Questions and Answers

What is this program?

This software allows your phone to securely type on your other devices. This is great for unlocking password managers. Some users might also consider purchasing a hardware dongle (e.g. in order type passwords for disk encryption).

What happens when I scan the QR code (or tap the NFC)?

In general, similar to Bluetooth pairing, when you scan the QR code on the device with your phone, you are authorizing your phone (and only your phone) to send instructions to your device. More specifically, this QR code contains a unique identity that this program will use for its lifetime. Your phone has also generated such an identity of its own. Upon scanning, these two identities are registered as being authorized to send messages to each other. This registered pair information is stored on our server. The security lies in the fact that the QR code also contained a secret code which remains solely on your own devices. This way, the server does not understand the messages, nor can it send its own messages, they are rejected by your devices if they do not decrypt with the expected secret.

How is it secure?

What if you're hacked?

TLDR; The hackers would be unable to do anything other than disrupt service.

No server can be perfectly secure. If our signaling server is hacked (this is the server that enables your phone to see this device over the internet in order to establish the peer-to-peer connection reliably through firewalls), this has no effect other than loss of service while we fix the disruption. I will explain how by describing more of the architecture: When you scan the QR code, a special secret is stored on your phone. Only the desktop program (which generated the QR) and your phone (which read the QR) know this secret. The phone (or the hacker pretending to be the phone, or the hacker that took over the server) cannot read these messages without knowing the secret, which has never left your device. Compromising the server does not reveal this secret, the server is merely a dumb switchboard. The only way to get the secret is to compromise your phone's storage or your desktop's storage. The server does not have any important data, it is merely the matchmaker or centralized faclitator such that the two devices can find each other to have their intended conversation.