentication provider, except your phone performs automatic login to Clef using a key that is not visible to you.<p>The big problems here are:<p>1) If Clef ever goes away, your entire userbase is locked out from their accounts.<p>2) If Clef is ever down, your entire userbase is locked out from their accounts.<p>3) The phone becomes a single point of security failure.<p>Passwords can obviously get better, and I think that using something like personal mobile devices to help fix the issue is a step in the right direction, but I'm not sure that this is the right solution.
I think there's a big chicken-and-egg problem here, since why would websites use it before there are users?<p>But it also seems like it would be too much of a hassle for users. If they let their browser or LastPass save the passwords, they can log in automatically without multiple steps involving a phone. I mind having to take out my phone for regular 2-factor authentication, but I normally only need to do that once for each device. I also find that I would rather type in a couple of digits than wait for a camera and QR code recognition.
I seem to remember Google offering something very similar to this that relied on scanning a QR code on a known device? (I could be mixing up stories, though.)
OneID is a similar service. Unlike OneID, this service actually presents itself in an attractive way with a straightforward website which doesn't suck.