@chelsea_otakan Thanks Chelsea! We're around to help when you're ready to try it out :)
I use Clef for logging into our backend admin system simply because I didn't want anyone/thing pummeling a login form. Works like a charm and API Documentation is great, I'm sure this is no different.
@gerbz Aw, thanks for this note — it made my day! We love Clef and are excited to bring the same simplicity we've brought to the end-user experience to the developer experience with Instant 2FA.
Great stuff! Does the threat model differ in any way from normally integrating 2FA (including Clef acting in bad faith)? @landakram
@zrathustra Hey Andrew, thanks for the question :)
If a company implements 2FA on their own, then they're responsible for following best practices like encrypting OTP seeds at rest. In the event of a breach, an attacker has access to both passwords (hashes, hopefully) and OTP seeds (encrypted, hopefully).
With Instant2FA, an attacker must breach both the company and Instant2FA to impersonate users who have 2FA enabled (since we store the seeds, but don't know anything about usernames and passwords). FWIW, we follow best practices, encrypting seeds at rest and hashing backup codes. If someone within the company acted in bad faith, the threat model stays the same -- since we don't have access to a company's database, a bad actor wouldn't have the knowledge factor needed to maliciously access someone's account. Of course, we also limit access to our database and infrastructure within the company on a need-to-know basis.
@landakram Awesome, this is a cool product. Are there plans for integrating Clef (or another generic asymmetric auth protocol) as a second factor?
Also a quick nit - will my homebrewed U2F token work (currently only branded as Yubikey in the UX right now)? ;)
@zrathustra @landakram Definitely plans for integrating Clef & other asymmetric auth protocols. And, yes! We'll support generic U2F at the same time we support Yubikey :)
I've been following the Clef team for a while and have been quite impressed. This is a critical security need for all sites/apps, and with the simplicity of Instant2FA, it's a no-brainer!
I love Clef but hate that very few sites support it. This looks awesome but I'm wondering.... Since Clef isn't supported at start and it's your own 2FA solution plus PH taglines saying that the company is now Instant2FA instead of Clef, are you putting Clef on the back burner?
Clef hasn't taken off as much as it could have so I'm just curious about what you see for the future of Clef alongside this @brennenbyrne @jessepollak @landakram @aayush @gwongz @darrelljonesiii
Hey Brandon, that's a really good question. We still think that crypto-2FA on our phones, like Clef, is the future of logging in, but there's a lot of work to be done before it's easy for websites to support it. In the short term, Clef is going on our back burner while we build out the tools that developers need (Instant 2FA), but in the longer term we still believe in that technology and that user experience.