The Cipherpod is not a password retention / password management device, nor does it perform public key / FIDO2 authentication. Its job is strictly to generate strong passwords from minimal credentials that are easy for a human to provide.
Frequently Asked Questions
But passwords suck! Why would we need something else to create more passwords when we’re trying to get away from passwords?
Passwords are 1 of 5 factors of authentication (what you know, what you have, who you are, when you are, where you are). The truth is we will never be free of passwords in our lifetimes, so this product makes passwords easier for people and harder for attackers.
Does this replace multifactor authentication?
No – multifactor remains a critical element of security. After entering your password, you should be prompted on your phone or other device for confirmation (see above, what you have is part of multifactor authentication, which we still need).
So you’re saying I need to carry a device to create a password and then another device for multifactor which I already have, so this is just another device to carry around?
The answer is yes, but you either carry an enormous password in your brain or you carry a device to type it in for you. This device is a little bigger than a pad of Post-It Notes and is arguably more capable, plus password managers only work after you boot up your machine. This device makes it easier while making your password much, much stronger.
What about my password manager? It generates passwords too.
You have to be logged in to use it – password managers require an operating system. Full drive encryption is pre-boot, and logging in to your computer post-boot requires that you look up your password and then type it in, which for complex passwords can be really frustrating.
So what’s with the multifactor to generate a password?
This device uses something easy to remember (a PIN) and something you have (an RFID tag). Typing in a 4-6 digit number and swiping an RFID tag is way easier than remembering a 12-14 character complex password, especially if you have to change it regularly, and this is infinitely easier than typing a 43 character complex password for drive encryption.
This seems like overkill, my password is “MyPass123!” and it works just fine.
It works just fine now, but people only have to have their bank records or identity stolen once to never make that mistake again, so how do you feel about gambling? People need strong passwords, and once they have a strong password they still need to be able to change it easily. Something that comes up with and types out strong passwords for you, yet is easy for people to deal with – that’s what this product does.
Speaking of overkill, who needs a 23 or even 43 character password??
Individuals don’t have the same infrastructure as corporations, who use Single Sign On, which is a great deal tougher than what we use at home and raises their security by orders of magnitude over the homes of the people who work for them. This device provides powerful security for those without corporate infrastructure and yet is just as easy to use. Full drive encryption and setting a password to use at the office are now both as strong and as easy for the individual user.
Google, Facebook, Microsoft and others offer Single Sign On, why does anybody need an overpowered password generator?
When corporations offer Single Sign On for something like Facebook or GMail, they are in control of your credentials, and when Google for example gets their SSO infrastructure compromised, all users lose control of their data (which actually happened). SSO in an enterprise is not the same as SSO for Facebook when you’re at home. Still, you have to enter a password for their SSO solution anyway! It may as well be easy to change and trivial to remember, yet tough as nails.
This small device can’t possibly have a True Random Generator on board, it’s not really secure.
The Cipherpod is deterministic: it generates the same password as long as you enter the same PIN and present the same RFID key. As such it uses no public/private keys and has no on-board encryption, TPM or other key vault; that’s not what this device is for, so it doesn’t need a PRNG. The password it generates is derived from an HMAC-512 key, so its passwords are very secure.
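To make the two answers above concrete (a PIN plus an RFID tag as the inputs, and a deterministic HMAC as the generator), here is an added example that is not the Cipherpod's own code and does not describe its actual derivation. It assumes HMAC-SHA512 with the tag UID as the HMAC key and the PIN as the message, a 76-character output alphabet, and a 7-byte tag UID; all of these are assumptions, since the page only says "HMAC-512". The entropy helpers show the check a defender would want: a long output password carries no more entropy than the PIN and tag that produced it, so the tag UID is the secret that actually matters.

```python
import hmac
import hashlib
import math

# Assumed output alphabet (the page does not state one): 26 + 26 + 10 + 14 = 76 symbols.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+"


def derive_password(tag_uid: bytes, pin: str, length: int = 23, alphabet: str = ALPHABET) -> str:
    """Deterministically derive a password from an RFID tag UID and a PIN.

    Assumed construction: HMAC-SHA512(key=tag_uid, msg=pin || counter), with the
    digest bytes mapped onto the alphabet by rejection sampling (no modulo bias).
    Same tag + same PIN always yields the same password; the counter just lets us
    request more bytes than one 64-byte digest provides (e.g. a 43-char password).
    """
    if not pin.isdigit() or not 4 <= len(pin) <= 6:
        raise ValueError("PIN must be 4-6 digits")
    limit = 256 - (256 % len(alphabet))  # largest multiple of |alphabet| below 256
    out = []
    counter = 0
    while len(out) < length:
        msg = pin.encode() + counter.to_bytes(4, "big")
        block = hmac.new(tag_uid, msg, hashlib.sha512).digest()
        for b in block:
            if b < limit:  # reject bytes that would skew the distribution
                out.append(alphabet[b % len(alphabet)])
                if len(out) == length:
                    break
        counter += 1
    return "".join(out)


def input_entropy_bits(pin_digits: int, uid_bytes: int) -> float:
    """Upper bound on secret entropy: a numeric PIN plus a uniformly random UID."""
    return pin_digits * math.log2(10) + uid_bytes * 8


def output_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy a password of this length *looks* like it has to a brute-forcer."""
    return length * math.log2(alphabet_size)


def effective_entropy_bits(pin_digits: int, uid_bytes: int, length: int, alphabet_size: int) -> float:
    """A deterministic generator cannot exceed the entropy of its inputs."""
    return min(input_entropy_bits(pin_digits, uid_bytes), output_entropy_bits(length, alphabet_size))


if __name__ == "__main__":
    # Constructed sample tag UID (7 bytes, the length of a double-size ISO 14443 UID).
    tag = bytes.fromhex("04112233445566")
    print("office password :", derive_password(tag, "123456", 23))
    print("disk password   :", derive_password(tag, "123456", 43))
    print("a 6-digit PIN alone contributes %.1f bits" % input_entropy_bits(6, 0))
    print("effective entropy of the 43-char password: %.1f bits"
          % effective_entropy_bits(6, 7, 43, len(ALPHABET)))
```

Note the design point the entropy figures expose: a 4-digit PIN is worth about 13 bits and a 6-digit PIN about 20, so if the tag UID were ever recorded the password space collapses to the PIN space. Treat the tag as the credential to protect, and do not reuse the same PIN and tag pair for a second password without adding a per-account salt to the message.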
There’s a problem with devices that send passwords, such as Yubikey and others – they’re too fast. When using RDP or services over a VPN, you get characters dropped. Is this device too fast?
Fast but not too fast: it’s tested and guaranteed to work over VPN, Remote Desktop / RDP and other remote applications where latency is present.