Thank you for contacting us and I'm sorry about the issue you're experiencing. mSecure 5 is a brand new app, and mSecure 5 is the first and only version of mSecure to use an account system. Please create an mSecure account to get started in mSecure 5.
I have just downloaded your new software and cannot log on. Says that I entered the incorrect password and login name. I am 99% sure that what I am entering is correct but can only check when I log in to mSecure!!! Quite a challenge - any suggestions?
Cannot log on to new version of software - says invalid password or logon name. 99% sure they are correct but can only check when I log on to mSecure!!! Any suggestions?
mSecure's new account system means that my local app and my online account use the same password for access. While that might be nice for some apps, for a password manager this represents a surprising level of potential risk ranging anywhere from implications of outages to fears associated with data breach events at mSecure. Am I the only person who thinks this is dangerous?
We understand the potential dangers of using an account system. Because of that, we never store any account passwords in our system (hashes and salts are used, bcrypt to be exact), and we've introduced a second layer of protection when we introduced our account system. With our system, the account login password is not what encrypts your data. Instead, that honor/privilege is carried out by a random 46-character account password generated on your device when you first sign in to mSecure 5. We never store this account key in any way, ensuring that neither we nor anyone else can ever decrypt any information stored in our mSecure Cloud, iCloud, Dropbox, or even WiFi syncing.
It's also very important to note that we do not store any personal information encrypted or otherwise, unless you set up our mSecure Cloud syncing feature. However, whichever syncing feature you select, we always store your information locally on your device and only encrypt/decrypt the information locally on your device. That means that the information is also encrypted on its way out and back in. You can learn more about our security model here: https://www.msecure.com/security
Your account is set to use WiFi syncing so we will never store any of your information and the account password is only used to unlock the app on your devices. When first signing in to your mSecure account in mSecure 5 on other devices, you'll need your account credentials along with your account key. However, we have simplified the process by storing your encrypted account key on iCloud Drive when using iOS or Mac devices and mSecure 5 will first try to authenticate your account using that file.
Note that although I see that you've set up WiFi syncing, I also see that you haven't signed in to your account on a Mac or Windows computer. Please make sure to use mSecure 5 on a Mac or Windows computer if you'd like to use our WiFi syncing feature. WiFi syncing requires the Mac or Windows version of mSecure 5 to work.
You can download mSecure 5 here:
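The two-layer model described in the support reply above, as an added sketch that is not part of the thread and not mSecure's code: the server keeps only a salted hash of the login password, while a separate random 46-character key generated on the device protects the data. Assumptions: PBKDF2 stands in for bcrypt (which is not in the Python standard library), a hash-based stream with HMAC stands in for a real authenticated cipher, and all function names are hypothetical.

```python
import hashlib, hmac, secrets, string

def new_account_key(length=46):
    """Random account key generated on the device; never sent to the server."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def login_verifier(password, salt):
    # Stand-in for bcrypt: a salted, deliberately slow password hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _keys(secret, salt):
    # Derive separate encryption and MAC keys from the account key.
    okm = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000, dklen=64)
    return okm[:32], okm[32:]

def _stream(key, nonce, n):
    # Illustrative keystream only; a real design would use an AEAD cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]

def seal(account_key, plaintext):
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc, mac = _keys(account_key, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag

def open_sealed(secret, blob):
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc, mac = _keys(secret, salt)
    expected = hmac.new(mac, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _stream(enc, nonce, len(ct))))

def demo():
    password = "constructed-login-password"       # constructed sample value
    salt = secrets.token_bytes(16)
    server_record = {"salt": salt, "hash": login_verifier(password, salt)}
    account_key = new_account_key()
    blob = seal(account_key, b"constructed vault record")
    try:  # the login password alone must not open the synced blob
        open_sealed(password, blob)
        password_opens = True
    except ValueError:
        password_opens = False
    login_ok = hmac.compare_digest(server_record["hash"], login_verifier(password, salt))
    return login_ok, password_opens, open_sealed(account_key, blob)
```

`demo()` shows the property the reply claims: whoever holds the salt, the hash and the synced blob, or even the login password itself, still cannot decrypt without the device-generated account key.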
First, I want to thank you for your quick reply on a weekend -- it shows a true dedication to customer success! I appreciate your explanation regarding encryption and that you use hashes and salts. I will point out that when I changed my password in the app I did receive an email with a new account password QR code email.
It's important to note that this model still leaves the user vulnerable in that should an attacker manage to gain a user's account password (by whatever means), the attacker could change that password on mSecure's side and essentially lock the user out of their own local password databases. While it (thankfully) doesn't expose the user's actual passwords in the case of WiFi sync, it still carries greater risk (denial of local service) than previous versions of mSecure did.
The fact that you can see that I've set up WiFi sync is also somewhat concerning, even more so since I actually had logged into the mSecure 5 app on a computer prior to posting, so I am somewhat confused - are settings being synchronized / stored in the cloud as well?
We use an account system for our licensing mostly and to provide our own mSecure Cloud syncing feature. We store basic account information (paid info, and some account settings) to help in the app itself and for support. I incorrectly saw that you were signed in to mSecure 5 for iOS earlier. I now see that you are signed in to mSecure 5 for Mac instead. I'm sorry about.
You are correct, if a user gets ahold of your account password, somehow, they could unlock the app locally on your device. However, that would also require that they have gained access to your device as well. We cannot protect a user in the case that they have fully exposed their system to software or users. The previous versions of mSecure have this issue as well, as do almost all apps locally on your device(s). In the case that a malicious actor gained access to your mSecure account credentials or mSecure 5 on a device, we highly recommend resetting your account. After an account reset, mSecure 5 on the first device you use after the reset will create new account keys and you would have completely new account credentials (beyond the account email address).
Note: we are looking into providing device management abilities soon. We currently do send you a new sign in notification email any time your account is signed into and authenticated. In the future, we plan on having the ability to remove device access and even provide additional two factor authentication.
Again, I appreciate your responsiveness over a holiday weekend, but I think you have misunderstood the concern. I am actually describing the reverse scenario of what you have responded to. If an attacker gained the account password and logged into the mSecure password reset page (https://www.msecure.com/request_password_start/) they could theoretically lock out or destroy the local password database on the user's local system due to this account system (though I recognize they would also need access to the user's email account).
FWIW, I just logged into my account on mSecure.com (https://www.msecure.com/thank-you-purchased/) and have received no email notification of such login. Can you confirm there is no way to change my password (as opposed to reset) via the web? I'm sure there is value in adding device management (MDM) functionality in a password manager, but I'm not sure I see the point in removing a device's access if it's already been breached (unless it auto destructs as a result, but that only reinforces my above concerns). Ideally it would be great to have an option for a non-account sync model like in previous iterations. I understand the value to customers of the account model but I proudly paid for mSecure on each platform I used it on (primarily for its unique offline / wifi sync model), and would gladly do so again if needed to retain such functionality.
Equally concerning, if there were to be a breach, data loss, outage, or other system failures at mSeven, what would happen to (all) user local systems if mSeven were to somehow lose those hashes? Would all mSecure customers be locked out of their local applications?
With that said, has mSecure 3.5.7 been tested on MacOS Mojave? Will there be any issues if I upgrade and continue to use the previous version in the new OS?
I'm sorry about the delay in my response. The only ability you have available on our main website (https://www.msecure.com) is the ability to purchase an mSecure 5 license and start the account reset process. That is it. We do not provide a notification for a new login when using our main website because the email notification will only be sent out when you log in and authenticate your account. There is no authentication process in our website because a user has very limited abilities on our website. There is no way to change an account password on our website.
Everything is stored locally on a user's devices. If there was a service outage, you would not lose access to any information. It would all still be available locally on your devices. However, syncing would not work if our servers are not available. Yes, mSecure 3.5.7 has been tested with Mojave and works fine. There will be no issues with using the previous version with Mojave. I'm not sure about the next major macOS version though. It should continue to work with whatever comes next, but I cannot promise that it will and we are likely not going to update the older version to be compatible with the next major OS release.
Thank you for contacting us and I'm sorry about the issue you are experiencing. I'm not sure I understand. It sounds like you are using mSecure 5 on your iPhone and are able to unlock the app on that device. Where are you unable to sign in to your mSecure account in mSecure 5, or where are you unable to unlock the app?