
@moreati
Created February 6, 2016 12:23
Some Q & A regarding EveryKey


Reformatted from the comments section of EveryKey's project on Indiegogo. Questions were asked by Stephanie Bouniol (a backer) and answered by Daniel Thomas (a campaigner) in early January 2016.

  1. Is there a way to keep some short PINs or a full password in addition to Everykey (multifactor), at least for some entries (like my online banking)?

Multifactor authentication is not something that we have planned for the initial release of the Everykey application and browser extensions, but it is something we are looking to add to a later release.

  2. Why can't I store the passwords simply on my PC or Android devices instead of in a cloud?

The password to your PC or Android is stored only on that device (if necessary, the means of bypassing passwords varies across OSes). However, for online accounts we store the passwords on our secure servers in order to allow synchronization across devices. Otherwise you will not have centralized access to all of your online accounts. For example, some of your online accounts could be stored on your laptop while others are stored on a desktop you keep at home.

  3. How do you securely update your tokens? (Are you relying on an RSA-signed key (what size?), or does each key come preloaded with random OTPs?)

Each Everykey has a unique secret that, along with the user's secret, is used to create a 128-bit encryption key. We use the Diffie-Hellman secure key-exchange method to get the key to both the application and the Everykey device without ever broadcasting the 128-bit key directly.
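The answer above names the ingredients (a per-device secret, a user secret, a Diffie-Hellman exchange, a 128-bit key that never goes over the air) but not how they fit together. The following is an added example, written for this page and not Everykey's own code, of one way those pieces combine: a finite-field Diffie-Hellman exchange between an "app" side and a "device" side, followed by a 128-bit key derivation that mixes in both long-term secrets. Everything specific is an assumption that the original answer does not make: the DH group (RFC 3526 group 14, generator 2), HKDF-SHA256 as the derivation function, and the way the device secret and user secret enter it. The sample secrets are constructed for the demo.

```python
"""Added example: DH exchange plus 128-bit key derivation (not Everykey's code).

Assumptions not stated in the original answer: RFC 3526 group 14 as the DH
group, HKDF-SHA256 as the KDF, and the device secret as HKDF salt with the
user secret in the HKDF info. Standard library only, so it runs offline.
"""
import hashlib
import hmac
import secrets

# RFC 3526, 2048-bit MODP group ("group 14"), generator 2.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
Q = (P - 1) // 2  # P is a safe prime, so G generates a subgroup of prime order Q


def dh_keypair():
    """Return (private exponent, public value) for one side of the exchange."""
    priv = secrets.randbelow(Q - 2) + 2  # 2 <= priv <= Q-1
    return priv, pow(G, priv, P)


def public_value_ok(y):
    """Check a received public value before using it.

    Rejects out-of-range values and anything outside the order-Q subgroup,
    so a peer cannot send 1 or P-1 and force the shared secret into a tiny set.
    """
    return 2 <= y <= P - 2 and pow(y, Q, P) == 1


def dh_shared(priv, peer_pub):
    """Raw shared secret g^(ab) mod p as fixed-length big-endian bytes."""
    if not public_value_ok(peer_pub):
        raise ValueError("invalid peer public value")
    s = pow(peer_pub, priv, P)
    return s.to_bytes((P.bit_length() + 7) // 8, "big")


def hkdf_sha256(ikm, salt, info, length):
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_session_key(shared_secret, device_secret, user_secret):
    """128-bit key from the DH output plus both long-term secrets.

    Assumed construction: the device secret salts the extract step; a label
    and the user secret go into the expand step's info. A peer who completed
    the DH exchange but lacks either secret derives a different key.
    """
    return hkdf_sha256(shared_secret, device_secret,
                       b"everykey-example-v1" + user_secret, 16)


def run_exchange(device_secret, user_secret):
    """Simulate both parties. Returns (app_key, device_key, transcript)."""
    app_priv, app_pub = dh_keypair()
    dev_priv, dev_pub = dh_keypair()
    # What goes over the air: only the public values, never the derived key.
    transcript = [("app->device", app_pub), ("device->app", dev_pub)]
    app_key = derive_session_key(dh_shared(app_priv, dev_pub), device_secret, user_secret)
    dev_key = derive_session_key(dh_shared(dev_priv, app_pub), device_secret, user_secret)
    return app_key, dev_key, transcript


if __name__ == "__main__":
    # Constructed sample secrets; real ones would be provisioned at manufacture and enrolment.
    dev_secret = bytes.fromhex("00112233445566778899aabbccddeeff")
    usr_secret = b"correct horse battery staple"
    a, d, msgs = run_exchange(dev_secret, usr_secret)
    print("keys match:", a == d, "| key bits:", len(a) * 8)
    for who, val in msgs:
        print(who, hex(val)[:22] + "...")
```

Two things a practitioner would check here that the answer leaves open. First, a bare Diffie-Hellman exchange is unauthenticated, so an attacker in the middle can complete one exchange with each side; folding the device and user secrets into the key derivation (as above) is one way to make such an attacker's keys useless, since it cannot compute the same 128-bit key without those secrets. Second, received public values must be validated (range and subgroup checks) before they are raised to the private exponent, or a malicious peer can steer the shared secret into a handful of predictable values.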

  4. Why do you need an Indiegogo in addition to Kickstarter?

We have launched an Indiegogo campaign in addition to our Kickstarter campaign in order to raise awareness for our product by reaching a wider audience and continue to raise sales to help make Everykey a reality.

  5. Will you open source your software stack to ensure no backdoors?

We may open source parts of our upcoming Everykey application for Linux, but we do not have plans to open source any of the other applications.

  6. Under which legal jurisdiction are your vaults located? (US? UK?)

The secure server storage is located in the US.

  7. Can I still use the key to unlock my PC and website passwords without Internet access (for instance internal websites on a LAN only)? That would imply having a local copy of the keys (as opposed to a cloud-only solution).

You will be able to unlock your devices (PC, Android, etc.) without Internet access. You will need Internet access to login to your online accounts with Everykey, even websites hosted on a local network.

  8. Do you plan to integrate Everykey with major standard products (KeePass, RoboForm, OpenID, Authy, ...)?

We are interested in integrating our service with others, but are not publicly announcing any partnerships at this time.

  9. Do you have a max-retries timeout limit to prevent someone from constantly probing Everykey and killing the battery or DoSing the device?

In its standard mode, the Everykey only sends packets and does not listen for any, so a DoS attack would be ineffective at killing the battery or interfering with the service.

  10. Technically speaking, if someone gets his Everykey and he doesn't realize it for a few hours (gym locker break), what is preventing Charlie from accessing each and every account associated with that user, changing all the passwords to CharlieBitme, then emptying bank accounts, etc.?

The Everykey itself is just an authentication device and does not store any passwords. In order for a thief to make use of it, they will have to have also stolen your PC or smartphone. If they attempted to use it from a computer that was not paired with your Everykey then they would have to download the application for that device and login with your Everykey account credentials (The Everykey alone is not enough) to access your online account passwords. Everykey is a lot like a normal house or car key and just like one should not store their car key inside of their car or their house key under the welcome mat, it is advisable to not store an Everykey with a phone or laptop that it is paired to. Good security relies on common sense.
