Show HN: Developers, Kill Passwords today with LaunchKey. (blog.launchkey.com)

7 points by devinegan ↗ HN
The LaunchKey API has moved to Public Beta and the team formally invites Developers to begin implementing LaunchKey on your systems and projects.

LaunchKey eliminates passwords by providing physical authentication through the devices you already own.

12 comments

[ 3.3 ms ] story [ 35.6 ms ] thread
How does this work if I don't have a smartphone?
Currently we are supporting iOS and Android ecosystems. This includes Tablets and Phones. We will have apps available for a wider variety of devices (Windows Phone, PC, Mac, etc) in the near future if you device isn't currently supported.
Possession of an iPhone or other device as a system of authentication is actually less secure than even a fingerprint which at least takes some degree of skill and tools to lift off of a surface.

Sorry but the core of your idea is not a solid foundation upon which the rest of it should stand. You've obviously done a great deal of work and it "looks nice" so it hurts me to tell you this.

You've basically re-invented the Japanese INKAN...

https://en.wikipedia.org/wiki/Inkan#Japanese_usage

Passwords, as painful as they are, work because they are secrets.

Fingerprints, eye scans, vein prints, voice patterns etc... are not secrets and can be/are replicated anytime.

Possession is just another form of a non-secret and between the moment your device is stolen and the moment you report the fact there is a window for abuse.

Passwords don't permit such abuses.

I hope my feedback will be constructive for you.

I don't understand the Inkan comparison. The Inkan just looks like a unique seal so that someone knows a document is legitimate. That seems more comparable to something like signing with your private key. Care to explain?
I think he was suggesting anyone can get a hold of your inkan and use it to sign things in your name.
I suppose I can stretch a bit and see that. Of course if you lose your inkan, you'd probably notice it was missing. If someone gets hold of your password (which may not even be your fault) there's a good chance you won't realize it has been compromised until too late.
Exactly. I live in Japan and the inkan is the bane of my existence.

I can go to the bank teller, offer them my driver's license, citizenship card and can recite the PIN code to them but they won't believe I'm me and let me access my money.

Show them my plastic stamp and I'm magically me! I could give it to another individual and he could withdraw money from my account, no questions asked.

Possession is simply not security.

While LaunchKey relies of physical possession as an authentication factor at its most basic level, LaunchKey provides and encourages the use of multi-factor authentication through additional factors such as a knowledge factor (PIN or Combo Lock) and inherence factor (geographic location). Comparing a single factor of authentication, as is the case with a password (knowledge) or Inkan (possession), to that of the multi-factor authentication found in LaunchKey (possession + knowledge + inherence) is a fallacy.
Possession in the case of authentication is used for starting our cars, entering our homes and seems to be used in Japan for banking. We all have keys in our pocket that we rely on for security.
Thank you for your feedback. We certainly seem to disagree about the security of passwords in general.

With that said, our system supports far more than a possession factor. LaunchKey has a Pin and/or Digital Combo lock (your secret) on the app level for a knowledge factor and Geo-fencing available for an inherent factor. Combine these factors with possession and you have a very secure system. Reliable bio-metric factors could certainly be implemented in the future as well.

As you said Passwords are painful, especially when we don't know them any more and pass them off to a third party application. The explosion of Password Managers such as your own indicate that users are expected to carry the burden. There has to be a better experience and solution for consumers and systems alike.

Well, possession might work better if it were a chip you'd implant in your body. Then at least it wouldn't be prone to theft.

You'd just need to convince people to implant something in their bodies.

In any case, you're free to your opinions and the market is the ultimate decider of what floats and what sinks. Good luck to you and your project!

Presumably you'll know if your phone has gone missing and can then deactivate it as an authentication token long before someone could combine it with guessing your PIN. There has been a secure token business operating for years without a major problem due to token loss. Migration to using your phone instead of a separate token is a natural transition and doesn't change the fundamentals much.