How it Works
Keyy is mobile cryptography built on RSA public-key architecture, which has been used by software engineers for over 25 years as a tried-and-tested defence against communications being spied upon.
The private digital key is created and stored on the user’s mobile phone or tablet. It requires the sun’s entire energy for a year to crack.
Logging in with Keyy
Keyy, unlike the other methods, is not symmetrical- i.e. it doesn’t use two copies of the same thing. Instead, its cryptography works like a lock and key: each is useless without the other. If Keyy’s server was breached, it wouldn’t yield any data that can be used for logging in, because neither component is stored there.
Passwords are Broken
This is hardly surprising. We each have an average of 26 different online accounts, and trying to memorise so many unique and difficult passwords is practically impossible.
But no matter how long, how complicated and unique your password is, it doesn’t offer any robust defence against hackers. Hackers often steal whole databases of passwords, and we’re helpless to do anything about it.
Two-Factor Authentication is Better
After you’ve entered your password, you usually have something like 30 seconds in which to verify your second factor of authentication, severely restricting the window of opportunity for brute force attacks.
Two-Factor Authentication is acknowledged to be a much safer alternative than the usual username and password. It’s no surprise that it’s been so widely adopted, particularly by businesses and organisations where security is paramount.
Keyy is Two-Factor Authentication at its Best
Comparison of Keyy
and other Two-Factor Authentication systems
|Other Two-Factor Authentication
|Brute Force attacks
|Weak or Re-used Passwords
Where ‘botnet’ computers run automated software that runs password guesses, running through a list of possibilities one after the other.
Two-Factor Authentication methods are still open to brute forcing if they require a username and password login form. Although they cannot proceed further without the second factor, hackers can use the stolen username and password to launch social engineering attacks or to hack related user accounts that don’t have Two-Factor Authentication. What’s more, the one-time-password (OTP) that’s generated as the second factor of authentication is also vulnerable to being brute-forced, especially where there’s no set limit to One Time Passwords guesses.
Keyy’s cryptograph cannot be brute forced. The private key on the user’s phone is protected with a rate-limited passcode that can only be guessed from the phone itself. If the phone is lost or stolen, users can easily deactivate the code.
Attackers access the stored copies of user account passwords, which are kept on a central database to verify and authenticate logins. Although these are usually ‘salted’ with algorithms and ‘hashed’ for extra protection, they’re still vulnerable to being hacked.
Even One Time Passwords are vulnerable when a server’s breached, because each unique code is generated by a ‘seed’ that’s shared between the user’s phone and the site’s server. This seed is stored in a readable format on the server, usually next to the password; both could be stolen together.
These involve malware that tracks user activity to steal passwords or sensitive information. Some even target the master passwords of password managers.
Traditional TOTP two-factor gives some protection against this kind of attack (one-time passwords are not strictly one time, but are only valid for a short time window). But Keyy is completely safe from keylogging because it doesn’t involve any kind of typing.