Clef Two Factor Authentication is Shutting Down
This morning, two-factor authentication plugin Clef, also known as GetClef, announced that they are shutting down. They currently have more than 1 million active WordPress websites using their two-factor authentication plugin.
According to the announcement on their blog, their team will be joining another company and they will provide more info in the coming weeks. At this point we don’t have any more detail on who Clef is joining and under what circumstances.
Clef will continue operating for another three months, starting today. Their final shutdown date is June 6th, at which point their apps will be removed from the Google Play and Apple App stores.
Clef have been kind enough to recommend their users transition to Wordfence. They have written a guide to help ease the transition. Wordfence Premium supports traditional SMS based cellphone sign-in along with two factor using Google Authenticator.
Wordfence currently has over 40,000 customers who also use Clef. If you fall into that group, we recommend you disable and remove the Clef plugin and switch to using Wordfence two-factor authentication. You may need to upgrade to Premium to do this if you aren’t already a Wordfence Premium customer.
If you are one of the 1 million+ websites who use Clef and don’t currently have Wordfence installed, we recommend you install Wordfence and upgrade to Premium, which will provide you with SMS based two-factor authentication along with the ability to use the Google Authenticator app if you prefer that.
This announcement caught many of us by surprise. The entire Wordfence team wishes the Clef team well as they join another company and we look forward to learning more about their future projects.
Comments
12:44 pm
This caught me and I'm sure, many others by complete surprise; blind-sided I might say. The fact that the app was free was great for non-profits such as I perform work for. Even a small fee like $25 a year would have been acceptable.
Any chance Wordfence would buy out Clef? It is an easier service than the standard two-factor apps as many clients resist getting text messages or using something like the Google authenticator.
12:47 pm
Hi Ed,
My guess is they just got bought by someone - possibly in the Bay area. So I don't think they're on the market.
Mark.
12:47 pm
No! (verbosely extended, down on your knees, arms in the air, dramatized version)
I truly loved their authentication factor! Holding those squiggly (or bouncy) bars on my phone up to the screen simply gave me the warmest, fuzziest feeling inside, like my site was secure in mothers arms.
Albeit, I am one of the 40k who had both, and have always appreciated WordFence and the security they provide also, which I suppose is like a father with a baseball bat in keeping with the same analogy, there's nothing like being in your mothers arms :), am I right?
Hehe, a little joking there but I did have clef first and am just in awe, shock, and bewildered that this is happening, seemingly out of no where. It was just those unique lines on my phone, looking at the PC screen that just truly nailed the secure log-on feeling.
As-in, preventing the "theft" before it happens as opposed to cleaning up the mess and dealing with the insurance company who has you covered; that was the FEELING not the reality, I'm aware, I've been supremely impressed with your work over there Mark and do love and appreciate these updates. I suppose it's just the shock of this announcement has me somewhat lost!
I loved having both, truly, but rest assured I am 100% confident that WordFence will secure my future, just as it has in the past and will only cost minimally to have the same feeling, while also keeping it in the family!
1:13 pm
Wordfence Premium supports traditional SMS based cellphone sign-in along with two factor using Google Authenticator.
Just to let others know that there are alternatives, I use Microsoft's Authenticator instead of Google's with Wordfence.
Mark, it's fun watching your company succeed and grow. GetClef made a wise choice in recommending your company.
1:19 pm
Thanks Kevin.
4:19 pm
*PLEASE* dont use SMS as MFA. NIST has recommended against it, and may move the recommendation to be completely deprecated as it is insecure.
Here is the NIST draft
https://pages.nist.gov/800-63-3/sp800-63b.html
10:42 pm
The quote: "Note: Out-of-band authentication using the PSTN (SMS or voice) is discouraged and is being considered for removal in future editions of this guideline."
Implementing two factor using SMS is a huge improvement on security. It's incredibly unlikely a WordPress site is going to be targeted by someone with the capability and motivation to sniff SMS off the airwaves in order to capture a 2-factor token. However, using an authenticator app with end-to-end encryption is more secure than SMS because the phone system is using legacy protocols that make it vulnerable.
Thanks for posting John.
12:52 pm
The much more likely scenario for SMS 2FA is that social engineering is used to transfer an account and phone number to the attacker allowing them to receive the text messages than to intercept the SMS messages. There at quite a few examples of this out there on various media outlets and blogs, it isn't just a hypothetical situation. While it is a targeted attack and not likely it is still possible and when Google Authenticator or another means of 2FA is possible that should be used.
8:55 am
The real issue with SMS is not that the attack is performed by sniffing the SMS airwaves but by someone hijacking the SMS account at the phone provider/SIM card level. There has been a number of these attacks documented and demonstrated on the BBC radio here in the UK against banking customers. Using an app like Google Authenticator is way better.
9:36 am
I'd love to know the detailed steps to use Microsoft Authenticator with WordPress and Wordfence. TIA.
5:51 pm
I don't want to discourage anyone from using Wordfence for2f authentication but I don't use it because I was unaware that you added the ability to use the Google Authenticator and when I tried your SMS based authentication I found it very difficult to use. You can also use Wordpress.com for 2f authentication and there are also many free plugins that use Google Authenticator.
9:45 am
I wrote my post yesterday in a whirlpool of confusion, illness, and lack of sleep (flu with a 6 month old is just the best, I'd highly recommend it to anyone); as such I'm not too thrilled at it's message and want to make a different case here.
The benefit of Clef wasn't just the 2F Auth. The truly advantageous aspect of their plug-in was what became the utter ease of the log-in process. With a smart phone with Finger ID, logging into my site(s) became a breeze.
It was as simple as: open the browser, click the bookmark to login screen, clef immediately started "bouncing" there, pick up iPhone, thumb to unlock, open the Clef App, thumb to gain access to Clef App, done. No typing, no passwords, no texts.
This is my real point here. The lack of needing to remember another password (or several depending on what you do, say help others with their WordPress sites). The ease of getting into the site. The security knowing someone would need part of my body to get into my site unwarranted. It really was the epitome of "boom, boom, boom;" simple, secure, quick and effective! Not to mention aesthetically pleasing and somewhat fun to boot.
In the coming weeks (perhaps months) I hope to find a similar solution that poignantly matches my main points above:
>> no passwords, ability to use finger ID, secure, quick, and simple <<
I also offer this as advice to you guys at WordFence, should you ever choose to delve further into this realm of the security sector & take David's (et al.) advice of moving away from the SMS sphere / Google Auth.!
3:44 am
I am shocked no one else uses clef for the reason I do...
to completely remove the username and password fields.
Brute force attacks seriously hurt my bandwidth.
I need a way to login without a possibility of brute force attacks.
Clef provided me with this solution and no other 2 factor authentication does.
The problem is not getting hacked, the problem is the attacks killing my website load times.
The best solution for me would be jetpack login + removal of the username and password option completely.
Can someone help me find this type of solution?
7:51 am
Clef discontinuing the service and Sucuri bought by GoDaddy: if Wordfence comes up with a "clef-like" security system for their premium clients, I bet they would gain a consistent number of new customers.
12:10 pm
Come on folks - seems pretty clear that this site - Wordsfence - is the one who either bought Clef or bought out their owners. Why would the Clef folks "suggest" their users go to Wordfence - it's obvious...
1:08 pm
Clef was bought by Twilio.
https://blog.getclef.com/clef-is-joining-twilio-47b936cafd2e