I used Clef to secure a personal blog that I run. Really nice, slick UI, and fun to show to people because it's so different. I had to uninstall it, though, when I had broken my iPhone and switched temporarily to an old Windows Phone I had lying around. I never reinstalled it, because an authentication method that relies on having a specific piece of expensive technology isn't all that attractive to me. Maybe it's great for someone who will always have an iPhone or Android phone, but in the last two years I've had five phones, and three of them were platforms that Clef doesn't support. This "iOS or Android" nonsense might work for games, but for any application I need to rely on for my workflow, it has to work anywhere. FirefoxOS might be the next hot thing, and if people switch to it, they're going to switch away from Clef.

At least with Google Authenticator other people can write compatible applications for other platforms.
If you remove the password, how is that a two factor?
The day you lose your phone/get robbed could lead to your worst nightmares. Definitely would never opt-in.
I lose my phone all the time (I know...), but I am pretty sure I am not the only one.
Seems like this could be simplified to simply extend standard OTP (with the caveat of requiring a camera on the laptop, probably invalidating one of the use-cases of OTP: logging in to low-security accounts on a kiosk PC):

1: Set up OTP as usual (PC/web-app shows QR code, scan code with phone. Server and phone now share a private secret for generating OTP tokens)

2: For login: phone displays QR code, PC/web-app asks for image input (with 6-digit code fallback); user holds up phone to PC camera.

I don't really see how Clef offers any benefit, except that you can't use standard OTP with Clef. Am I missing something?
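The QR-or-typed OTP login proposed above, as an added example that is not part of the thread: server-side RFC 6238 TOTP verification that accepts either the decoded QR payload from the phone or the typed 6-digit fallback, and refuses to accept a time step at or before the last accepted one, so a code captured from the phone's screen cannot be replayed. The `otpauth-login:` payload prefix, the one-step clock skew and the test secret are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Assumed QR payload format for this example: "otpauth-login:" + 6 digits.
QR_PREFIX = "otpauth-login:"
STEP = 30        # seconds per TOTP time step (RFC 6238 default)
DIGITS = 6


def totp(secret_b32: str, for_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 shared secret at a Unix time."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def code_from_input(raw: str) -> Optional[str]:
    """Accept the decoded QR payload or the typed fallback; return the digits or None."""
    value = raw.strip()
    if value.startswith(QR_PREFIX):
        value = value[len(QR_PREFIX):]
    return value if value.isdigit() and len(value) == DIGITS else None


class OtpVerifier:
    """Per-user state: the shared secret and the last time step that was accepted."""

    def __init__(self, secret_b32: str, skew_steps: int = 1):
        self.secret = secret_b32
        self.skew = skew_steps      # tolerated clock drift, in time steps
        self.last_step = -1         # highest step accepted so far (replay guard)

    def verify(self, raw_input: str, now: Optional[int] = None) -> bool:
        code = code_from_input(raw_input)
        if code is None:
            return False
        now = int(time.time()) if now is None else now
        current = now // STEP
        for step in range(current - self.skew, current + self.skew + 1):
            if step <= self.last_step:
                continue    # already used, or older than an accepted code
            if hmac.compare_digest(totp(self.secret, step * STEP), code):
                self.last_step = step
                return True
        return False
```

Whether the digits arrive via the PC's camera or the keyboard, the same verifier runs, so the QR path adds convenience without changing the shared-secret trust model.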
How is this different from the phone based 2-factor that Google once had for their own products? Honest question, not being sarcastic here.

Google used to have an authentication system that would display a QR code on the screen which you would use your phone to navigate to. That URL would then, assuming your phone was already authenticated to Google, log you in on the computer as well. I was trying to remember the name of the system, but can't come up with it.

The short version is that Google determined the system to be too insecure and vulnerable to exploit and canceled the system.
Similarly, I've been impressed by Duo's mobile applications.[1]

They offer a push authentication capability, so you only have to click "accept" or "deny" in the app on your phone. They've also got code generation and a hardware token as backups. In practice, I can usually authenticate through the phone in 2ish seconds.

Clef does look like an awfully nice user experience, though.

[1] https://www.duosecurity.com/product/methods/duo-mobile