Frequently Asked Questions
Everyone
Developers
I already use an authenticator app, why should I use Krypton?
The simple answer is that you'll be able to login faster. No more typing 6-digit codes
or even reaching for your phone. Krypton securely takes care of providing your second factor.
Beyond convenience, you'll be immune to phishing. You don't have to worry that you're typing the code into the right website -- Krypton takes care of this for you under the hood. Krypton implements FIDO U2F to prevent phishing.
Beyond convenience, you'll be immune to phishing. You don't have to worry that you're typing the code into the right website -- Krypton takes care of this for you under the hood. Krypton implements FIDO U2F to prevent phishing.
What sites do you support?
Krypton supports any site that supports U2F security keys. Popular supporting sites are Google, Facebook, Dropbox, and Twitter. Find more here.
Want help adding U2F to your product or deeper Krypton integrations? Reach out to us at [email protected].
Want help adding U2F to your product or deeper Krypton integrations? Reach out to us at [email protected].
What browsers do you support?
What phones do you support?
Krypton U2F support is available for iOS (10.0+) and Android (6.0+).
Is "zero touch" secure? How is it a second factor if it approves automatically?
Yes, zero touch is safe. The security behind Krypton is established when you pair Krypton with your browser (via the extension) by scanning the QR code. This ensures that only your specific browser will be able to talk to Krypton. Krypton and your browser establish a secure cryptographic channel using keys that only your phone and computer have. There is NO trusted third-party.
Two-factor is simply a way to defend against compromised passwords. If someone knows your password and attempts to login then they'll be hit with a second-factor challenge. Since this attacker is remote and doesn't have access to your browser they won't be able to talk to Krypton.
Two-factor is simply a way to defend against compromised passwords. If someone knows your password and attempts to login then they'll be hit with a second-factor challenge. Since this attacker is remote and doesn't have access to your browser they won't be able to talk to Krypton.
What if a hacker gets access to my computer/browser?
If someone malicious gets access to your computer or browser, they can do a lot of bad stuff like install a program to wait until you login to a site and then steal that browser session. No authentication mechanism can really prevent against this type of hacker.
Still want "user presence" verification?
Krypton also supports "one touch" logins.
For enhanced security, you can turn on "one touch login" in Krypton. Go to Settings (the gear icon on the top left) > Toggle the "Ask me every-time" switch.
Still want "user presence" verification?
Krypton also supports "one touch" logins.
For enhanced security, you can turn on "one touch login" in Krypton. Go to Settings (the gear icon on the top left) > Toggle the "Ask me every-time" switch.
Why is "zero touch" on by default?
Our mission is to help everyone be more secure on the web, including less technical people who don't understand or care about the differences between two-factor, U2F, or web authentication. Most second factor authentications are still done using SMS. They are not phishing proof, they are easy to compromise, and their UX is still pretty inconvenient.
Krypton's value for most people is that it's a simple "zero touch" way to do two-factor authentication. Our hope is that because it's easier and a good experience, more people will adopt the technology that actually makes them more secure (U2F's phishing protections now and FIDO2/WebAuthn soon.)
Krypton's value for most people is that it's a simple "zero touch" way to do two-factor authentication. Our hope is that because it's easier and a good experience, more people will adopt the technology that actually makes them more secure (U2F's phishing protections now and FIDO2/WebAuthn soon.)
How do I install Krypton?
Click here Install Krypton.
Does Krypton support developer authentication like SSH/Git commit signing?
Why yes it does! Learn more here krypt.co/devops. To use Krypton for SSH/Git, install
kr in your terminal by following the directions in the app or here.
Does krypt.co have access to my second-factor private keys?
Absolutely not. The private key is generated on your phone's secure crypto-coprocessor (iOS Secure Enclave, Android Keystore) and never leaves your device. Furthermore, there are no trusted third-parties and all of the Krypton source code is publicly published.
Can I inspect Krypton's source code?
Krypton is public source! You can find it here github.com/kryptco and compile from source.
What if I lose my phone?
Many websites require a backup two-factor authentication methods such as SMS and TOTP (authenticator 6 digit-code apps) even if you are using a U2F security key such as Krypton. For certain sites that allow U2F only (such as Google Advanced Protection), we recommend having a backup phone with separate Krypton U2F key setup or a physical hardware key that you store securely in somewhere.
We are actively building a robust account recovery service with partners to solve this problem and make U2F/WebAuthn a viable "single-factor" login system. We hope this will remove the need for these backup methods that make your account vulnerable to phishing attacks. We also see this as a major barrier to wide adoption of U2F/WebAuth/2FA so we are eager to solve this problem.
We are actively building a robust account recovery service with partners to solve this problem and make U2F/WebAuthn a viable "single-factor" login system. We hope this will remove the need for these backup methods that make your account vulnerable to phishing attacks. We also see this as a major barrier to wide adoption of U2F/WebAuth/2FA so we are eager to solve this problem.
Why the name "Krypton Core"?
Krypton is an invisible element that does not interact with other elements.
In this way, Krypton is isolated and hidden, much how one should store secret data -- like a cryptographic private key.
We named our product Krypton Core because it represents the essential properties of the element Krypton and our threat model on how to store keys securely (isolation) and great usability by making it seamless to use (invisible).
We named our product Krypton Core because it represents the essential properties of the element Krypton and our threat model on how to store keys securely (isolation) and great usability by making it seamless to use (invisible).
Why did we build Krypton Core?
Krypton Core combines the secure key storage of
a USB smart card with a familiar mobile phone interface. The
Krypton app performs SSH signatures without revealing the
private key to a paired computer. A Krypton SSH key can be
used without modifying any servers, allowing users to secure
their GitHub, AWS, and Google Cloud SSH authentication without
any changes to their infrastructure. Communication with
Krypton occurs over encrypted and signed push notifications and
Bluetooth, ensuring high availability and low latency.
Krypton also verifies and displays exactly which server
is being logged in to, unlike USB solutions that do not
have a user interface.
I use password-based authentication to connect to GitHub and my servers, why should I use Krypton?
It is well known that users reuse passwords or small variations on passwords for different services, allowing a compromise of one to cause the compromise of many. Requiring users to remember highly random passwords for every different service is unreasonable, and many passwords are brute-forceable. Finally, passwords are annoying to type every time code is pushed or you login to a server.
I keep my private key in ~/.ssh, why should I use Krypton?
Any application you run or install can silently read, use, and send off your private key without your knowledge. Krypton requires your explicit permission to use the private key and records every SSH access.
I passphrase encrypt my SSH private key, why should I use Krypton?
A passphrase-encrypted key is decrypted upon entry of
the password and given to a running SSH agent. A user-level process or malware
can use a decrypted key stored in an agent without knowledge of the user.
Furthermore, the same malware can pose as an SSH agent and direct SSH to use it
using the
SSH_AUTH_SOCK environment variable, receiving the key in plaintext
the first time it is used.
I have two-factor authentication enabled on my servers, why should I use Krypton?
Adding two-factor authentication to either password or public key authentication requires changes to every SSH server. Krypton works out of the box without any changes to a server.
In some cases, such as third-party hosted services (GitHub, Bitbucket, etc.), integrating third-party two-factor is impossible. Many solutions require users to type a 6-digit passcode for every login, and others rely on a centralized server to perform the two-factor verification.
In some cases, such as third-party hosted services (GitHub, Bitbucket, etc.), integrating third-party two-factor is impossible. Many solutions require users to type a 6-digit passcode for every login, and others rely on a centralized server to perform the two-factor verification.
I have two-factor authentication enabled on my GitHub account. Why should I use Krypton?
GitHub does not enforce two-factor authentication when you push or pull code with SSH. Using Krypton requires access to your phone to use the SSH key.
I use a smart card (NitroKey, YubiKey, etc) to store my private key securely. Why should I use Krypton?
With a smart cards you can generate and store SSH keys in a separate piece of
hardware connected via USB. While the private key might not be extractable from the
device, users now have to purchase and carry around another piece of hardware
that takes up a USB port. Configuration of the smart card occurs on the
workstation itself, which may be compromised. When you approve a
signature, the only information conveyed to you is a blinking light, meaning
you don't know what you're actually signing.
How do I install
kr on my computer?
curl https://krypt.co/kr | sh
Or install from source:
github.com/kryptco/kr.For more ways to install
kr, visit https://krypt.co/install.
Does krypt.co have access to my SSH private key?
No, the SSH private key is generated on the mobile device and never leaves. Furthermore, there are no trusted third-parties and all of the Krypton source code is published to the public. See more.
Where can I inspect the Krypton source code?
The Krypton source code for
kr, kryptonite-ios, and kryptonite-android is published at github.com/kryptco. Feel free to compile Krypton from source and run it on your phone and workstation.
How is the SSH private key stored on my phone?
Read about how Krypton stores private keys in our security documentation.
If the SSH private key never leaves my phone, how does it work?
The role of a private key in an SSH login is to sign the SSH handshake. When a signature is required, your workstation calls out to Krypton running on the paired phone with the data that must be signed. If authorized, Krypton performs the signature using the private key and returns only the signature to the workstation.
What happens if I lose my phone?
First make sure you remove the old SSH public key from any of your accounts. Once you have Krypton installed on your new phone, add the new public key to the accounts you were using SSH with before.
How does Krypton affect my SSH client?
Upon install, Krypton adds a few lines to your SSH
configuration (at ~/.ssh/config) that cause SSH to
offer your Krypton key. Your other keys will
still be presented and your Krypton key will
only be used if it has access to the service you
are connecting to.
How does my phone communicate with my computer securely?
Your phone generates a session key pair and encrypts the public key to your workstation upon pairing. All communication is encrypted and authenticated using session key pairs.
Can I backup my private key?
Backing up your private key reduces its security to the security of the backup. We do not currently support backing up or extracting your private key. In the future we may add key splitting among team members or transferring your private key directly to a new phone.
