LaunchKey Blog

New Biometric Facial Scan in LaunchKey Mobile

Posted 2014-08-04 by Geoff

In May, we added support for biometric fingerprint authentication to LaunchKey Mobile on supported devices. Today, we're excited to announce the release of another new biometric authentication factor: facial scan.

With this new inherence factor of authentication, you can authenticate with the biometric signature of your unique face. Instead of swiping the LaunchKey slider upwards to authorize an authentication request through LaunchKey Mobile, you'll utilize the front-facing camera on your mobile device to scan and authenticate your face.

Now that we've added facial recognition to LaunchKey Mobile, you'll automatically be able to extend this powerful authentication to any LaunchKey-supported system. With LaunchKey's WordPress plugin for example, LaunchKey becomes the first plugin to bring biometric facial recognition to WordPress. Check out our docs section to see what other systems LaunchKey integrates with or utilize our REST API to make your own integration.

Facial Scan is currently available on all supported iOS and Android mobile devices. To set up Facial Scan, enable it within your control panel inside LaunchKey Mobile. And don't worry about the sensitive nature of your biometric data -- as with all authentication data used by LaunchKey, your biometric data is encrypted and stored locally on your device and not on LaunchKey servers.

Rivetz Corp. Partners with LaunchKey

Posted 2014-07-31 by Geoff

Did you know most modern computing devices like PCs, smartphones, and tablets come with special cryptoprocessors or "crypto chips" made specifically for the secure operation and storage of cryptographic data? This special hardware provides more security for cryptographic functionality by segregating the cryptographic operations and data from the standard operating environment.

Unfortunately, many developers and organizations are either unaware of this trusted execution technology or they lack the technical means to integrate with it. Fortunately, our friends at Rivetz are developing the infrastructure and tools to make leveraging these crypto chips easier and more accessible.

Today, Rivetz Corp. has announced a partnership with LaunchKey to provide a combined solution that offers a simple and secure way to utilize hardware protected multi-factor authentication with online services and applications. We're very excited to be working with Rivetz and we look forward to offering our combined solution in the near future. Stay tuned!

Read the full release here.

New Admin Features: Force Auth Factors, Security Fencing

Posted 2014-07-17 by Geoff

In June, we quietly released a couple of administrative security features that give developers and organizations more control over how their end users interact with their LaunchKey-secured applications. We've made these premium features publicly available to all developers while we test them in the wild, and we'd love your feedback.

Force Authentication Factors

One of our objectives at LaunchKey is to put more power in the hands of end users to protect themselves with additional security by optionally enabling multiple factors of authentication on their mobile device. If an end user deems it necessary, they can enable any of the knowledge, possession, or inherence factors of authentication available within LaunchKey Mobile such as geofencing, the combo lock, Bluetooth device factor, and others.

However, sometimes an organization or application has such stringent security needs that it must ensure its end users (e.g. employees or customers) utilize a minimum level of security. For these use cases, we now provide the ability to force the use of specific authentication factors, types of factors, or number of factors, from the API side.

To utilize this premium feature, log in to Dashboard, select the developer application you would like to enable this on, and click on the Security tab.

Security Fencing

A security fence allows a developer or administrator to set constraints or rules (the "fence") that an end user must comply with in order to authenticate. With this update, multiple fences can be applied to an application on an app-by-app basis.

With a geo-fence, an application can limit its end users to within a specified distance from a given geographical point. A real-world example may be an organization restricting access to internal employee systems by placing a geo-fence around their corporate headquarters or an application developer using geofencing around her home.

A time-fence works like a geo-fence, but instead of constraining end users to a specific geographic area, end users are constrained to a specific period of time (or multiple periods of time).

To utilize this premium feature, log in to Dashboard, select the developer application you would like to enable this on, and click on the Security tab.
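How a geo-fence and a time-fence decision can be evaluated, as an added example that is not LaunchKey's code or API. Every name, the sample coordinates and the combining rule (any fence of a kind may match, every kind that is configured must match) are assumptions; a missing location fix denies the request.

```python
"""Added example: evaluating geo-fences and time-fences for one application.
All names are hypothetical; this is not LaunchKey's API or implementation."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional, Sequence, Tuple

EARTH_RADIUS_M = 6_371_000  # mean Earth radius in metres


@dataclass(frozen=True)
class GeoFence:
    lat: float
    lon: float
    radius_m: float

    def allows(self, position: Optional[Tuple[float, float]]) -> bool:
        if position is None:  # no location fix available: fail closed
            return False
        lat, lon = position
        p1, p2 = radians(self.lat), radians(lat)
        dp, dl = p2 - p1, radians(lon - self.lon)
        # Haversine great-circle distance between fence centre and device
        a = sin(dp / 2) ** 2 + cos(p1) * cos(p2) * sin(dl / 2) ** 2
        return 2 * EARTH_RADIUS_M * asin(sqrt(a)) <= self.radius_m


@dataclass(frozen=True)
class TimeFence:
    days: frozenset  # weekdays on which the window opens, Monday = 0
    start: time
    end: time
    tz: timezone     # zone in which start/end are expressed

    def allows(self, now: datetime) -> bool:
        if now.tzinfo is None:
            raise ValueError("timestamp must be timezone-aware")
        local = now.astimezone(self.tz)
        t, day = local.time(), local.weekday()
        if self.start <= self.end:  # window inside one calendar day
            return day in self.days and self.start <= t < self.end
        if t >= self.start:         # evening part of an overnight window
            return day in self.days
        if t < self.end:            # morning part: it opened the day before
            return (day - 1) % 7 in self.days
        return False


def fences_allow(geo: Sequence[GeoFence], times: Sequence[TimeFence],
                 position: Optional[Tuple[float, float]], now: datetime) -> bool:
    """Assumed rule: any fence of a kind may match; each configured kind must."""
    geo_ok = not geo or any(f.allows(position) for f in geo)
    time_ok = not times or any(f.allows(now) for f in times)
    return geo_ok and time_ok


# Constructed sample policy: 500 m around a made-up headquarters location,
# weekdays 08:00-18:00 plus a Friday night shift, in a fixed UTC-7 offset.
LOCAL = timezone(timedelta(hours=-7))
HQ_FENCE = GeoFence(lat=36.1699, lon=-115.1398, radius_m=500)
OFFICE_HOURS = TimeFence(frozenset(range(5)), time(8), time(18), LOCAL)
NIGHT_SHIFT = TimeFence(frozenset({4}), time(22), time(6), LOCAL)

if __name__ == "__main__":
    thursday_morning = datetime(2014, 7, 17, 17, 0, tzinfo=timezone.utc)
    for pos in [(36.1712, -115.1405), (36.1147, -115.1728), None]:
        ok = fences_allow([HQ_FENCE], [OFFICE_HOURS, NIGHT_SHIFT], pos, thursday_morning)
        print(pos, "->", "allow" if ok else "deny")
```

A fixed UTC offset keeps the example self-contained; a deployment that has to follow daylight saving would express the windows in a named time zone instead.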

Fingerprint Authentication

Posted 2014-05-06 by Devin

We are excited to announce that LaunchKey for Android has been updated to support the Samsung finger scanner. This feature is currently available on the Samsung Galaxy S5, allowing anyone with this device to take advantage of password-free logins secured by their fingerprint.

Starting today you can log in with your fingerprint to any site that has integrated LaunchKey. This includes WordPress sites, any site that supports OpenID (StackExchange, etc) and any additional LaunchKey integration. Developers and site owners can integrate LaunchKey today for free to enable fingerprint authentication.

To get started, simply update or download the LaunchKey for Android application and enable the Finger Scan feature. Any time a request comes in, your fingerprint will now be required to complete the login process.

View of LaunchKey Android Finger Scan View of LaunchKey Android Fingerprint Request

This is the first step LaunchKey has taken into biometrics as a factor of authentication. We applaud Samsung for opening this feature up to developers and we hope additional manufacturers take notice. We will continue to leverage all hardware, devices and features available that enable LaunchKey to build a strong multi-factor platform for our users.

If you have any questions or comments regarding this feature, please contact us!

LaunchKey and Heartbleed

Posted 2014-04-25 by Devin

It has been a little more than two weeks since the SSL/TLS bug known as Heartbleed hit. LaunchKey systems utilize OpenSSL and were patched immediately after a fix was available. This was important as our systems were updated before any proof of concept code was public and well before it was even proven that certificates and keys could be obtained. After our forensic analysis, there is very little evidence that this bug was ever used against LaunchKey systems. However, as a precaution we've had to update our SSL certificates and keys. We also terminated all active sessions at the time (Monday April 7), requiring re-authentication as a precaution.

LaunchKey authentication itself was not affected by Heartbleed. In fact, while everyone needs to reset their passwords (and OTP tokens) at sites affected by Heartbleed, LaunchKey mobile users can rest easy knowing their secure credentials remain decentralized on one's mobile device.

LaunchKey is encouraging developers to update their LaunchKey API keys. Again this is a precaution, but we will be disabling applications that do not have new keys in the near future. To get new keys, simply log in to LaunchKey Dashboard.

This update process took us longer than we liked because we use a security practice known as SSL pinning to ensure that our mobile applications are only communicating with LaunchKey servers. Both iOS and Android applications had to be updated and approved (iOS) to communicate with our new certificates. These updates have been available for more than a week now, and we are confident our users have had a chance to update their applications.

Where Did We Stand Before Heartbleed

The LaunchKey SSL setup is routinely audited and updated as necessary. For more than a year LaunchKey has utilized HTTP Strict Transport Security (HSTS) and Perfect Forward Secrecy (PFS) in our implementation. Having PFS enabled prior to this bug was vitally important, because previous SSL/TLS traffic could not be decrypted simply by obtaining the master certificate/key.

Where Do We Go From Here

In order to respond immediately to a similar situation in the future, we have implemented improvements to our mobile SSL pinning. In the future, revoking a certificate, even if a new key is required, will be quick and seamless for all parties, without a mobile update needed.

If you are a LaunchKey user or developer and have any questions regarding Heartbleed, please do not hesitate to contact us!

LaunchKey Now Available For Windows Phone Users And Developers

Posted 2013-12-20 by Geoff

View of LaunchKey Windows Phone app on Lumia 920

One of our priorities at LaunchKey is expanding our platform support in our effort to make LaunchKey truly ubiquitous. Today, I'm happy to announce LaunchKey is now available on Windows Phone through the Windows Phone app store. Just like our native iOS and Android apps, this app allows end users to respond to launch requests through their smartphone with optional authentication factors like geofencing or Bluetooth available for elite security.

Additionally, we've also released a Windows Phone OAuth SDK and native SDK for developers along with example Windows Phone apps on GitHub. As always, we encourage the white hat community to review our products and services for eligible security vulnerabilities as your responsible disclosure may be worth a bug bounty.

Happy Holidays!

Enterprise Software Security Management Infographic

Posted 2013-12-13

LaunchKey was recently featured in an infographic created by our friends at Veracode. This company is the creator of the world's leading application risk management platform. What's our affiliation with Veracode? We earned VerAfied status, offered exclusively by Veracode, earlier this year. The VerAfied status validates that we have met or exceeded industry standards for security, reliability and compliance for our anonymous multi-factor authentication platform. As you know, we take security very seriously and we are committed to developing secure applications. Take a look below.

Veracode Enterprise Software Security Management Infographic

More Proof Passwords Fail to Protect Critical Information

Posted 2013-11-25

In early October, Adobe was hit by a massive cyber attack. This well-orchestrated breach appears to have impacted more than 150 million users worldwide.

The attack is a harsh reminder that passwords fail to protect personal information and corporate data. Passwords no longer provide the security and anonymity required to protect business and personal information. But if you're reading this, you knew that already.

The slightest vulnerability in the authentication process can result in improper access, data theft, loss of intellectual property and data manipulation. As hackers get smarter, and the sheer number and combination of passwords grow, these attacks progressively increase in scope and frequency. The point is, the longer we choose to use passwords as a society, the easier we are making it for hackers to exploit and plunder the web and other sensitive systems for our personal information.

While security breaches are frustrating and inconvenient for consumers, they can spell disaster for an organization. A recent study by the Ponemon Institute revealed the average loss for companies with one or more breaches is approximately $9.4 million. And as we store more password "protected" data online, this cost is going to rise, and quickly.

Every organization is at risk and the same scenario Adobe is grappling with could easily happen to companies in the healthcare, retail, banking, legal, media and entertainment industries. Any industry with reliance upon user authentication (hint: everyone) is vulnerable.

In the world of cyber security, businesses and individuals need to stay several steps ahead of the hacker methodologies. We have to think differently. This means dumping passwords and moving to a passwordless authentication world. Not an easy task, but we're up to the challenge.

In Honor of Movember, Introducing Share Stash

Posted 2013-11-13 by Yo

Screenshot of Share Stash

LaunchKey originally stemmed from an idea at Startup Weekend in mid 2012 involving multi-person authentication. Some uses would be sharing content with someone else that should only be accessed with that other person present, or multiple people being able to sign off on a single transaction. We thought it was similar to the often-depicted "Two Man Rule" used when launching nuclear missiles with two separate launch keys, thus came the name, LaunchKey. Today, we call this feature group authentication.

In a fun little side project in honor of Movember, a movement during the month of November to increase awareness for men's health, we've built Share Stash. True to the original idea, it allows multiple people to authenticate, in this case to a shared "stash" of images. Using a technology called TogetherJS from Mozilla, two separate users are able to share a single browser session. Once both log in with their LaunchKey credentials, they'll be brought to a stash that is shared only by them. There is no need to create accounts, every combination of LaunchKey users has their own unique stash.

Share Stash is a great example of LaunchKey's unique capability to secure data with multiple individuals, and yet another example of how flexible the LaunchKey platform can be. Please check it out and let us know what you think!

LaunchKey Exceeds Praetorian's Information Security Best Practices

Posted 2013-11-07

Praetorian audits LaunchKey, awards A rating

LaunchKey has once again proven its commitment to developing secure applications for enterprise partners, developers and individuals. Praetorian, a leading information security provider, has found the LaunchKey platform exceeds information security best practices as determined by the company's well-respected security assessment.

Following their comprehensive methodology, Praetorian conducted a thorough review of the LaunchKey web and mobile applications, along with the supporting network infrastructure, for a set period of time. During the assessment we also demonstrated our ability to actively identify and remediate application vulnerabilities, earning high praise from the Praetorian assessment team.

LaunchKey is dedicated to ongoing, proactive security testing as we continue to expose the vulnerabilities inherent in passwords and revolutionize the way companies and individuals gain access to online information and content. Protecting the privacy and security of users and organizations is paramount.

Praetorian Vice President of Marketing Paul West Jauregui commented:

"The LaunchKey team demonstrated a solid understanding of security. They recognize the importance of security and quickly took steps to remediate issues identified during the initial Praetorian assessment, resolving some of the issues while testing was still underway."

LaunchKey Powers Local Motors' Keyless Control Project

Posted 2013-10-16 by Geoff

LaunchKey is partnering with Local Motors

Our newest partnership is pretty fast and cool. We’re working with the folks at Local Motors in Las Vegas to power their Keyless Control Project. Local Motors is the world’s leading open-source hardware company best known for designing, manufacturing and selling crowd-sourced production vehicles.

Here’s how it works: Most private cars are unlocked and started with a single key – a simple possession factor for authentication. You have a key. It opens your car, unlatches your hatch and starts your car. That’s great. But what’s incredible about this partnership is that through Local Motors and LaunchKey’s multi-factor authentication technology, you will have a secure and convenient keyless access to your car and its controls through your smartphone.

Local Motors’ Keyless Control Project is just the first phase of our partnership. We are also working on authentication solutions to provide remote, programmable and secure car systems to further enhance driver experience, safety and security. It’s a game changer to say the least.

Here’s what Local Motors Chief Strategy Officer Justin Fishkin had to say about LaunchKey:

“LaunchKey’s innovative solutions are an ideal match for the inspired design and rapid development provided by our global community. They will be a valuable partner as we continue to bring the world’s most innovative vehicular products to market.”

LaunchKey is also collaborating with Project 100, a Las Vegas-based complete transportation system designed to let community members get rid of their car and be more connected to their neighborhood. This project is focused on getting people out and about and truly living, working and playing in their community without being tethered to their cars. This is a truly amazing endeavor that the world will be watching. In 2014, Project 100 will enter into an invite-only beta program. Stay tuned.

LaunchKey Achieves VerAfied Status

Posted 2013-09-17 by Geoff

Veracode VerAfied Seal - July 2013

I'm proud to announce that LaunchKey has earned VerAfied status for our multi-factor authentication application. The certification validates that we have met or exceeded industry standards for security, reliability and compliance, actively identifying and remediating application vulnerabilities to provide our users with one of the highest levels of software assurance and security verification. The VerAfied status is offered by Veracode, creator of the world's leading Application Risk Management Platform.

The enterprise market is looking to LaunchKey to become the authentication tool of choice, and it's our mission to kill passwords, evolve user authentication, and create an anonymous and secure online experience through our application. The VerAfied mark further demonstrates our commitment to developing secure applications for individuals, developers and enterprise partners alike.

Here's what Veracode had to say about LaunchKey:

"We are finding that CIOs and CSOs are asking their purchasing teams to take security into consideration when procuring new applications. For this reason, it is important that software vendors find a way to demonstrate their software is built using secure development practices," said Chris Wysopal, co-founder and CTO of Veracode. "The VerAfied mark tells the world that LaunchKey is testing for application vulnerabilities and complying with industry standards. But, more importantly, it lets their customers know LaunchKey is a vendor they can trust to keep their data secure."

Killing Passwords with Anonymous Authentication

Posted 2013-09-09 by Geoff

At LaunchKey, "killing passwords" has always been one of our primary objectives in evolving user authentication. Passwords are not only an epic hassle to use, they're inherently weak as a factor of authentication. They're also prone to misuse by not just the end user (e.g. overly simple passwords, reusing passwords, sharing passwords, etc.), but also the developer (weak or absent hashing, incorrect storage, database injection vulnerabilities, etc.). While password-related breaches become daily news stories, we've made it our mission to empower users to securely and privately authenticate.

One of our primary distinguishing features is that authentication with LaunchKey is anonymous. That's right, unlike identity management services, no personally identifying information is collected or used. Authenticating an individual without knowing anything personal about them may seem a bit counterintuitive, but if you've ever used a key to unlock a door, you've authenticated anonymously (assuming you don't inscribe your name and address on your keys). Keys, and other physical objects we retain possession of, make great factors of authentication -- after all, this is why you still use keys today -- but by utilizing smartphones and tablets, LaunchKey adds a suite of multi-factor security options featuring all three factors of authentication: inherence (geofencing), knowledge (combo lock, PIN lock), and possession (Bluetooth device factor).

In the corporate world security breaches and cyber attacks cost companies upwards of hundreds of millions of dollars and jeopardize the personal and confidential information of people like you and me. Our authentication platform can better protect company files, applications, websites and network infrastructure, meaning LaunchKey can potentially save a business big money while ensuring customer data is secure and stays private.

Our technology is already getting kudos from the technology and VC world, and it's pretty exciting.

"LaunchKey's technology will shift the way personal and corporate data are protected and secured and how proprietary information is accessed," said Zach Ware, CEO of Project 100 and partner at VegasTechFund. "As logins and passwords quickly become obsolete, tools like LaunchKey will become the secure de facto solution for user authentication."

As a reminder, the LaunchKey app is already available in Google Play and the Apple App Store, and our RESTful API is now in public beta with a variety of web and mobile SDKs.

Infographic: A Password-Free Future

Posted 2013-07-31 by Geoff

When looking at the future of authentication, it's important to understand that password-based authentication will not -- and cannot -- be our primary means of logging in online or elsewhere. In fact, the inevitability of our progression beyond passwords is rooted in their inherent insecurity. So we thought it would be fun to make an infographic breaking down some of this inherent insecurity with a look at the damage our reliance on this insecure method of authentication has caused. Spoiler, the solution is LaunchKey.

Infographic

WordPress and LaunchKey: Kill Passwords on Your Blog or Website

Posted 2013-07-29 by Devin

Last week, LaunchKey released a free plugin for WordPress that allows users to log in without a password. By leveraging LaunchKey's OAuth service for quick and easy integration, the plugin will enable password-less log in for WordPress admins and users in a matter of minutes. Additionally, after pairing their LaunchKey account with their WordPress account, users can remove their WordPress account passwords to eliminate the security risk those passwords carry. For more information, check out our WordPress documentation for an easy installation guide.

Thank you to our early adopters for your feedback and to #VegasTech company 9seeds for assisting with their WP expertise. We’re in beta and would love your feedback. If you have any comments, questions or problems, please contact us at support@launchkey.com.

Finally, I thought I’d share some early feedback about the plugin: (we would love to see more!)

LaunchKey Privacy

Posted 2013-07-25 by Yo

At LaunchKey, we care a lot about privacy. This is something you've probably heard from every company right after they tell you how they've just updated their 40-page privacy policy to help protect you and your rights. Many of these same companies force users to log into their services using Facebook or LinkedIn, often in an effort to scrape personally identifying information. All the while, they are tracking every action you make on their site and affiliated sites in order to more effectively market towards you.

I'd like to explain exactly how we maintain your privacy at LaunchKey and how we go above and beyond to protect you. Let me start by alleviating any potential confusion: LaunchKey is not an identity service, we're an authentication service. We'll never ask for or store your personal information.

If you're already a LaunchKey user, you may recall providing your email address when initially pairing your device. We send a confirmation email to this address in order to establish a baseline identity that provides a safe avenue for you to unpair or link new devices to your LaunchKey account with an external validator you own. Since your email address isn't used outside of these circumstances, there's no reason for LaunchKey to keep your email address in a format where it could be misused. After all, an email address is personal information and that's not what we're after. As such, we one-way hash all email addresses so even we don't know what it is. This is one of the reasons why you need to re-enter your email address when unpairing a device. Without doing so, we wouldn't know where to send the email.

So what information about you does an application receive when you authenticate with LaunchKey? We provide a value that is unique to both you and the application. This means that if you were to authenticate two separate applications owned by the same company, they would have two separate values for you that can't be connected to the other. These values are static and will not change, even if your LaunchKey username changes. This is good because it means when using LaunchKey, you won't need to worry about networks linking your accounts together when they collude or share personal information. Since this value is generated on-the-fly when you authenticate, LaunchKey doesn't know or store this value. This means if someone were to come to us with your unique value, we'd have no way of pulling any data related to you since that unique data can't be used to reference a LaunchKey user.

We do not log IP addresses, location data or intrusive metadata on our users. The only data we store relating to our users is high-level scope data such as how many users are using our service or the total number of paired devices. It's to the benefit of LaunchKey and our users to minimize the amount of user data we hold, thereby decreasing the liability that retaining such data creates.

Most of the action happens on your device. When you install the LaunchKey app on your device, an RSA key pair and random ID are generated. The public key, which is used to encrypt the data, is sent to LaunchKey along with the identifier used to associate your device, which is also one-way hashed. Although unique, these values don't identify hardware and are associated with the install of the LaunchKey app on that device. When your device receives an authentication request from an app, the app's public key is used to encrypt the response. Only the app you're authorizing can decrypt this response, meaning even LaunchKey staff can't decipher responses or forge responses as users. Therefore, when we notify you that an application is in Orbit or a transaction is successful, it's because the application tells us that's the case. This ensures that what's listed in your Orbit verifiably happened as alleged by the application itself and not because it's the expected state after sending the application your response to their authorization request.

LaunchKey also provides multiple opt-in authentication factors such as the in-app PIN lock, combo lock, and geofencing that empowers a user to control how secure they wish to be. These factors are activated and verified locally on the device with LaunchKey systems taking no part. Information like geo-data is sensitive and private and doesn't belong anywhere except in your hands.

For those with privacy concerns, I hope this post alleviates them, and for everyone in general, I hope I've expanded your view of what it means for a company to take its users' privacy seriously. We take every measure we can to ensure your security and anonymity. If you have any questions, comments, concerns or suggestions on how we can further improve our privacy policies, please don't hesitate to contact us.

Thanks for reading!
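The two privacy properties described in this post, sketched as an added example that is not LaunchKey's code: an e-mail address kept only as a one-way hash and checked when the user re-enters it, and an identifier that differs for every application. The post does not say how either is constructed, so the salted PBKDF2 hash, the HMAC derivation, the per-user secret and all names are assumptions.

```python
"""Added example: hashed e-mail verification and per-application identifiers.
Hypothetical names and constructions; the post does not describe LaunchKey's own."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# E-mail addresses are guessable, so a fast unsalted hash could be reversed by
# enumeration. Assumption: a per-account salt and a slow hash are used instead.
PBKDF2_ROUNDS = 200_000


def _normalize(email: str) -> bytes:
    return email.strip().lower().encode("utf-8")


def hash_email(email: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); only these two values are kept for the account."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _normalize(email), salt, PBKDF2_ROUNDS)
    return salt, digest


def email_matches(candidate: str, salt: bytes, stored_digest: bytes) -> bool:
    _, digest = hash_email(candidate, salt)
    return hmac.compare_digest(digest, stored_digest)  # constant-time compare


def confirmation_recipient(entered: str, salt: bytes,
                           stored_digest: bytes) -> Optional[str]:
    """Unpair flow: the address typed by the user is the only copy available,
    so the mail goes to it if, and only if, it matches the stored hash."""
    return entered.strip() if email_matches(entered, salt, stored_digest) else None


def pairwise_id(user_secret: bytes, app_id: str) -> str:
    """Identifier unique to one (user, application) pair.

    Assumption: user_secret is a random per-user value that never changes and
    is independent of the username, so renaming the account keeps the ID stable.
    Without the secret, IDs issued to two applications cannot be linked.
    """
    msg = b"pairwise-id\x00" + app_id.encode("utf-8")
    return hmac.new(user_secret, msg, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    # Constructed sample data.
    salt, digest = hash_email("Alice@Example.com")
    print(confirmation_recipient("alice@example.com", salt, digest))    # match
    print(confirmation_recipient("mallory@example.com", salt, digest))  # None

    secret = os.urandom(32)
    print(pairwise_id(secret, "blog.example"))
    print(pairwise_id(secret, "shop.example"))  # unrelated-looking value
```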

Public Beta Launch

Posted 2013-07-01 by Geoff

Let the countdown to the end of passwords begin. After two months of testing with our private beta testers, LaunchKey has officially moved from private beta to public beta as of 2pm PDT today. All pending developer apps have been activated and we welcome new developers to begin beta testing LaunchKey within their own projects. Additionally, we've updated the iOS and Android mobile apps with our latest authentication factor, geofencing, available for free from the Apple App Store and Google Play. If you were beta testing with a previous version of the app, please manually remove the app and install the latest version.

While beta testing, please take note of any bugs, errors or other unexpected behavior you experience with the LaunchKey API or mobile apps and report them to support@launchkey.com. If you're a security researcher, we invite you to take part in our white hat bug bounty program and responsibly disclose any vulnerabilities you find.

This beta launch is just the beginning: In the coming days and weeks, we'll be releasing more SDKs in JavaScript, Ruby, iOS and others as well as WordPress and Drupal plugins, support for OpenID, and updates to our product and services based on your feedback. We'll also be announcing some new features and partnerships along the way.

The road to a password-free world is a long and winding one, but it's an inevitability we all must pursue. Fortunately, with the beta release of LaunchKey today, that road is now paved and the keys are in your hands.

Announcing Private Beta

Posted 2013-05-01 by Devin

LaunchKey is pleased to announce that we are entering our Private Beta. During the month of May we will begin working with external entities to implement the LaunchKey API and OAuth service. LaunchKey will be seeking to enhance our systems and applications based on feedback while this Private Beta takes place. If you have previously requested access, you can anticipate a message from our team soon.

To learn more about our Private Beta or if you are interested in participating, please contact support@launchkey.com and be sure to visit launchkey.com.
