13 comments

[ 2.9 ms ] story [ 54.5 ms ] thread
what problem is it solving?
The idea is to let users maintain a portable database of very strong passwords. Since the credentials are transfered when the QR code is scanned the user doesn't need to remember or enter a complex password. It also eliminates worries about keyloggers since no information is typed.
It's gotten to the point that the average person needs to remember dozens of passwords for various sites. You can't use the same password for everything because one could be hacked, compromising all of them, and even if that's not an issue, every site has different password strength requirements. This approach lets you use a very complex password for each site without making you memorize it. I just wish there were an Android version.
Android is in the plans. The main reason I started with iOS was that I had access to the devices.
That's great to hear! Let me know if you need someone to test with android. My wife was excited when I told her about the app...her current solution is a big Google doc with all of her important passwords!
what bit talks to the browser? Don't websites need to be "QRAuth" enabled? Have I just asked one of those questions which is "funny you should ask that..." ?
There's a browser extension (Chrome/Safari/FF) that does the hookup. Basically it talks to our server to request a QR Code. When the code is scanned, the users credentials are encrypted on the phone, sent to our server which passes them along to the browser extension.

I do have a version that doesn't require the browser extension, but that does require the website to add some javascript and do some backend work to enable it.

How is this better than something like 1Password? The only difference seems to be that instead of entering my master password in the browser extension, it's on my phone and I have to do extra work to log into the web site... I don't see any real security advantage, and the UX is much worse. Maybe I am missing something though.
I'm trying this out because I don't want to shell out $50 for the 1Password OSX app and then $15 for their iOS app.

I also see an advantage of not needing to constantly type in a master password, which can be seen by anyone standing around me.

Cool implementation. Were you inspired by the Google 2-factor approach to log in to Goog websites that was pulled?

http://www.readwriteweb.com/archives/google_launches_qr_code...

As others said, I'd love to see an android version. However, before I use it for my important Web service accounts, I'd like the ability to encrypt my passwords both on the phone app and the browser plugin with a key known only to me so I don't have to trust your service with my cleartext passwords.

I was working on this when google tested that feature. I actually started the project as a 2 factor authentication system but scaled it back to this version of the initial release at least. There's a chicken/egg problem with getting websites to adopt without needing the browser plugin.

I like your password idea, its a nice feature. I'll add it to my idea list. Thanks for the feedback!

I just tried it out. Works quite well! I think this is pretty damn cool.

Feature requests:

- The ability to add sites to the db using the extension (unless I missed this). Typing on the iphone's a pain vs typing on my laptop.

- A way to quickly copy the credential data from the iOS app so it can be used in other iOS apps.

- A password auto-generator.

- Dropbox support. That way this could sync up and work across platforms, and wouldn't require me to trust you with my precious data. (I'm already trusting dropbox, for better or worse, but at least there I can ensure it's encrypted)

Glad you like it. All those features are planned.

There is support for iCloud which tries to sync the database between phones. I've found iCloud syncing of databases to be slow in my testing, but it does seem to do it eventually. Speed probably isn't a big issue for day to day use, but it made testing the sync feature frustrating.