
mSecure Support

Planned

2FA or YubiKey support

Hi,


First of all, I'm very happy with the product and have been for quite a while. I was wondering if any support for 2FA will be added in the near future? Specifically YubiKey as an extra layer on top of your master password.


thanks

Rob


4 people like this idea

I use Apple products exclusively at present. But I don't use Face ID or other biometrics. Hence would need YubiKey support to be an added factor, or at least selectable as added or replacing another factor.

I mostly would like to see it supported to strengthen credentials for financial and confidential information.

Thank you for the added feedback so far everyone!


This may be obvious, but there is one thing to mention in response to @Burt's post. YubiKey support for mSecure would not actually provide a greater level of protection for your financial information. It would only provide greater protection for the data stored in mSecure, but that data is only a record of the credentials used for your actual accounts. For example, if you have a weak password being used for one of your bank accounts (which is probably unlikely, I know), then YubiKey support for mSecure won't help protect your bank account from being hacked. It would only help the weak credentials stored in mSecure from being discovered. To actually make those weak credentials stronger, you could use YubiKey directly on the bank account if it was supported by the bank's website. Of course, the most secure thing to do would be to make sure the password on the account was very strong, add YubiKey as a second factor of authentication for the bank account itself, then store the credentials in mSecure. At that point, YubiKey support for mSecure would make a difference but only marginally, since even if a thief had access to your bank's credentials through your mSecure app, they still wouldn't be able to get into your bank account without your YubiKey.


So far as I can see, the most important use case for providing protection to your online accounts with YubiKey support in mSecure is as follows. You make sure to have a very strong password set for your bank account that doesn't have direct YubiKey or 2-factor support. Then you store your bank's credentials in mSecure. At that point, the only way to get to your bank account is through either some type of brute force attack directly on the site which is highly unlikely to succeed, or to find the credentials in your password manager. If the password manager is secured with a strong password, it's already next to impossible to get access to the app. However, with a YubiKey, you could have a more memorable password to unlock mSecure, but it would still be safe, because the app can't be opened without your YubiKey.


There's something very important to remember though. For mSecure, the data is protected by an incredibly strong key called your Account Key, which is a randomly generated key. That protects your data stored in any cloud service from being compromised. Locally on your device, however, the security is a bit different. While the same key is used to protect your information, that key is encrypted with your account's password. So if you were to use a weaker password to unlock mSecure thinking that the YubiKey keeps you safe, that's only half correct. It would keep you safe from thieves getting access to your mSecure app, but it would make the data stored locally less secure. In the end, it is always best to have a very strong password set for EVERY access point to your sensitive information. That means a strong password for each online account, 2-factor authentication set directly on each account, and a strong password set for your mSecure account. If any of those passwords are made weaker for the sake of convenience, the security for your accounts is also weakened.
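The local key wrapping described in the reply above, as an added example that is not mSecure's code: PBKDF2 and an XOR-plus-HMAC wrap stand in for whatever KDF and cipher the app actually uses, and every function name and sample value is hypothetical. It shows that a copy of the wrapped key opens with the password alone, so a gate placed in front of the app's unlock screen does not change how strong that password needs to be.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets

ITERATIONS = 50_000  # assumed work factor; the page does not state mSecure's KDF


def _derive(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the password into an encryption key and a MAC key (32 bytes each)."""
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def wrap_account_key(account_key: bytes, password: str) -> dict:
    """Encrypt a 32-byte random key under the password; this blob is what sits on disk."""
    if len(account_key) != 32:
        raise ValueError("account key must be 32 bytes")
    salt = secrets.token_bytes(16)  # fresh salt, so the derived pad is used only once
    enc_key, mac_key = _derive(password, salt)
    ct = bytes(a ^ b for a, b in zip(account_key, enc_key))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}


def unwrap_account_key(blob: dict, password: str) -> bytes | None:
    """Return the account key, or None if the password is wrong or the blob was altered.
    Note that no hardware key is involved anywhere on this path."""
    enc_key, mac_key = _derive(password, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["ct"], enc_key))


def first_match(blob: dict, candidates: list[str]) -> str | None:
    """Audit helper: which candidate password, if any, opens a copy of the blob."""
    return next((p for p in candidates if unwrap_account_key(blob, p) is not None), None)


# Constructed sample values, not real credentials.
COMMON = ["123456", "password", "summer2023", "letmein"]
account_key = secrets.token_bytes(32)
weak_blob = wrap_account_key(account_key, "summer2023")
strong_blob = wrap_account_key(account_key, secrets.token_urlsafe(18))
```
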

I can appreciate the technicalities involved with integrating a hardware key. After considering my need for it, I’ve boiled it down to a couple of reasons. I use random eighteen character passwords for everything, including mSecure. I change the mSecure password regularly, so unless I memorize it, I have to save it (ironically) in the app and use Face ID on my phone to look it up for use on a PC, Mac, etc. Sounds kind of silly and insecure. A hardware key would fix that annoyance and plug that hole. Also ironically, passwords are slowly being phased out. Hardware keys may or may not be the answer. Time will tell. For now, keys seem the best way to go and the most secure way to access passwords, etc. on many devices while they continue to be used. Fortunately for both of us, passwords aren’t going bye bye anytime soon and mSecure has a lot more utility than a password manager. That’s why I prefer it. Hiding all those data behind a key would make me feel as secure as current technology will allow.
