undefined | Better HN

0 pointsMithaldu12y ago0 comments

One question: What's keeping you from developing a desktop client, so i can login without needing my phone around? From what i can see on your website, Clef simply uses a key stored on the phone to generate a password† that is then sent to the website to be logged in behind the scene. There shouldn't be anything stopping a user from using a program for this on any os, as long as it has the ability to obtain the nonce‡ from the website and the user-unique key.

† password used here in the loose sense of being a user identificator including both the identity of the user and a secret unique to the user

‡ which is even more simple than a QR, as it's simply a barcode, albeit an animated one (the animation doesn't factor into the value at all, right?)

0 comments

3 comments · 1 top-level

jessepollak12y ago· 2 in thread

Nothing is stopping us from a technical standpoint. Multiple devices is something we plan on adding, but we're being really careful about it because it increases complexity and introduces more vectors of attack. We also think that a phone is tied to a user's identity more than a computer or a tablet, so that's what we're really focusing on. Give the flow a shot and let me know what you think.

MithalduOP12y ago

As a counterpoint: It's far more likely i might be mugged for the easy cash scored by a phone that has a 500€ market price, than to have my desktop stolen. ;)

One more question:

How about sites which don't have clef implemented? Can i enter a URL into the clef app (or use some kind of JS scriptlet to generate a QR code on the fly) and have it generate me the password for that, so i can type it in manually? Maybe even store usernames for such sites?

Right now Clef has zero use for me, as i've never even seen a website that implemented it. But something like that would at least add some use.

(Also i'm sad that you didn't confirm or deny the footnotes.)

jessepollak12y ago

Right now, sites need to explicitly integrate with us. We've thought a lot about creating something that manages passwords to bridge the gap. We've actually been working on this with some community members (Joe is here somewhere) and are hoping to roll something out in the next few weeks. Sorry for not addressing the footnotes!

1. exactly, we generate a digital signature similar to SQRL

2. right. from a technical perspective, the barcode is simpler than a QR code; however, it's actually proven really important from a usability standpoint. by animating the interaction, we have more control of the user's mental model of what's going on and can provide a much more intuitive user experience.

1 more reply

j / k navigate · click thread line to collapse