How it Works

Keyy is mobile cryptography built on RSA public-key architecture, which has been used by software engineers for over 25 years as a tried-and-tested defence against communications being spied upon.

The private digital key is created and stored on the user’s mobile phone or tablet. It requires the sun’s entire energy for a year to crack.

Logging in with Keyy

With Keyy, authentication and login is an elegant, integrated part of your app experience:
1. Download and open the app on your mobile phone or tablet.
2. Go to the site and scan the Keyy code.
3. The two will automatically sync, and you’re logged in!

Lock and Key

Keyy, unlike the other methods, is not symmetrical, i.e. it doesn’t use two copies of the same thing. Instead, its cryptography works like a lock and key: each is useless without the other. If Keyy’s server were breached, it wouldn’t yield any data that could be used for logging in, because neither component is stored there.

Passwords are Broken

For a start, 40% of us don’t follow the expert guidelines on how to make our passwords sufficiently random and complicated. Although we know it’s wrong, we use the same password on different accounts and ‘daisy chain’ our email address and username.

This is hardly surprising. We each have an average of 26 different online accounts, and trying to memorise so many unique and difficult passwords is practically impossible.

But no matter how long, how complicated and unique your password is, it doesn’t offer any robust defence against hackers. Hackers often steal whole databases of passwords, and we’re helpless to do anything about it.

73% of online accounts are guarded by duplicated passwords.

54% of people use at most 5 passwords for the whole of their online life.

50% use one of the 1,000 most common passwords.

68% of people say they want companies to provide an extra layer of security for their online accounts.

Two-Factor Authentication is Better

Rather than depending on just one piece of information, such as a username, password or PIN, Two-Factor Authentication (2FA) also demands something else belonging to the user: either a physical possession (such as a USB stick, mobile phone or tablet) or a physical characteristic such as a fingerprint.

After you’ve entered your password, you usually have something like 30 seconds in which to verify your second factor of authentication, severely restricting the window of opportunity for brute force attacks.

Two-Factor Authentication is acknowledged to be a much safer alternative than the usual username and password. It’s no surprise that it’s been so widely adopted, particularly by businesses and organisations where security is paramount.

Keyy is Two-Factor Authentication at its Best

Not all kinds of Two-Factor Authentication are equal. Those that use tokens or SMS are far more vulnerable to cyberattack than Keyy, which uses public key cryptography instead. Replacing codes and passwords eliminates the twin risks of information being stolen, and the vulnerability inherent in user memory.

Comparison of Keyy and other Two-Factor Authentication systems

Keyy is compared with other Two-Factor Authentication systems across four attack categories:
Brute Force attacks
Keylogging attacks
Server Breaches
Weak or Re-used Passwords

Brute Force Attacks

Brute force attacks are where ‘botnet’ computers run automated software that makes password guesses, running through a list of possibilities one after the other.

Two-Factor Authentication methods are still open to brute forcing if they require a username and password login form. Although attackers cannot proceed further without the second factor, they can use the stolen username and password to launch social engineering attacks or to hack related user accounts that don’t have Two-Factor Authentication. What’s more, the one-time password (OTP) that’s generated as the second factor of authentication is also vulnerable to being brute-forced, especially where there’s no set limit on OTP guesses.

Keyy’s cryptography cannot be brute forced. The private key on the user’s phone is protected with a rate-limited passcode that can only be guessed from the phone itself. If the phone is lost or stolen, users can easily deactivate the key.

Server Breaches

Attackers access the stored copies of user account passwords, which are kept in a central database to verify and authenticate logins. Although these are usually ‘salted’ and ‘hashed’ for extra protection, they’re still vulnerable to being hacked.

Even One Time Passwords are vulnerable when a server’s breached, because each unique code is generated by a ‘seed’ that’s shared between the user’s phone and the site’s server. This seed is stored in a readable format on the server, usually next to the password; both could be stolen together.
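The contrast drawn in the Lock and Key section and in the two paragraphs above can be made concrete with a small model. The following is an added example, not Keyy’s code: it implements the standard HMAC-based one-time code computation (RFC 4226/6238) beside a textbook RSA challenge-response login, with a toy server for each. The RSA parameters are two small Mersenne primes chosen so that everything runs with the Python standard library; they are a constructed illustration, not a secure key size, and the signature omits padding. The point it shows is what a dump of each server’s user table contains: the OTP server must hold the very seed the phone uses, so the stolen copy still produces valid codes, whereas the key server holds only the public half, which cannot answer a login challenge.

```python
"""Constructed model of a shared-seed OTP server beside a public-key login server.

Not Keyy's code. Toy RSA parameters (Mersenne primes) and unpadded
signatures are used only so the example runs offline with the stdlib.
"""
import hashlib
import hmac
import secrets
import struct


# ---- Shared-secret second factor: HOTP/TOTP as in RFC 4226 / RFC 6238 ----

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Both phone and server must hold the same seed to compute this code."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30) -> str:
    """Time-based variant: the counter is the current 30-second window."""
    return hotp(seed, unix_time // step)


class TotpServer:
    def __init__(self):
        self.db = {}  # username -> seed; must be readable to verify codes

    def enrol(self, user: str, seed: bytes) -> None:
        self.db[user] = seed

    def verify(self, user: str, code: str, unix_time: int) -> bool:
        return hmac.compare_digest(totp(self.db[user], unix_time), code)


# ---- Asymmetric "lock and key": phone signs a server challenge ----

P = 2 ** 61 - 1  # toy primes; real RSA keys use primes of ~1024 bits or more
Q = 2 ** 89 - 1
E = 65537


def make_keypair():
    """Return (public, private). Only the public half ever leaves the phone."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))
    return {"n": n, "e": E}, {"n": n, "d": d}


def _digest(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv: dict, msg: bytes) -> int:
    """Textbook RSA signature over a hash (no padding; illustration only)."""
    return pow(_digest(msg, priv["n"]), priv["d"], priv["n"])


def verify_sig(pub: dict, msg: bytes, sig: int) -> bool:
    return pow(sig, pub["e"], pub["n"]) == _digest(msg, pub["n"])


class KeyServer:
    def __init__(self):
        self.db = {}       # username -> public key only
        self.pending = {}  # username -> outstanding one-time challenge

    def enrol(self, user: str, pub: dict) -> None:
        self.db[user] = pub

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(32)
        self.pending[user] = nonce
        return nonce

    def login(self, user: str, sig: int) -> bool:
        # Each challenge is consumed on first use, so a captured signature
        # cannot be replayed against a later login.
        nonce = self.pending.pop(user, None)
        return nonce is not None and verify_sig(self.db[user], nonce, sig)


def what_a_database_dump_contains() -> dict:
    """Compare what each server's user table would reveal if copied."""
    seed = secrets.token_bytes(20)          # constructed phone seed
    ts = TotpServer()
    ts.enrol("alice", seed)
    pub, priv = make_keypair()
    ks = KeyServer()
    ks.enrol("alice", pub)
    t = 1_700_000_000                       # fixed constructed timestamp
    return {
        # the stored seed reproduces the phone's codes exactly
        "otp_seed_still_produces_valid_codes": ts.verify("alice", totp(ts.db["alice"], t), t),
        # the stored record holds no private exponent at all
        "private_key_present_in_dump": "d" in ks.db["alice"],
    }


if __name__ == "__main__":
    print(what_a_database_dump_contains())
```

The `hotp` function is the standard RFC 4226 computation, so it reproduces the RFC’s published test vectors; `KeyServer.login` deliberately pops the pending nonce so each challenge can be answered only once.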

Keylogging Attacks

These involve malware that tracks user activity to steal passwords or sensitive information. Some even target the master passwords of password managers.

Traditional TOTP two-factor gives some protection against this kind of attack (one-time passwords are not strictly one time, but are only valid for a short time window). But Keyy is completely safe from keylogging because it doesn’t involve any kind of typing.