Latch is an online security service based on door latches: even if you lose the key to your house, no one can get in if there is a latch on the door.
One of the most widely discussed issues these days on the web is Heartbleed, the serious security hole in the OpenSSL library. This is the certificate that ensures that the information that we send through secure websites cannot be viewed by third parties. It runs on 66% of all web servers. The hole, which exposes all of this data, including user names and passwords, was discovered by Codenomicon, a Finnish information security group.
And the worst of it is that there’s very little that users can do, beyond not accessing the services that may have been attacked (the full list is quite disheartening). In this case, the ball is in the court of the companies whose security has potentially been damaged, and the access keys of their users exposed.
This is where Latch comes in. This is a service from Eleven Paths that works like a digital door latch. Even if someone gets your keys, they can’t get in if you leave the front door latched. This is the same concept that Latch applies to security on the internet: you can connect and disconnect your online services using an application on your smartphone, so that even if someone discovers your passwords, they won’t be able to access the services if you’ve deactivated the starting of new sessions. You’ll even get an alert informing you that someone has tried to enter the service with the correct password.
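The login decision described above can be sketched as follows. This is an added example, not Eleven Paths' code and not the Latch API: the account, the in-memory latch state, the alert list and the function names are all hypothetical.

```python
import hashlib
import hmac
import os

# Constructed sample data for the sketch (not the Latch API).
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

SALT = os.urandom(16)
USERS = {"editor": {"salt": SALT, "pw_hash": hash_password("correct horse", SALT)}}
LATCH_OPEN = {"editor": False}  # hypothetical per-account latch, closed by default
ALERTS = []                     # stands in for the alert sent to the owner's phone


def set_latch(user: str, is_open: bool) -> None:
    """What the account owner does from the smartphone app."""
    LATCH_OPEN[user] = is_open


def login(user: str, password: str) -> bool:
    """Start a new session only if the password is right AND the latch is open."""
    record = USERS.get(user)
    if record is None:
        return False
    candidate = hash_password(password, record["salt"])
    if not hmac.compare_digest(candidate, record["pw_hash"]):
        return False  # wrong password: nothing to report to the owner
    if not LATCH_OPEN.get(user, False):  # unknown latch state counts as closed
        # Correct password, latch closed: refuse the session and alert the owner.
        ALERTS.append(f"correct password used for '{user}' while latched")
        return False  # design choice here: same answer as a wrong password
    return True


if __name__ == "__main__":
    print(login("editor", "correct horse"), ALERTS)  # latched: refused, one alert
    set_latch("editor", True)
    print(login("editor", "correct horse"))          # unlatched: session starts
```

The check runs only when a new session is started, which matches the behaviour the article describes; sessions that are already open are outside this sketch.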
Latch is completely anonymous; to register, you just need an email account. You then pair your username with the different digital services that are supported (email accounts, bank accounts, social networks, etc.), and you’re ready to start using Latch. Every time you want to enter one of these services, you deactivate your protection in Latch. When you’re done, you reactivate it. If you don’t use Latch, this is what an attacker has to do to access one of your accounts:
- Know the password to the service.
That’s it. But, on the other hand, if you use Latch, in order for someone to access your accounts, they’ll have to fulfil the following conditions:
- Know the password to the service.
- Have physical access to your smartphone.
- Know the PIN, password or pattern for unlocking your phone if you use one.
- Know your Latch password.
At Think Big we decided to implement Latch shortly after it was launched at the end of last year. Thanks to it, even if the security of an editor or administrator of our website is compromised because their password to access the control panel is exposed, it won’t be enough for a potential attacker. The password alone isn’t enough to enter. The attacker would also have to open the latch, which is closed from the inside, and that is impossible from the outside. That’s exactly what Latch proposes. This means that the Heartbleed security hole would hardly have been a problem using Latch. Not one bit, in fact.