Chat support available. Click the chat icon on the bottom right corner to start chatting with us right away!

Soporte mSecure

Major security gap - your phone PIN alone can unlock your MSecure database

Like most people I consider my MSecure database to merit a higher level of security than my phone. While my phone is always locked, the MSecure database is a vault within a vault.

Because a phone PIN or pattern can be observed in many situations (and these days you're highly likely to have entered it at least once while you're in range of a CCTV) my MSecure database requires something more.

I do have Fingerprint ID as an option for logging into my MSecure database. Many apps (Bank of America, 1Password) that allow fingerprint ID have a special feature wherein when there's any new fingerprint added, fingerprints will no longer unlock the database UNTIL the master password is entered and fingerprints are re-enabled. Today I learned that MSecure does not have that same restriction.

As a result, someone who observed my PIN (or to whom I voluntarily gave my PIN) no longer only has access to my phone. They can now go into the Fingerprint ID settings, add one of their own fingerprints, and immediately log into my MSecure database.

This means that if you use Fingerprint ID on your MSecure database, then whatever locks your phone is all someone needs to gain full access to your MSecure database. Until this is fixed anyone whose PIN is known to others and who uses FingerprintID for their MSecure database should consider their MSecure database as being shared as well.

I captured the screens from B of A and 1Password here: showing how their fingerprint login works after any changes to the enrolled fingerprints.

I am using MSecure for Android version

Hi Jason,

Thank you for bringing this to our attention. While we do not believe that this means that customers using fingerprint access with mSecure 5 on Android have had their information compromised, specially since most customers using fingerprint to unlock mSecure 5 also use their fingerprint to unlock their device, we do understand how this is less than ideal. We will be addressing this issue in our next update and make sure to require a customer's mSecure account password after the fingerprint settings for a device have changed.

Unless I'm mistaken there is NO such thing as fingerprint-only access to an Android device. You ALWAYS have to have a backup PIN code and that backup PIN code whether you use it or not. I'd agree with you that the majority of the time someone would be using their fingerprint to unlock the phone, but I was thinking of any of the following scenarios:

  • many of my clients to whom I've recommended MSecure will allow their kids or other family members to know their PIN so they can play games, watch videos, etc. They wouldn't necessarily give those same people access to everything in their MSecure database, but in this case they have effectively done so.
  • People might give their IT person their phone PIN for the purposes of fixing something on the phone, but in doing so would not expect that IT person would have full access to their entire MSecure database
  • any time the phone power cycles or has been off a certain amount of time a PIN will be required to access the device
  • in cold weather (gloves) or when my phone is mounted to a stand or my bike I often use a PIN rather than fingerprint since I can't easily swipe
I'm glad that it will be fixed and I appreciate you addressing it publicly like this. I agree that the less you use your PIN to access the phone the less likely a stranger is to observe it but there remains a significant gap between trusting someone with access to my phone versus trusting them with access to my MSecure database. It happens that the only person I give my phone PIN to I *also* trust with my MSecure database but there are plenty of teenagers I know who barely merit one of those levels of trust.

Can you confirm that this does not apply to Apple products? It appears that mSecure5 does force the use of a password if any touch ID change is made on an iPhone.

Hi Andy,

Yes, any changes to Touch ID on iOS will result in having to enter your mSecure account password in order to unlock the app. You'll have to set up Touch ID in our settings afterwards.

Iniciar sesión o Registrarse para publicar un comentario