Clef, a two-factor authentication platform, has recently gained traction in the Bitcoin space with companies like Koinify integrating it to secure their platform. Today, Clef announced True Logins, a new anti-phishing mechanism.
Phishing is when an attacker disguises themselves and pretend to be another website. For example, an attacker might use faceboook.com, with three “o’s” so a user thinks they are on a normal, secure website. Then, if the user types in their password for the real site, the attacker can steal the user’s account. In fact, phishing attacks have been used to steal millions of dollars from unsuspecting online bank customers, spread malware to countless address books, and in some cases obtain high-level trade and government secrets.
To combat phishing, Clef’s True Logins issues a unique URL to a user’s mobile device, like dogs.getclef.org or cats.getclef.org. Only that URL can be used to authenticate the user’s account. If someone is attempting to utilize a user’s authentication through a spoofed phishing site, for instance, a bogus URL, Clef will deny the request because it will detect the authentication URL is not valid. So, even if a user clicks on a phishing link or gets caught on a fake site, Clef still protects the user and their account.
With traditional two-factor solutions like mobile texting or Google Authenticator, once a user enters the 2FA numbers on a phishing site, an attacker can turn around and use those same credentials to immediately access that account. In phishing-based scenarios, this essentially makes two-factor useless because users are still transmitting credentials in plain text.
Clef’s signature wave authentication method also utilizes public/private key technology, the same that Bitcoiners trust to secure their coins on the Blockchain, and authentication is as simple as scanning a moving wave of bars with a mobile device. With Clef, users can also un-authenticate all their sites remotely from their phone. So, if a user happens to login, and walks away from their computer, or forgets to log-out for some reason, Clef signs them out of all their accounts in one touch. With traditional two-factor authentication, if an account is left logged-in the user would have to visit each site and log out, or wait for the session to timeout.
For Developers, Clef is as easy as integrating an OAuth request. No complex backend integration or maintenance needed. Two-factor requests are free, no matter how many you have, and you’ll have all the benefits of the anti-phishing, single sign-out and secure public/private key crypto, with only a few lines of code. For users, single sign-on means once they have authenticated their device, any Clef site can be logged into without re-entering a code. Plus, all sites can be logged out instantly.
Clef currently secures the logins for more than 40,000 websites, a figure that is fast growing as user demand for a simpler option mounts. It is also available in ten of the major world languages and will have updates for both its iOS and Android applications released soon.
Is it time for more Bitcoin companies to join the wave and start utilizing the secure, free and state of the art features of Clef? Let us know in the comments!
Images from GetClef.com