Our technical colleagues at Clef got in touch with us and we finally managed to publish the interview with them. Clef is a wonderful product that adds two-factor authentication to your WordPress website, and it is also available to all of you hosted with our friends on SiteGround Managed WordPress Hosting.
Tell us a bit about yourself and how you got involved with WordPress?
Hi everyone! My name is Jesse and I’m one of the founders and the head of product at Clef. Essentially, that means that I get to talk to our users every day and lead development on all things you interact with. It’s awesome. Before Clef, I was in school at Pomona College, but I dropped out after two years to focus full time on killing passwords.
The first time I used WordPress was in my junior year of high school. We had a newspaper, but one of my friends and I wanted something that students could actually interact with in a real-time way. We decided to create a blog, and I decided to run it on WordPress. We eventually grew to having ~7 writers and I was super impressed with how easy it was to manage everyone and everything with WordPress. Pretty great introduction. I used WordPress on and off after that to build websites and when we started Clef I knew it was the first platform we had to build for.
How was the Clef idea born – what were you struggling with prior to building Clef?
Clef actually came out of a bunch of work that our CEO, Brennen, did. Back in 2011, he was working at Adobe on their Strategic Alliances team right after Steve Jobs wrote the letter that killed Flash on the iPhone. Since companies like Adobe used Flash to identify users for partner advertising, he was part of a team that was tasked with figuring out new ways to identify users on mobile devices. Around that time, LinkedIn had what was, at the time, the largest password breach ever (an event we think of as the beginning of the “era of breaches”). Brennen saw the juxtaposition of the failure of passwords with all the work he was doing on mobile identity, and realized that our phones could do a *much* better job of identifying us (both security and usability-wise) than the username and password infrastructure. He went back to school at Pomona, started working with a professor studying security through usability, and wrote a thesis on phone-based identification. Eventually, he recruited Mark (our CTO) and me to join the project and we turned his thesis into Clef. A year later, we moved up to the Bay Area and launched the product.
If you were to explain Clef to a blogger or a non-technical user, what would be the key selling point (in a sentence or two)?
Going to break the rules and do two selling points here: security and usability. With Clef, you never have to remember passwords for your WordPress sites again *and* every site is protected by two-factor authentication that will keep you safe from all the brute-force breaches you’re hearing about in the news.
Are there any hosting restrictions or limitations, for example is it applicable for shared hosting customers, too?
Nope! Clef will work on any WordPress site out there (and if you have any issues, just email us at [email protected] and we’ll get the problem resolved ASAP).
How about the more technical users? What is the complete flow of Clef, do you store any sensitive information on your servers?
Clef wraps a technology called public-key cryptography. Developers have been using public-key cryptography to identify themselves for the last 20 years (every time you push code to GitHub or SSH into a server, you’re almost certainly using it). In our architecture, the “private keys” (the valuable credential information) are generated, encrypted, and stored on the phone — they never leave. The only things we store are the “public keys,” which are used to verify your identity, but can’t be used to impersonate you. Even if all of them were exposed, an attacker would be no closer to logging in as you. This distributed architecture eliminates all of the attacks we commonly see against passwords and makes the economics of compromising users much less viable for attackers. Rather than being able to hack a database and get millions of passwords (which they could sell for a fraction of a cent each), they’d have to target every user individually.
How safe is that second step verification process in practice, relying on a separate device?
Very. The great thing about our second-factor (the PIN) is that the only way it’s vulnerable is if an attacker already has your device. If you ever lose your phone, you can just go online and deactivate to render it useless for logging in with Clef — in the meantime, your PIN protects you from an attacker trying to impersonate you.
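The architecture described in the two answers above (private key generated and kept on the phone, only public keys stored server-side, deactivation of a lost phone), as an added Go example that is not Clef's code: the device-id registry, the 32-byte random challenge and Ed25519 as the signature scheme are assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// randBytes returns n cryptographically random bytes (used for key seeds and challenges).
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Server side: holds only public keys, indexed by a device id (an assumption for this example).
type Server struct{ devices map[string]ed25519.PublicKey }
func NewServer() *Server                                    { return &Server{devices: map[string]ed25519.PublicKey{}} }
func (s *Server) Register(id string, pub ed25519.PublicKey) { s.devices[id] = pub }
func (s *Server) Deactivate(id string)                      { delete(s.devices, id) } // lost phone

// Verify accepts a login only if a still-registered key signed this exact challenge.
func (s *Server) Verify(id string, challenge, sig []byte) error {
	pub, ok := s.devices[id]
	if !ok || !ed25519.Verify(pub, challenge, sig) {
		return fmt.Errorf("device %q unknown or deactivated, or signature invalid", id)
	}
	return nil
}

// Device side: the private key is generated here and never leaves; only Public() is shared.
type Device struct{ priv ed25519.PrivateKey }
func NewDevice() *Device                       { return &Device{priv: ed25519.NewKeyFromSeed(randBytes(ed25519.SeedSize))} }
func (d *Device) Public() ed25519.PublicKey    { return d.priv.Public().(ed25519.PublicKey) }
func (d *Device) Sign(challenge []byte) []byte { return ed25519.Sign(d.priv, challenge) }

// Login is one round trip: the server sends a fresh 32-byte challenge (so a captured
// signature cannot be replayed), the device signs it, the server checks the stored key.
func Login(s *Server, id string, d *Device) error {
	c := randBytes(32)
	return s.Verify(id, c, d.Sign(c))
}

func main() {
	s, phone := NewServer(), NewDevice()
	s.Register("phone-1", phone.Public())
	fmt.Println(Login(s, "phone-1", phone), Login(s, "phone-1", NewDevice())) // <nil>, then an error
}
```

A dump of the server's `devices` map yields only public keys, which is why a breach of that table does not let anyone sign a challenge; the same property makes `Deactivate` sufficient to lock out a lost phone.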
What are the future plans for Clef? Would you follow the freemium model, or switch to paid packages for all of your plans?
Clef will always be free for WordPress users and sites — we all love the community so much and think that it’s really important to increase the default level of security for new WordPress users. Limiting that goes against our values.
In the next year, we’re going to be expanding our platform beyond one-click installations like WordPress and into more consumer-facing login pages like the ones you use every day (think financial and health online services). We’ll be building out the necessary APIs, documentation, and developer tools to make custom integrations really easy and then working with early stage companies to offer low-cost, super usable two-factor authentication. If you’re reading this and that piques your interest, shoot me an email at [email protected].
Anything else that you’d like to share with our readers?
I’m always around on Twitter at @jessepollak and by email at [email protected] — if you have any questions, or need any help getting set up with Clef, don’t hesitate to reach out.