When you think of online security, hopefully by now two-factor authentication springs to mind. WIRED certainly pushes the feature every chance we get. And for good reason! It’s a solid protection against common web attacks like phishing and credential stuffing. But when Chris Coyne and Max Krohn, who previously cofounded OkCupid, launched their own digital identity and encrypted chat platform in 2014, they decided against using 2FA at all. Which is less radical than it sounds.
Keybase is open source and audited by (paid) third parties, but users and two-factor authentication advocates often ding the company for not offering 2FA. Keybase says, though, that conventional two-factor wouldn’t protect Keybase accounts in the way you might think. And if you look closely, you’ll notice that many similarly sensitive products, like password managers or secure messaging apps like Signal, often don’t offer conventional two-factor either.
“The two-factor authentication people usually talk about just doesn’t make sense with the model of how Keybase works,” says Max Krohn, cofounder and CEO of Keybase.
Two-Factor or Not Two-Factor
Two-factor authentication is a specific tool with a lot of important uses, but it’s not a one-size-fits-all solution to every data security issue. “People have misconceptions of how 2FA works in the context of encryption or things like password vaults,” says Maximilian Golla, a researcher at the Max Planck Institute for Cyber Security and Privacy in Germany. “If this tells us anything it’s that the topic is rather complicated. I don’t expect most people to automatically understand what’s going on here.”
You probably intuitively know how most web services are set up. Data typically lives on an internet-connected server that you access through a web browser. If it’s sensitive data, a password protects it so that only authorized people can access it, but they can still pull it up on the go. The magic of the internet!
When you provide those login credentials to a server you are “authenticating” yourself, essentially saying “It is I! A person who is allowed to access this data.” The server checks the password you provide against the password it has on record next to your name—like a bouncer at an exclusive club—and if they match, you’re good.
“There are special cases where it offers much less security than implied.”
Jeffrey Goldberg, AgileBits
You almost certainly know from experience that this system is very flawed. It’s hard to store a lot of passwords in your head, so you choose things that are easy to remember, or use the same password again and again. (Don’t do that.) And if someone can steal or guess your password—pretty easy when you reuse one, or set it as your birthday and pet’s name—they can use it to log into places as you. Which is bad.
So over the years a solution has evolved: a second level of authentication after the password. And by the time the idea took hold, a lot had changed in the digital world. Namely, smartphones. So the two factors of web authentication became “something you know,” your password, and “something you have,” a phone that gives you a numeric code from a text message or a code-generating app.
This authentication setup still has problems—for example, you can still be tricked into handing over both your password and your two-factor code to clever phishers—but overall it’s a huge improvement. It’s just not the only improvement. The rise of smartphones and other technological advances have also made it possible to fundamentally set up web services differently, allowing people to move past the old concept of passwords and two-factor altogether. Instead of being on the bouncer’s list at the club, all you need to know is how to throw a good house party.
Keybase is end-to-end encrypted, meaning that data is only ever understandable at either end of an interaction, like the two smartphones in a messaging thread. The rest of the time, whether the data is in transit across the web or sitting on Keybase’s servers, no one—including Keybase—can read it. (Some encrypted platforms, like Signal, go a step further by not storing data at all.) Instead, you need the ability to decrypt data locally on your devices. That’s the house party.
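As an added illustration (not code from the article, from Keybase, or from any product it mentions), here is a Python sketch of the two models just described: the "bouncer" server that checks a password verifier and then hands over plaintext, beside the end-to-end model where the key is generated on the device and the server stores only ciphertext it cannot read. The SHAKE-256 keystream cipher and the PBKDF2 settings are assumptions made for illustration.

```python
import hashlib, hmac, os, secrets

ROUNDS = 100_000  # PBKDF2 work factor (illustrative value)

# "Bouncer" model: the server keeps a password verifier next to the data and
# hands the plaintext to anyone who passes the check. A second factor would be
# one more check at this same gate, after which the server still hands over data.
class BouncerServer:
    def __init__(self):
        self.users = {}  # name -> (salt, verifier)
        self.data = {}   # name -> plaintext the server can read at any time

    def register(self, name, password, data):
        salt = os.urandom(16)
        verifier = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
        self.users[name] = (salt, verifier)
        self.data[name] = data

    def login(self, name, password):
        salt, verifier = self.users[name]
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
        return self.data[name] if hmac.compare_digest(cand, verifier) else None

# "House party" model: the key lives only on the device, and the server stores
# ciphertext it cannot read. Toy cipher: SHAKE-256 keystream XOR (an assumption
# for illustration only; a real system uses an authenticated cipher).
def keystream_xor(key, nonce, data):
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

class Device:
    def __init__(self):
        self.key = secrets.token_bytes(32)  # generated and kept on the device

    def encrypt(self, plaintext):
        nonce = os.urandom(16)
        return nonce + keystream_xor(self.key, nonce, plaintext)

    def decrypt(self, blob):
        return keystream_xor(self.key, blob[:16], blob[16:])

class E2EServer:
    def __init__(self):
        self.blobs = {}  # name -> ciphertext only; no key and no verifier needed

    def store(self, name, blob):
        self.blobs[name] = blob

    def fetch(self, name):
        return self.blobs[name]  # whoever fetches this still needs a device key
```

In the first model, anything that passes the login gate (password, plus a code if you add one) receives the plaintext; in the second, the server never holds anything that would let it, or a second device without the key, read the data.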