Launch HN: Keyri (YC S21) – Secure smartphone-based passwordless authentication
Passwords suck - they're terrible for security and terrible for ease of use. 2FA solutions are clunky and still insecure - for example, SMS-based 2FA doesn't work when you travel abroad, and it can be defeated with phishing and SIM swapping. They also allow users to share their subscription accounts with others, robbing companies of revenue. Password-based auth also enables the sort of bot activity that renders sites like Ticketmaster and StockX unusable for real customers.
2FA methods currently in the market represent a tradeoff between security and ease of use. Secure 2FA methods like USB keys are a pain to use, while easy 2FA methods like SMS passcodes are unsecure. Keyri essentially takes the USB key concept and puts it in users' phones. This is hard to do in a secure way while maintaining a seamless UX due to the need for two-way communication to prevent phishing. Some enterprise-focused smartphone-based passwordless solutions require a Bluetooth or WiFi connection between users’ phones and their other devices to ensure security, which is obviously untenable for rollout to mass audiences. Our system works securely 100% over HTTPS and computer vision (beyond just reading QR codes). An additional difficulty is that companies don't want to force their users to download a third-party app. We solve this with our SDK that allows companies to bake our passwordless auth capability into their apps.
Keyri replaces passwords with public key cryptography plus biometrics. Instead of remembering and typing in your credentials, authentication happens by just scanning a QR code (on desktop web) or tapping a button (on mobile web and mobile native apps). Thanks to biometrics and cryptographic functions happening in the background, multi-factor authentication happens in one step that takes less than a second.
At registration, the Keyri SDK generates a key pair, stores the private key in the phone's secure enclave, and sends the public key to the relying party's (our customer’s) credential server. At login, the SDK first verifies the user's identity via biometrics (Face ID etc.), then generates a signed authentication request using the stored private key, then sends that request to the relying party's auth server, which authenticates the user by verifying the signature using the public key it received during registration. The user's private keys never leave their phone. There's a lot more cryptography, handshakes, secret sauce, etc. that happen during the auth flow, but those are incidental to the core concept outlined above.
What's different about us? 1. Keyri is available as a mobile SDK, allowing any company to offer passwordless onboarding and WhatsApp-like QR code login entirely within their own app without a long and tricky dev cycle. 2. Keyri doesn't require any typing or setup / opt in. Other passwordless solutions require typing out a username/email address and/or connecting by bluetooth, specialized onboarding, etc. 3. Key backup and recovery is handled automatically via the cloud (iCloud / Google Drive). Additional backup/restore options are available in our SDK. 4. Privacy: unlike OpenID and some other passwordless solutions, Keyri’s server does not store or see any private keys or any personal information. Our API simply facilitates the transmission of public keys and encrypted signed authentication requests.
We charge companies based on how many unique users use Keyri to log in to their web services in a given month. We can provide our API in a ...
97 comments
[ 5.9 ms ] story [ 154 ms ] threadEdit: having the standalone Keyri app work for apps that don't have a dedicated mobile app of their own feels like it would drastically increase the market size here. Auth0 / Cognito are woefully unequipped for most web app's authentication needs, so there's still a huge opportunity there.
Agreed that the standalone Keyri app has its place in our longer term strategy, especially when it comes to workforce SSO applications. We're currently targeting the consumer-facing web, and the roadblock we've heard from companies we've spoken to there is that it's easier for them to ask their users to "download the Google Authenticator app" or "download the Duo app" than it is to "download the Keyri app". It's a matter of our fledgling legitimacy at this point, though we hope to get to a point where users can accept and prefer the Keyri app (because the UX and security really are better than Google Authenticator / TOTP apps)
In the West, WhatsApp and Discord have massively different schemes for QR login.
Giving all my login information to a third party seems like an awful idea. How are the keys secured from Google and Apple?
What is the contingency plan for logging in if your biometrics change? People lose fingers sometimes.
On the device, private keys live in the phone's secure enclave, usually backed by a hardware security module. When you get a new phone, these keys can only be restored when you set up the new phone from a backup of your old phone - thus, the security of the private keys in the Keyri system is on par with the security of Apple / Google password managers as well as smartphone cloud backups in general, which is pretty good.
Other authenticator apps, like Google Authenticator, Duo, etc. use these same backup methods. Others, like Authy, maintain their own cloud backup systems.
That said, I agree cloud backups are not ideal, but I think they're necessary to maintain a smooth UX for most users. Our SDK provides developers the option to disable cloud backups and instead enable QR code backups, which allow users to export their private keys onto a QR code that they can print out and keep somewhere safe, like where they keep their passport.
In case biometrics fail, (1) we give developers an option to enable a PIN fallback. Some apps like Credit Karma do this today. (2) Companies can have their own "I lost my finger" customer support process and allow users to reset their credentials upon approval. I suspect that process will see less traffic than "I forgot my password", so it should (a) cut down on CS costs and (b) make it easier to detect social engineering attempts.
I've come across a decent share of passwordless solutions in recent times (like gazepass.com and sawolabs.com to name two of the recent upstarts in the space), while GRC's SQRL has been around a lot longer.
The bane of passwordless auth systems is the whole ceremony around forgot-password / change-password flows (in this case, re-associating a new public/private keypair, on device loss, or on device change). Keybase solved the latter scenario by storing the TripleSec-wrapped keypair with a user-supplied password [0]; though, in a system we designed for our use, we use OPAQUE (password-based) to keywrap the material [1], while Signal recently demonstrated a rather elaborate scheme (passphrase-based) for tucking away user secrets [2]. SQRL solved the former in a rather unconventional way by treating DHKE as a two-way hash function [3], while Keybase has (IIRC) various recovery scenarios due to the nature of their service.
How does keyri.co handle these two scenarios? Backups don't help in cases where private-keys are compromised. Besides, some might even question the security behind backing-up private-keys to Google/Apple in the first place. I, personally, consider it an unacceptable compromise: Using an intermediary like evervault.com / scrt.network may be slightly better (or even MPC [4])?
If I may, I'm kind of curious about the cryptography involved when the authentication is delegated via the QR code. We designed ours based on the Keybase KEX [5] secured over a CPACE session [6].
Thanks.
[0] https://archive.is/XosXO
[1] https://archive.is/zmpxv
[2] https://archive.is/3sTZR
[3] https://archive.is/H72o2
[4] https://archive.is/Ojz9U
[5] https://archive.is/46VzS
[6] https://archive.is/4F1lp
Agreed, device continuity is the #1 challenge for truly passwordless systems. The Google/Apple cloud backup system we're currently on is a compromise to deliver a seamless UX for mass audiences in the majority of device transition cases. As soon as a user sets up their new phone using an iCloud / Google backup of their old phone, they will have Keyri private keys already embedded in their restored apps. Developers, optionally, can require users to input a PIN/passcode in order to restore the keys following a backup restoration.
For the minority of cases in which this cloud-backup-based device transition does not work smoothly, companies can offer customer support lines, which, as mentioned in another reply, will be far less busy than "forgot my password" CS lines, thereby making social engineering easier to detect.
Again, while not ideal, as mentioned in another reply, the current solution is based on Keychain (iOS) / KeyStore (Android), which are rather secure and private, and compromise of those systems entails... a really bad day for the victim given they're associated with saved passwords, emails, text messages, photos, etc.
And yes, we definitely plan to maintain our own cloud backup service. That is really hard to architect in a way that's both secure and frictionless, so we'll be designing that for some time. Evervault and scrt.network are great references - thank you.
All the best.
WiFi calling usually also supports texts over wifi.
> then generates a signed authentication request using the stored private key, then sends that request to the relying party's auth server, which authenticates the user by verifying the signature using the public key it received during registration
so as a customer, I need to keep track of all public keys of my customers?
> Key backup and recovery is handled automatically via the cloud (iCloud / Google Drive)
So in case I get access to a Gmail account, I can get full access to the customers account. Is the key protected by passphrases?
True, but WiFi calling remains opt-in for most carriers (and I suspect it'll remain so given the incentives in play). I don't have stats on WiFi calling adoption, but anecdotally, most people I've asked (including my cofounder), have been SOL when traveling abroad and relying on SMS OTP
> so as a customer, I need to keep track of all public keys of my customers?
You only need to keep track of the one public key that your user generated for your service, no different than keeping track of their password. It's arguably easier to keep track of a public key than a password given you don't absolutely have to hash+salt a public key.
> So in case I get access to a Gmail account, I can get full access to the customers account.
Yes, if you manage to break in to a Google or Apple account (which is a lot harder than breaking into an account at just about any other company), you would get access to an individual's private keys, same as you would get access to all of their stored passwords, email OTP, email password recovery, text messages, photos, OIDC-connected accounts, etc.
> Is the key protected by passphrases?
Yes, developers can enable securing the keys with a user-set 4-digit PIN that the user must input upon key recovery. This is optional for developers.
> Yes, developers can enable securing the keys with a user-set 4-digit PIN that the user must input upon key recovery. This is optional for developers
Is this rate limited by the phone for access to the secret key?
Yes. You probably want a reasonable limit. A customer might have ten phones, but if they have a hundred phones they already know they're a weirdo and you won't be the first one to tell them that. You will probably also want to have a way for customers to distinguish one from another, so that they can say "Oh I gave my old iPhone to my brother" and delete the unneeded credentials.
The good news is that as their name might suggest, they're not secrets, so now you don't need to worry about anybody stealing them. If Keyri did even a halfway competent job of this they're useless to anybody except you.
https://developers.google.com/identity/fido/android/native-a...
Deploying WebAuthn / FIDO2 on desktop web/native apps is far more challenging given the standard's need for communication between the authenticator device and client device to happen via USB, Bluetooth, or NFC. USB is obviously out of the question for consumer-facing apps, and companies simply can't ask typical users to connect their devices via Bluetooth - setup and reliability are the UX issues with BT.
Specifically, how does the phone know which web page its owner is looking at on their laptop when they scanned the QR code ? You need to arrange that it's not possible to take the QR code generated for you and present it to a sucker for them to scan instead so that you're signed in as them and like I said, if Keyri does that then I don't see how.
Isn't this a problem then with WhatsApp Web login too which shows a QR code (presumably not tied to any one account as the web-client seemingly generates it without any user-input) that the app then scans to initiate auth?
I was also wondering if its a severe vulnerability, given that the phone (roaming authenticator) continues to be in the possession of the victim, and they retain the ability to revoke other keys / tokens (which could additionally be authz restricted) shared with untrusted devices (client/platform), much like how one would revoke leaked API keys?
Btw, am I correct in guessing that FIDO2 solves this "trust gap" problem with CTAP2 relying on BLE, USB, NFC to prove user-presence? Thx.
Yes, it's an issue with WhatsApp QR login and every other QR login implementation.
> I was also wondering if its a severe vulnerability
It can be severe if the attacker only needs to be authenticated in the victim's account for a short while to do damage. For example, to withdraw cryptocurrency from an exchange account. Or, in the case of WhatsApp, to extract damaging personal info. Persistent access is not a prerequisite for the ability to do harm.
> Am I correct in guessing that FIDO2 solves this "trust gap" problem with CTAP2 by relying on BLE, USB, NFC to prove user-presence
Partially correct - there's two-way communication in FIDO2/CTAP2 in which the roaming authenticator confirms the "identity" of the web session before sending an auth request. The user-presence aspect is incidental to these three protocols. We do the same thing, just with CV
FIDO2 isn't interested in this problem at all. From the point of view of FIDO2 the rpId ("Relying Party ID" the thing that distinguishes Apple from Facebook) is just arbitrary data selected by the application.
WebAuthn solves the problem by trusting the web browser to know which web site you're visiting. Specifically, the relying party (a web site you're trying to sign into) gets to pick a DNS name you'll authenticate against but the browser matches this DNS name against the HTTPS URL you're looking at, and rejects requests that don't match. The rpId is based on this DNS name, so a phishing site can't work.
e.g. You may think this page is from your bank, but your browser knows it's https://fake-bank.example/ and won't give it WebAuthn credentials for real-bank.example even though you firmly believe that's where you are.
https://github.com/fiatjaf/awesome-lnurl#lnurl-auth
> They also allow users to share their subscription accounts with others, robbing companies of revenue.
This made me question your motives: "robbing" is a very strong statement for something like sharing accounts — even if you are in that extortionist camp that likes to get every last cent out of the customer, I wouldn't advertise it as widely.
Why do you feel that companies should be worried about people sharing accounts with people they have enough trust in to share accounts (and devices like your phone) with?
It's also the first time I read that OpenID requires somebody else to see your private keys, or to share any private data that you do not wish to share: can you elaborate on that?
Regarding account sharing: agreed that the "robbing" language is harsh and should be toned down. That said, it is a problem that deserves a solution. For example, there are companies like data providers that charge businesses hundreds or thousands per month for access to their platforms, and they face massive account sharing issues from these businesses that can totally afford to pay for all of the seats they need but are not willing to pay because they don't need to - they can just share accounts among their employees. At the same time, I'd argue that any account sharing, even if it's for a $5/month streaming platform account, is unethical and a violation of TOS - companies should have access to tools that definitively prevent these violations. They currently already try to stop account sharing through IP logging, cookie tracking, etc., but those methods are not as reliable as changing the auth mechanism altogether to something like Keyri, in which credentials are not free-floating strings that can be passed from one person to another.
Regarding OpenID: OpenID providers (Google, FB, etc.) don't see your private keys, but by registering and logging in on various services through them, you are giving those platforms yet more data about yourself. That is why these platforms provide OpenID auth services for free. This privacy threat is nebulous, but privacy-conscious people like myself don't use OpenID for this reason.
Edit: an article on OpenID privacy issues from people who know more than me: https://people.inf.ethz.ch/basin/pubs/asiaccs20.pdf. Excerpt: "s. Unfortunately OpenID Connect is not privacy-friendly: the identity provider learns with each use which relying party the user logs in to. This necessitates a high degree of trust in the identity provider, and is especially problematic when the relying parties’ identity reveals sensitive information"
Hey, you are selling on the internet, do not make up "costs" just to increase your revenue. I am fine with restricting simultaneous usage where there is an actual cost to it (eg. streaming) as long as that's clearly indicated (and as people have multiple devices these days, it should never be limited to one-at-a-time).
As I said in a comment below, the fact that companies "can afford" is not the same as "it's worth it" to them, and per-seat pricing is "robbing" those customers when there is no increased value for the customer or increased cost to the provider: make a product that's valuable to be per-seat, and customers will pay for it (sure, some who can't afford it won't, but that's not lost revenue anyway)!
Finally, with OpenID, I can set up my own identity provider, or use a privacy conscious one. Unfortunately, almost no web sites accept pure OpenID (they did for a while ~10 years ago), but instead only a limited set of "large" providers. However, a company can easily decide to support arbitrary OpenID providers instead of just Google SSO or Keyri, and then users can choose how much they care about their privacy and use an appropriate provider.
In short, web sites are not implementing OpenID authentication, but instead somewhat-custom SSO through Google/Facebook that mostly uses OpenID Connect (Oauth) protocol for authorization (in a way, it could be any other protocol that preserves the security properties of OpenID Connect).
A good example of a company doing that is Zendesk: as an engineer, I want to make a comment on a support ticket once every 3-6 months, but Zendesk would require my company to pay for another user license to do that. That's not value provided nor is there a cost for them in having another non-read-only account. They are attempting to rob their customers instead.
Either way, it's in Zendesk's and Netflix's best interest to make sure that a given account is used only by the person they were told would use it when the account was purchased, both from a business perspective and a security perspective. How they can address the needs of their customers while enforcing their stated TOS with a mechanism like Keyri is up to them.
I don't see how that is possible.
(1) Keyri private keys cannot be stolen other than through smartphone malware, which is exceedingly rare, while password managers and older USB keys are vulnerable to desktop malware, which is much more common - both credential stealers and, in the case of older generations of Yubikeys, keyloggers. Hardware OTP devices are additionally vulnerable man-in-the-middle phishing attacks (though the HN audience is generally savvy enough to not fall for phishing) - https://github.com/kgretzky/evilginx2.
(2) As long as you rely on passwords and TOTP, you're relying on the shared secret paradigm and trusting the relying party to handle your credentials properly. If the relying party's credential store is breached and the credentials were improperly stored (common even today), your credentials (both your password and OTP secrets) can be used by a bad actor to access your account. Public key systems like Keyri and FIDO2 substantially reduce this risk.
> As I said in a comment below, the fact that companies "can afford" is not the same as "it's worth it" to them
Please see my response below regarding account sharing. In short, eliminating account sharing in order to enforce TOS is an opportunity to (a) improve security (b) improve UX in cases where provisioning multiple users access to one account is warranted.
> Finally, with OpenID, I can set up my own identity provider, or use a privacy conscious one.
As you note, the vast majority of web services don't support arbitrary identity providers or use privacy conscious ones. History has proven that people don't set up their own identity provider. Additionally, the universe of "privacy conscious" OIDC providers is limited (non-existent?).
I realize this is not exactly widespread (neither on the user nor the provider site), but as we are on HN: Luckily security keys exist and are cheap enough to have backups. I hate having to use my phone for 2FA (but also realize that I’m in a tiny minority there)
While you should certainly hope that this is just a "transition step", I am sure you are treating it as a business risk as well: companies will frequently have people who are downgrading their security and convenience by moving to Keyri (eg. people like me :), and they will always push back. After a while, those companies might decide that it's not worth it to keep both options available, Keyri will be the one to go (some will, of course, decide otherwise). I am sure you will be tracking this, but it's worth pointing out that this risk is there and not insignificant :)
(1) When a user sets up their new phone using an iCloud / Google Drive backup of their old phone, the private keys will be already embedded in the relevant apps when they first open the app on the new phone. The developer can ask the user to decrypt the private key for the first session with a user-defined passcode
(2) The SDK provides a QR backup system - users can export their private key in a QR code, print it out or save it on a USB drive, and then scan that code using their new phone. Alternatively, they can just open that QR backup screen on their old phone and scan that with the same app on their new phone. Google Authenticator recently released a key export feature like this (we had it before Google, but it's inspired by blockchain.com's wallet backup system from 2012).
I think such transitions between smartphone OSs already entail significant credential transfer issues, since saved passwords also do not automatically move between OSs.
You'd have similar problems if you used "Sign in with Apple" for an app on an iOS device and then switched to Android.
working POC
http://www.multipasskey.com/susdemo/
I'm having trouble understanding what more this offers over a model more like TOTP/HOTP, where I can scan a QR code once from a site, then log in with it even if my phone doesn't have connectivity (which is a more common use case than you might think).
If I do have connectivity, why not just throw a prompt up on my phone asking "Hey can you verify that's you logging into our website?"
TOTP is an objectively worse UX - first you type in your username, then password, then open your phone, open the relevant app, read the code, and type in the code before it expires. With Keyri, you open the relevant app, tap a "scan" UI element, and point it at your screen. No typing, memorization, or race against the clock. Also, with TOTP, you're pulling out your phone and navigating to a specific app anyway, so I don't understand your UX objection. I'm also struggling to picture a situation in which a laptop or other device has connectivity but a phone does not. Presumably the laptop is on a WiFi network that the phone can also connect to. If the laptop is using some sort of satellite connection module, that module and/or laptop can fire up a hotspot. This connectivity problem would also arise in the push notification solution you propose in the next sentence.
Push notification solutions ("prompts") are defeatable using trivial man-in-the-middle phishing techniques. For example: https://github.com/kgretzky/evilginx2. Authenticator-initiated authentication solutions with two-way authentication like Keyri eliminate phishing.
https://www.hyperledger.org/use/aries
Then there are other passwordless auth solutions employing "private blockchains". That term basically means "database" in my mind and is obviously not ideal from a privacy perspective.
Aries leverages, Decentralized Identifiers[1] with Verifiable Credentials [2]
the "ledger" is where the public keys are stored. eg it could be a permission-ed ledger, similar to SSL certs only known/<want to be known> parties would publish their keys to the chain.
Example: Sovrin network [3]
Or could be permission-less, maybe focused more towards IoT/whatever
Example: ION Network [4] coming out of Microsoft.
The ledger is not a requirement to establish an identity as shown with the did:peer [5] method
Frankly I think the usage of blockchain was more to get on the marketing bandwagon at the time. Messaging is now moving from "blockchain" to "distributed ledger"
1 - https://www.w3.org/TR/did-core/
2 - https://www.w3.org/TR/vc-data-model/
3 - https://sovrin.org/
4 - https://identity.foundation/ion/
5 - https://identity.foundation/peer-did-method-spec/index.html
Another example of over reach: Trust over IP [1]
Again congratulations of the launch, I am not advocating Aries but I am very interested. Especially the intersection of actual users (what you are doing) / pie-in-the-sky ideals
I wish you both the best :)
1 - https://trustoverip.org/
Can't speak for how it works on the back end (though it clearly works differently from Keyri given VPA's QR code contains much more data and is therefore slower / more unreliable to scan). In terms of security on the front end, VPA is phishable as explained in earlier comment threads.
I run a problem validation platform and the need-gap in 'Password less authentication' is being tracked here[1].
You're welcomed to explain how Keyri addresses that need-gap so those who need it can find it easily.
[1] https://needgap.com/problems/49-password-less-authentication...