Clef is a two factor authentication system that allows people to log into a website without entering any password or username. Unlike Authy and similar multi factor authentication apps, with Clef you don’t have to type in anything: you only point your mobile phone camera towards a wave displayed on the computer screen and Clef will automatically sync it without pressing any button, granting you access to the site and saving you substantial typing time.
The main drawback I have found in Clef is that very few sites are currently using it. To be precise, not a single one of the sites I am a member of can be accessed via Clef, but then, few forums have two factor authentication to start with. Anyway, I liked Clef so much that when I found out there was a free WordPress Clef plugin, I installed it in my own blog, with the hope of protecting myself from brute force attacks and saving time.
I have now disabled all usernames and passwords in this blog. The only way to log in is using Clef; if you are trying to brute force me, you are wasting your time.
The first step for using Clef in a WordPress blog is to download the app for Android or iPhone from the marketplace. The second step is to install the Clef plugin from the WordPress plugin directory. There are close to one million WordPress blogs using it according to official statistics.
You will be asked for a 4 digit PIN to protect your Clef app; this way nobody can gain access to your sites if you lose your phone. You will also be asked for an email address to cancel your account if your phone goes missing. By visiting Clef.com/lost and entering your PIN you can deactivate your account and reactivate it on a new device in less than a minute by clicking on a confirmation link received in your inbox.
After you have synced (scanned) a wave on the screen, all of the sites in your account will be accessible. There is no need to keep syncing waves, and from the app you can set the session time to expire in just a few minutes or set it to infinite time.
Clef is perfect for accessing a private website from a library or Internet cafe. Not only can keyloggers not capture any credentials, not even the username, but the session will also have expired after you finish browsing. If you forget to log out of a website on a public computer, it can be done remotely from within your Clef account, where the sites you are currently logged in to can be deleted.
For extra security there is an activity stream listing your Clef activity: who is logged in, what sites, timestamps and dates, etc. can all be checked inside the Clef account.
The WordPress Clef plugin panel is equally sophisticated. You can disable all login passwords or require the wave sync and password at the same time. It can be further adjusted by disabling passwords only for WordPress users with privileges greater than or equal to an Author, Editor, Administrator, etc., and by hiding the password login window so that the Clef wave is shown as the only login option.
If you choose to disable passwords in your WordPress blog, you can create a hidden link where passwords can still be used. This is a good safety precaution if for whatever reason one day you don’t have the phone with you and don’t wish to completely disable Clef.
There is also a password manager for Chrome (Firefox and Safari versions in the works), called Waltz, that will encrypt your username and password in your browser and store them locally using AES, so that the next time you have to log in to a site you can use Clef for that site even if the webmaster has not implemented it.
It took me some time to understand how Waltz worked because there is no mention of it anywhere on the official Clef website. This is not an official plugin, but it is open source and the author claims to have Clef’s blessing for the application. It appears to work fine the few times I tested it; I am currently using Waltz for Amazon and Twitter.
Something to take into account is that Clef claims that it will always be free for users, but they charge a monthly fee to businesses implementing their two factor authentication system. I suspect this is going to stop many adopters, especially non-profit websites.
However, the WordPress plugin is free and WordPress webmasters do not have to pay anything for using it. During the month I have been using Clef there have been a couple of times when the login window took a while to let me in. Do not forget that Clef is hosting the authentication infrastructure, and if their servers ever go down you will not be able to log in; the only workaround would be reinstating passwords.
Overall, I love this app, I prefer it over any other 2FA app because of the time it saves me and time is money. I am only a little concerned about Clef servers suffering a DDoS if it becomes too popular but I am sure if that ever happens the company will know how to deal with it.
Since Clef charges businesses a monthly fee based on the number of users they have on their site, I can’t see too many webmasters adopting the technology when they can have a mobile app authenticator for free.
Summing up, this is an exceptional 2FA app for users that, due to the monthly fees to webmasters, might find take-up slow. I certainly would not pay for it since I am not running a website that can justify the expense and I could have had a less convenient 2FA for free, but I would be very happy to see this app all over the Internet instead of a Yubikey, which charges the user, or a 2FA app requiring far more time to log into a site.