First of all I'm very happy with the product and have been for quite a while. I was wondering if any support for 2FA will be added in the near future? Specifically YubiKey as an extra layer on top of your master password.
Thank you for the feedback Pamalam. I never thought of using the Apple Watch for some type of MFA, so we'll have to look into whether that would work or not. For some, if it's possible, that may be all they would want for extra security. Regarding push and SMS methods, we plan on using Authy since it is more flexible and easier to manage for the user. The Google authenticator makes it difficult to move to other devices and nearly impossible, if not actually impossible, to restore or sync MFA keys. For some, that's a good representation of security, but for most it goes too far and is difficult to use.
Long time user first time "caller".... I too would like to add a YubiKey to my security suite. I haven't updated my desktop copies of mSecure because entering a long password every time I want to use it on my desktop is a pain. Instead I've begun allowing Apple Keychain to manage some passwords, and this has left me with a weaker security arrangement. While I trust the iPhone and iPad's security, I think the requirement of a non-digital act, i.e., touching the Yubikey to the phone or tapping its sensor, should present a serious deterrent to remote mischief by hackers. It's at least marginally less hassle than receiving a text or some other phone-based method, and more secure as well. I urge you to implement it in a comprehensive way.
- If you think that users might find YubiKey, or any type of MFA/2FA, annoying if implemented as a global requirement in order to access any password in mSecure, then perhaps being able to turn it on and off for each password would be sensible.
- Such a system would allow users to switch on YubiKey for banking, work, stock accounts, and wallet apps and not have it active for less consequential passwords.
Finally, I think that secure Password protection is an essential element for users these days, but it is still not anywhere near universal among us. I hope, since you hinted at changing your pricing structure that you will not go to a subscription system, but instead remain a one time purchase product, or perhaps offer a choice of payment methods and remain competitively priced.
Thank you very much for your feedback Jonathan. We do have 2FA support on our radar, and we plan to implement it in future releases of v6. It won't be implemented for 6.0, but we plan for it to be a significant feature to be added in a 6.x release.
This is a game changer for me, no 2FA with Yubi and it's 7/22/21? I bought the iPhone and Mac versions (very pricy btw) many years ago, use the apps everyday but now I'm divorcing you for another more secure solution.
I will use and buy mSecure, but without 2FA support the app is useless, please implement this as soon as possible else nobody wants / can't use mSecure as Password Manager in 2021.
I have an eye on mSecure, and waiting for 2FA.
Thank you for your feedback @Philipp. We do have this on our radar to be implemented in mSecure 6. It won't be available in the first release, but it will be added as soon as possible to a following v6 release. It's one of the priority features on our list.
I'm also a long-time user and had a good look around prior to upgrading my membership to the new subscription model. Having read this thread, I was expecting to see MFA integration baked in so that I could make use of my MS MFA instance, or use my Yubi, Duo, etc. But it doesn't appear to be anywhere? I thought the intention was that MFA would be "at the forefront" of v6?
Frankly, if we are to buy in to the message that the subscription model ensures the product remains actively developed, patched, secure, etc.; why does it seem that knowledge of 2FA/MFA appears to be lacking (from the comments on this thread), which likely explains the long development time to implement this feature? Could someone let me know if I'm ranting for no reason because I've missed a setting, or tell me whether MFA is on the current sprint/cycle? If not, regrettably I don't think I will be able to keep the subscription going and can’t seriously consider deploying wider across the organisation.
@Jaysan Yubikey support is on our product roadmap, but it was never scheduled to be supported in the first release of v6: https://www.msecure.com/roadmap-of-upcoming-features-in-msecure/
It's difficult for me to respond to your other comments, because I'm obviously biased towards our company. We are moving to a much smaller release window now that we have moved to our current model, but we obviously have no track record yet to point to, since v6 is so new. Hopefully that makes sense, and if you have any other questions, please do let me know.
Just wanted to add more impetus to this. Can't come soon enough, IMO.
I wanted to give you all an update on plans for 2FA/MFA and Yubikey support. While we have got a lot of good feedback from many customers, we're still looking to get more as we continue to look into implementing this feature. And unfortunately, we have run into a snag as we began the development. I can't get into details, but Yubikey support for Mac is very tricky. Support for iOS seems very straightforward, but that's the platform that almost always has added security via Face/Touch ID, so it's not where this feature is needed most. However, we're still working on the feature, and we're hoping to get some more specific feedback from our customers on how our customers would like to use it.
First, we need to go over platform support. iOS support looks pretty straightforward, but as mentioned above, Mac support is tricky. Windows and Android support is in the mix as well, but we have only begun the process of researching for iOS and Mac at this point. If Yubikey support were only available for iOS, would it be worth it? I know @Rob would use it for iOS, but if I'm understanding the feedback thus far, Face and Touch ID support make the iOS mSecure app more than safe enough. Any other thoughts for only having iOS support?
Second, we have three different ways in which MFA can be applied:
One and two are pretty much mandatory when it comes to an MFA implementation. They are the most obvious contexts in which you would need to authenticate with a 2nd factor in order to proceed. However, we're not sure if the third option is something our customers would use or not. As an example of the workflow, I would think #1 and #3 would be a good combination. In order to even set up mSecure on any device, you would have to know your Username, your mSecure account Password, your Encrypted Account Key in the form of a QR code (even when retrieved from your iCloud Drive account, it's still used for authentication), and you would have to authenticate with the Yubikey. For signing in to your account, the Encrypted Account Key has always been a form of 2FA, because without that key, even if someone knows your Username and Password, they cannot get access to your account. So with the Yubikey, you would actually have 3 factors of authentication. Then after you are signed in, you could set different records to require authentication via the Yubikey. This way, you could more easily unlock mSecure, but then if you needed to look at the details for a certain record, after you tapped it, you would have to authenticate with the Yubikey in order to view the details.
All three options would be implemented if all of them were found valuable. I'm not entirely sure about this, but I believe all three would be optional. You could pick and choose which ones to enable, and if you wanted all three enabled to really lock things down, you could do it. In that case, you'd have to use the Yubikey when you first signed in to your account, then every time you unlocked the app, even if you also used Face/Touch ID, then again when you tapped a record to view its details.
Third, I may know the answer to this one already, but how do you see Yubikey, or any hardware key, helping that much more than biometric unlock features? In theory, the answer is obvious. There's no question that another factor of authentication is more secure. However, in practice, do you believe it to be a lot more secure than the biometrics offered on most devices? For example, if you had a computer that offered biometrics that mSecure tied into, would you find it necessary to enable MFA?
Thank you all for your feedback in advance. We know that MFA is very important to a lot of our customers, and we want to do it right.