The password as a digital authenticator is under more strain than ever. But is the answer to memorizing multiple complex secure passwords to rely on proximity and a physical wristband for logging in to devices and websites? The U.S.-based makers of a device called Everykey believe so.
They’re currently Kickstarting their wearable, looking to raise $100,000 to turn a prototype Bluetooth-powered authentication wristband into shipping product by March next year.
They’re not the only ones eyeing up the security potential of wearables either, with Apple’s forthcoming Watch apparently relying on a biometric heart rate for authentication when using its NFC-powered Apple Pay function. Toronto-based startup Nymi is also working on a heart-wave sensing authentication wearable. (We saw a demo of their wristband back in April.)
Everykey is following a similar wearable route to Nymi, with a basic wristband that has a single security-focused purpose, but is not bothering with any biometrics, which does mean you’re putting your passwords in a single unsecured physical basket (i.e. a form that can be stolen and used by someone else to log into your stuff).
Why is it avoiding any biometric component? Everykey CEO Chris Wentz expresses scepticism about acquiring accurate electrocardiogram data — as Nymi aims to do — via a single wearable point, i.e. rather than having multiple electrodes on the body. Hence Everykey staying away from biometrics.
It’s also aiming to undercut Nymi on price — given that there’s less sensor kit required inside its wristband it can offer the wearable at a lower price point. The Everykey is up for pre-order via Kickstarter for $50, vs Nymi costing $79. It also offers better battery life, of up to a month.
Wentz says the company is expending effort on making its wristband look a bit more #FASHION than the average generic plastic bangle. Although, to my eye, there’s not a huge amount in it…
What about the inherent insecurity of putting physical passwords in an easily stealable form? “You can disable your Everykey at any time just like a credit card by calling us or deactivating it through our website,” was Wentz’s response. So this is absolutely a trade-off between convenience and security.
But, given how troublesome passwords are becoming, it may be a trade-off some people are willing to make. The problem of overly simplistic passwords is huge and growing, with hackers data-mining leaked repositories of passwords to get better at guessing the words humans use to try to secure their digital stuff.
If a password is simple enough to be memorable, chances are it’s hackable. But more complex passwords are also starting to be cracked as hackers train their systems on leaked password data to get better at brute forcing our 0p3n s3s4m3s.
Password manager software, such as LastPass or PasswordBox, is one answer to this growing password-generated security gap. Everykey’s wearable device, which uses proximity and Bluetooth to work with a range of devices as well as websites, is another — although the wearable won’t support authenticating mobile apps unless developers integrate Everykey’s SDK. So it’s not a case of one ‘wrist-ring’ to unlock them all.
The Everykey wearable does not store any passwords itself, acting purely as an authenticator, via an encrypted signal sent over Bluetooth 4.0 when the wristband is within a customisable range to the Bluetooth device you are using. Device passwords are stored on the devices themselves in keychains, while website passwords are encrypted and stored on Everykey’s servers.
The use of Bluetooth 4.0 limits which devices it can unlock, unless you add a Bluetooth dongle to older hardware, and iOS unlocking will only work for jailbroken devices. For PC users, Everykey is also only compatible with Windows 8.1+; older versions of Windows aren’t supported, so again that’s a limit to its usefulness.
What about website compatibility? “Every website I’ve tried Everykey on has worked with Everykey. Our algorithm for identifying a login field is pretty well refined and while we can’t guarantee that it will work with all websites, it’s very reliable and works on all the top websites (Facebook, Gmail, Twitter, etc) as well as every other website we’ve tried it on,” says Wentz.
“In terms of the devices themselves, Android, iOS, Windows, Mac OS, and Linux are all supported — keeping in mind that iOS requires a jailbreak for the device unlock itself,” he adds.
There is apparently no limit on the number of close-by devices that can be authenticated via the wristband — a tech it has filed a patent on. However, it’s still working on ways to support logins to websites where a user has multiple accounts and so might want to specify which account to log in to. Managing multiple Everykeys owned and used in close proximity to each other also sounds like it will require some additional thought to avoid the wrong user being logged in.
Setting up Everykey for unlocking supported devices entails downloading an Everykey app, then pairing it with the wristband (pushing a button on the device to activate pairing mode) — and then typing in a unique code printed on the back.
When logging into a website for the first time, Everykey automatically encrypts and stores your username and password for that website, via a browser extension (once you’ve installed its software). The companion software can also be used to generate a complex password, as other password manager software offerings do, if you don’t want to come up with a tough enough string yourself.
Everykey looks to be — at best — a partial fix to a messy problem, and one that evidently prioritizes fashionable convenience over security.
Adding a two-factor authentication feature that loops in the proximity of the mobile user’s phone to bolster security would be a welcome addition but isn’t currently offered. “Two factor authentication is something we’re interested in, it’s not yet a feature but may become one if there’s enough demand,” says Everykey, responding to comments on its Kickstarter campaign.
With caveats like these it’s clear Everykey won’t be for everyone. But it’s managed to pull in close to half its $100,000 funding goal thus far, still with almost two weeks left on the clock, so this wearable password manager may yet fly. If its makers get their prototype to market, how smoothly it flies and how far it travels remains to be seen.