Passwords are broken
For a start, 40% of us don’t follow the expert guidelines on how to make our passwords sufficiently random and complicated. Although we know it’s wrong, we reuse the same password across different accounts and ‘daisy chain’ our email address and username.
This is hardly surprising. We each have an average of 26 different online accounts, and trying to memorise so many unique and difficult passwords is practically impossible.
But no matter how long, complicated and unique your password is, it offers no robust defence against hackers on its own. Hackers often steal whole databases of passwords, and there is nothing we as users can do about it.
Two-Factor Authentication is better
Rather than depending on just one piece of information, such as a username and password or a PIN, two-factor authentication (2FA) also demands something else belonging to the user: either a physical possession (such as a USB stick or mobile phone) or a physical characteristic such as a fingerprint.
After you’ve entered your password, you usually have something like 30 seconds in which to present your second factor of authentication, which severely restricts the window of opportunity for brute force attacks.
2FA is acknowledged to be a much safer alternative than the usual username and password. It’s no surprise that it’s been so widely adopted, particularly by businesses and organisations where security is paramount.
Keyy is the best kind of 2FA
Not all kinds of 2FA are equal. Those that use tokens or SMS are far more vulnerable to cyberattack than Keyy, which uses public key cryptography instead. Replacing codes and passwords with a key pair eliminates the twin risks of a shared secret being stolen and of the weakness inherent in human memory.
Keyy defends against:
Brute force attacks: where networks of compromised ‘botnet’ computers run automated software that makes billions of guesses per second to crack passwords or other encrypted data.
2FA methods are still open to brute forcing if they sit behind a username and password login form. Although attackers cannot proceed further without the second factor, they can use the stolen username and password to launch social engineering attacks or to break into related accounts that don’t have 2FA. What’s more, the one-time password (OTP) generated as the second factor is itself vulnerable to brute forcing, especially where there’s no limit on the number of OTP guesses.
Keyy’s cryptography cannot be brute forced. The private key on the user’s phone is protected by a 4-digit, rate-limited PIN that can only be guessed from the phone itself. If the phone is lost or stolen, the user can easily deactivate the key.
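To make the contrast drawn in the two paragraphs above concrete, here is an added Go simulation (not Keyy’s code, and not a description of its actual lockout policy) of two brute-force runs: one against a 4-digit PIN behind a rate limiter that doubles the delay after every wrong guess and locks after ten failures, and one against a 6-digit OTP that is checked with no guess limit at all. The PIN 7391, the OTP 482113, the ten-failure cap and the 1,000 guesses-per-second rate are all constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"math"
	"time"
)

// ErrLocked means the failure budget is spent; the key would have to be
// re-enrolled. The policy is constructed for this example, not Keyy's own.
var ErrLocked = errors.New("pin locked: too many failed attempts")

// PinVerifier models a short PIN that unlocks a private key held on the
// device itself: each wrong guess doubles the wait before the next one is
// accepted, and a hard cap on failures ends the attempt entirely.
type PinVerifier struct {
	pin         string
	failures    int
	maxFailures int
	lockedUntil time.Time
}

func NewPinVerifier(pin string, maxFailures int) *PinVerifier {
	return &PinVerifier{pin: pin, maxFailures: maxFailures}
}

// Try checks one guess made at wall-clock time now.
func (v *PinVerifier) Try(guess string, now time.Time) (bool, error) {
	if v.failures >= v.maxFailures {
		return false, ErrLocked
	}
	if now.Before(v.lockedUntil) {
		return false, fmt.Errorf("locked: try again in %s", v.lockedUntil.Sub(now))
	}
	if subtle.ConstantTimeCompare([]byte(guess), []byte(v.pin)) == 1 {
		v.failures = 0
		return true, nil
	}
	v.failures++
	delay := time.Duration(1<<uint(v.failures-1)) * time.Second // 1s, 2s, 4s, ...
	v.lockedUntil = now.Add(delay)
	return false, nil
}

// Result summarises one simulated brute-force run.
type Result struct {
	Attempts int
	Found    bool
	Elapsed  time.Duration
}

// BruteForcePIN sweeps every value of the given width against a rate-limited
// verifier. The attacker waits out each delay (so Try never returns the
// "try again" error here) and gives up when the PIN locks for good.
func BruteForcePIN(v *PinVerifier, digits int) Result {
	start := time.Unix(0, 0)
	clock := start
	res := Result{}
	for i := 0; i < int(math.Pow10(digits)); i++ {
		ok, err := v.Try(fmt.Sprintf("%0*d", digits, i), clock)
		if errors.Is(err, ErrLocked) {
			break
		}
		res.Attempts++
		if ok {
			res.Found = true
			break
		}
		clock = v.lockedUntil
	}
	res.Elapsed = clock.Sub(start)
	return res
}

// BruteForceOTP sweeps the same way against an OTP check with no guess limit
// at all, where a wrong guess costs the attacker only a network round trip
// (modelled as a fixed guesses-per-second rate).
func BruteForceOTP(code string, guessesPerSecond int) Result {
	perGuess := time.Second / time.Duration(guessesPerSecond)
	digits := len(code)
	res := Result{}
	for i := 0; i < int(math.Pow10(digits)); i++ {
		res.Attempts++
		if subtle.ConstantTimeCompare([]byte(fmt.Sprintf("%0*d", digits, i)), []byte(code)) == 1 {
			res.Found = true
			break
		}
	}
	res.Elapsed = time.Duration(res.Attempts) * perGuess
	return res
}

func main() {
	// Both secrets and the guess rate are constructed for the demonstration.
	fmt.Printf("rate-limited 4-digit PIN: %+v\n", BruteForcePIN(NewPinVerifier("7391", 10), 4))
	fmt.Printf("unlimited 6-digit OTP:    %+v\n", BruteForceOTP("482113", 1000))
}
```

The run shows the attacker exhausting the ten-attempt budget after a little over 17 minutes of enforced waiting with a one-in-a-thousand chance of having hit the PIN, against sweeping almost half the 6-digit OTP space in about eight minutes when nothing limits the guess rate. In practice a time-based OTP also rotates every 30 seconds, which bounds each window’s success chance but does nothing to stop an attacker from trying again in the next one.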
Keylogging / shoulder surfing attacks: keylogging uses malware to track everything a user types in order to steal passwords, sensitive information or even the master passwords stored by password managers. With shoulder surfing, hackers steal the same things through direct observation, looking over the user’s shoulder unnoticed.
Keyy’s login defends against keylogging and shoulder surfing because it doesn’t involve any typing at all. And hackers can’t resubmit a captured login once the user is logged in.
Phishing attacks: this is where hackers attempt to elicit sensitive information by masquerading as a legitimate enterprise.
Without passwords, Keyy is invulnerable to phishing. It also identifies the user’s location through confirmation redirection, providing a further obstacle to hackers.
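The mechanism behind the public-key claim in the “Keyy is the best kind of 2FA” section and the phishing claim just above is a challenge-response login: the server keeps only a public key, issues a fresh random challenge, and the phone signs it with a private key that never leaves the device. The added Go example below (illustrative, not Keyy’s own protocol or code) shows that exchange with Ed25519 and adds the standard defence that WebAuthn uses against phishing, binding the signed message to the origin the device believes it is talking to; the origins `https://login.example` and `https://login.examp1e.test`, the user `alice` and the single-use challenge store are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Server stores only public keys, so a stolen database yields nothing an
// attacker can log in with. Challenges are single use and bound to origin.
type Server struct {
	origin  string
	users   map[string]ed25519.PublicKey
	pending map[string]string // outstanding challenge -> username
}

func NewServer(origin string) *Server {
	return &Server{origin: origin, users: map[string]ed25519.PublicKey{}, pending: map[string]string{}}
}

// Enrol records the public half of the key pair generated on the user's device.
func (s *Server) Enrol(user string, pub ed25519.PublicKey) { s.users[user] = pub }

// Challenge issues a fresh random nonce for one login attempt.
func (s *Server) Challenge(user string) (string, error) {
	if _, ok := s.users[user]; !ok {
		return "", errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	c := hex.EncodeToString(nonce)
	s.pending[c] = user
	return c, nil
}

// signedMessage is what the device actually signs: the origin it observed the
// challenge from, plus the nonce. A signature made for one origin is useless
// at any other, which is what defeats a relayed phishing page.
func signedMessage(origin, challenge string) []byte {
	return []byte(origin + "\n" + challenge)
}

// Verify consumes the challenge (whether or not the signature checks out, so
// a captured response cannot be replayed) and checks it against the enrolled key.
func (s *Server) Verify(user, challenge string, sig []byte) bool {
	owner, ok := s.pending[challenge]
	delete(s.pending, challenge)
	if !ok || owner != user {
		return false
	}
	return ed25519.Verify(s.users[user], signedMessage(s.origin, challenge), sig)
}

// Device stands in for the user's phone; the private key never leaves it and
// nothing is typed, so there is nothing for a keylogger to capture.
type Device struct{ priv ed25519.PrivateKey }

func NewDevice() (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv}, pub, nil
}

// Sign answers a challenge for the origin the device is actually talking to.
func (d *Device) Sign(origin, challenge string) []byte {
	return ed25519.Sign(d.priv, signedMessage(origin, challenge))
}

// Outcome records three login attempts against the same server.
type Outcome struct{ Honest, Replay, Phished bool }

// RunScenario enrols one user, then tries an honest login, a replay of that
// same response, and a login relayed through a look-alike phishing origin.
func RunScenario() (Outcome, error) {
	const realOrigin = "https://login.example"       // constructed
	const phishOrigin = "https://login.examp1e.test" // constructed look-alike
	dev, pub, err := NewDevice()
	if err != nil {
		return Outcome{}, err
	}
	srv := NewServer(realOrigin)
	srv.Enrol("alice", pub)

	var out Outcome
	c, err := srv.Challenge("alice")
	if err != nil {
		return out, err
	}
	sig := dev.Sign(realOrigin, c)
	out.Honest = srv.Verify("alice", c, sig)
	out.Replay = srv.Verify("alice", c, sig) // same challenge presented again

	// Phishing relay: the fake site fetches a real challenge and shows it to
	// the user, but the device signs for the origin it actually sees.
	c2, err := srv.Challenge("alice")
	if err != nil {
		return out, err
	}
	out.Phished = srv.Verify("alice", c2, dev.Sign(phishOrigin, c2))
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("honest=%v replay=%v phished=%v\n", out.Honest, out.Replay, out.Phished)
}
```

Two properties do the work here: the challenge is deleted the moment it is checked, so a response captured in transit cannot be resubmitted, and the origin is part of the signed bytes, so a signature the user unknowingly produced for a look-alike site does not verify at the real one. Note that the device must learn the origin from something the phishing page cannot forge (in a browser, the URL it is actually loaded from), which is why this binding is done by the client and not taken from a field the page supplies.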
What happens when the user’s phone is lost or stolen?
Most two-factor authentication that uses mobile phones falls down when the phone is lost or stolen. Most email clients keep users logged in, so attackers can simply use the stolen phone to generate OTPs and gain access to the user’s accounts. Although many OTP-based 2FA schemes require users to keep a long backup code for each different website to prevent such attacks, keeping these safe and accessing them quickly isn’t easy.
Keyy allows for remote deactivation from the Keyy website, preventing such attacks and keeping users secure.