How it Works

Vision For A Better Internet

We believe the internet would be so much more secure and a lot more fun if we get rid of passwords. We believe passwords can be eliminated right now by basing login on the individual email account.  By basing it on the email account, we simplify everyone’s life because they only need to focus on securing one account (not twenty or more!)

The Ideal Solution

Starts With A Secure Email Account:   This is easy with modern email.    Gmail, Yahoo, Outlook and many others offer secure email accounts that provide robust ant-intrusion technologies and easy to set up 2-factor authentication.  These make email accounts rock solid.

Login By Email:  Now everyone can log in with unbreakable encryption instead of a weak password.   With no password to remember, it is easy to have hundreds of online accounts and easy to access them.  Password vulnerability is no longer an issue on the internet.

The best part is it only takes two-taps to set up a new account or log into an existing one. So you can have hundreds of accounts on hundreds of websites with no worries about security and no hassles with passwords.   This is how we can end passwords on the internet. Let’s do this.

Closer Look At The Two-Tap Experience

Step #1
Sending the Digital Key

By clicking a mailto link, an email is composed.  Think of the email as you would think of JSON. Email is only acting as the transport mechanism for the encrypted key.  The email server generates and imbeds the key in the outgoing message.

Step #2
Validating the Digital Key


The authentication server receives this email and validates the encrypted key by using the public key provided in the DNS.  Each digital key is unique to each email and are either 1024 or 2048 bit encryption.

Encrypted keys are vastly superior to any password created by a person.  Passwords are like putting your wallet in your pocket. Encrypted keys are like putting your wallet in a 150 ton safe surrounded by armed guards that, in the event of an unlikely breach, the wallet would burst into flames and nothing would be accomplished by the attack.

Swoop is about making a better internet by replacing passwords with powerful encryption technologies that are effortless to use.

The Important Role Of Mailto Links

Mailtos have been part of the internet since the early 90s and they are the “trigger” that makes it possible to easily send digital keys across the internet.  A lot happens when you press the humble mailto:

  • Your default email client opens automatically,
  • The email program instantly composes a self-addressed email message with a fully-composed email that has both the subject line and message body filled out.

The mailto is great because it makes logging in with an email so easy.  All you need to do is push send and the outgoing server generates the unique digital keys and transmits the keys to the authentication server with an email envelope. Since the key is encrypted, it does not matter that email transmits in plain text.  Two touches and encrypted authentication keys are securely delivered.

Validating Digital Keys

Our authentication process is centered around the protocol called DomainKey Identified Mail (DKIM) with redundancy/2-factor provided by Sender Policy Framework (SPF).



Mailtos make it effortless to deliver keys to the authentication server, but it is the public key cryptography used in this protocol that provides the powerful authentication mechanism. The digital keys eliminate the possibility of spoofing.  The DKIM protocol governs the key creation and validation algorithms that are used by all major email senders (Gmail, Yahoo, Outlook). Here is how DKIM works:

DKIM Process


Here is an example of a DKIM Signature, the “B” tag is the actual signature.

DKIM Signature


Public key cryptography is used extensively throughout the web to secure all sorts of activities. We are just the first ones to have the digital keys delivered by email to an authentication server.   It is similar to using your Facebook account to sign in, but better because everyone has an email account and it is more private. More importantly, every online account already requires an email address as part of the account profile so the email address can be used on every account on every website right now.

Redundancy with SPF

DKIM by itself is vastly more secure than a password.  However, modern email has a second authentication protocol readily available that provides an additional level of rigor to the process. SPF provides a path-based verification process.  SPF ensures that the email message was securely transmitted from authorized server to authorized server. Here is how SPF works.

SPF Process

Swoop Compared To Social Media Sign In

Swoop is similar to using your Facebook or Twitter account to sign in.  Both are letting you use one account to sign into many other accounts. With Facebook or Twitter, you use that account to login to other sites.  With Swoop, you use your personal email account.

Email addresses 100% of your customers, social media accounts do not.  First, it’s important to realize that every online account already requires an email address as part of the account profile.  So everyone account can use their email address to log in. Second, only a portion of your customers might have a social media account and a much smaller portion are willing to use it for login.     What this all means is that the email account makes it possible completely drop the password from your site. Something that you cannot do by just offering social signin. The ideal solution is to offer both and give your customers a choice, but be careful not to offer too many or you will make your login page look like a Nascar with 20 different logos on it!

Swoop offers the complete solution to passwords with passwordless authentication.