Forget Your Passwords

Literally!!

Article by Tammy Orr

Last night I needed to log in to a website. I clicked ‘Log In’ and some bouncing waves appeared on my laptop screen. I pointed my smartphone at them, and a split second later I was logged in.

Does this sound like the future?

There was no username involved. No password. No link for “Oops, forgot my password (again)”. No “CAPS LOCK is on” warning. I did not even touch the keyboard. All the most frustrating and infuriating elements of the login process were gone!

Also, onlookers were entertained and awed. Was I using alien technology from the future? What were these wibble-wobbling waves? How could this work? What happened to Index Card Girl?

Let’s rewind. It began when I needed to create several login accounts for a new project a few weeks ago. The first website had a perfect storm of password requirements, forcing users to create easily broken passwords like abcdef12 or footba11. I was not happy about that. The next website had the most painful and tedious requirements I’d ever seen. My first five randomly generated passwords were refused for:

  • Password too long (must be eight characters or less)
  • Too many capital letters, despite presence of lowercase letters (no more than 3 capitals allowed)
  • Not enough symbols (must be at least two?!)
  • No [square brackets] allowed (what on earth?)
  • No aster*sks allowed

I wondered if I was ever going to hit anything that worked. Finally the sixth password did. I pondered all the scribbles on my index card. The day was here–conventional passwords are too easily broken by computers, and too impractical for humans.

I decided it was time to stop fantasising about hurling my password cards into the pond, and just do it (But not literally. That would be littering. And index cards have bleach in them, which is not nice for ponds!). I looked at an annoying email from my web hosting company, asking me to protect my website with two-factor authentication. They were suggesting Clef. Clef is new and I didn’t know much about it.

So I went to the internet and read about Clef, including the white papers. I liked what I saw. So I tried Clef on my personal website for a while. Pointing my smartphone at the screen when I needed to log in and do support tickets was safer than the conventional way – and fun too!

One of the important selling points for me was that Clef has a ‘kill switch’. This means if you log in to a strange computer, forget to log out, hop on a train, and then realise someone could be reading your most interesting emails – you just press a ‘log out’ button on your smartphone. Then Clef instantly logs you out of everything, everywhere. If your mobile phone gets stolen, you can disable it and activate the kill switch through the Clef website.

So I used Clef for a while, and added a Chrome plugin that allows Clef to work with websites that normally rely on passwords, such as Facebook and Reddit. This means now I point my smartphone at everything* to log in.

*Everything except the NHS blood donation website. It doesn’t like Clef. There will always be outliers…

Using Clef feels like whizzing through the ‘already paid my toll’ lane on the superhighway, or rushing through the pilots’ queue at airport security. It also feels a bit like I time-travelled forward, forgot the scary bits, and returned with a piece of futuretech. Clef’s headline is fitting: “Two-factor authentication from the future.”

So how does it work? Clef is a two-factor authentication system (often abbreviated 2FA). 2FA is a security concept much older than computers. It just means that the system requires two separate pieces of proof that you are who you claim to be. It’s like when you are renewing a driving license or a passport–you need to present both a birth certificate and a second form of ID, such as a council tax bill or marriage certificate. That’s 2FA.

In Clef’s case, the first piece of proof is your phone itself, which you register with Clef. That makes that phone both your ID and your ‘password’. Your second piece of proof is your Clef PIN. You enter your PIN into the phone when logging in to a different computer.

When you log in with Clef, instead of a normal login screen, you have a mesmerising picture of bouncing waves. Your smartphone takes a snapshot of the waves, and sends it to a Clef server. The server decides whether your phone is really your phone (the phone sends a 300+ character key to identify itself) and whether it really saw the real waves, and then it lets the website know whether your login succeeded.

So what happens if your password-slash-phone is dropped down the loo and dies, or runs out of battery at a bad time? You can register backup devices with Clef (and you should). So, if you have a second smartphone, or a helpful housemate has one, or you can run down to the shop and cough up cash for a burner*–that’s the backup plan. (*Note: a phone needs a camera to work with Clef.)

The first question I had when I learned about Clef was: What is it doing with my passwords? And the answer is, it is replacing them. Clef knows precisely nothing about conventional passwords. Your smartphone is your password. So, instead of memorising wacky sentences (see my previous article) or writing passwords on index cards (another previous article), you just remember to bring your smartphone.

I also wondered what websites Clef works with. If you use the Chrome browser, many of the most popular websites are integrated with Waltz, a plugin that lets you log in with Clef. These include Facebook, Amazon, eBay, craigslist, Google, Netflix, Microsoft, Reddit, Twitter and many others. Sites using WordPress, which make up just over a fifth of the internet, also work with Clef.

Clef and its plugin Waltz are the first password management products that I feel could be viable and relatively safe for regular people, while also (greatly) simplifying the login process. If you are frustrated with password management, have a smartphone with good internet coverage, and have no problem keeping it charged, then Clef might be worth a look.