
Support mSecure

Planned

2FA or YubiKey support

Hi,


First of all, I'm very happy with the product and have been for quite a while. I was wondering if any support for 2FA will be added in the near future? Specifically YubiKey as an extra layer on top of your master password.


thanks

Rob


4 people like this idea

I use Apple products exclusively at present. But I don't use Face ID or other biometrics. Hence I would need YubiKey support to be an added factor, or at least selectable as added or replacing another factor.

I mostly would like to see it supported to strengthen credentials for financial and confidential information.

Thank you for the added feedback so far everyone!


This may be obvious, but there is one thing to mention in response to @Burt's post. YubiKey support for mSecure would not actually provide a greater level of protection for your financial information. It would only provide greater protection for the data stored in mSecure, but that data is only a record of the credentials used for your actual accounts. For example, if you have a weak password being used for one of your bank accounts (which is probably unlikely, I know), then YubiKey support for mSecure won't help protect your bank account from being hacked. It would only help the weak credentials stored in mSecure from being discovered. To actually make those weak credentials stronger, you could use YubiKey directly on the bank account if it was supported by the bank's website. Of course, the most secure thing to do would be to make sure the password on the account was very strong, add YubiKey as a second factor of authentication for the bank account itself, then store the credentials in mSecure. At that point, YubiKey support for mSecure would make a difference but only marginally, since even if a thief had access to your bank's credentials through your mSecure app, they still wouldn't be able to get into your bank account without your YubiKey.


So far as I can see, the most important use case for providing protection to your online accounts with YubiKey support in mSecure is as follows. You make sure to have a very strong password set for your bank account that doesn't have direct YubiKey or 2-factor support. Then you store your bank's credentials in mSecure. At that point, the only way to get to your bank account is through either some type of brute force attack directly on the site which is highly unlikely to succeed, or to find the credentials in your password manager. If the password manager is secured with a strong password, it's already next to impossible to get access to the app. However, with a YubiKey, you could have a more memorable password to unlock mSecure, but it would still be safe, because the app can't be opened without your YubiKey.


There's something very important to remember though. For mSecure, the data is protected by an incredibly strong key called your Account Key, which is a randomly generated key. That protects your data stored in any cloud service from being compromised. Locally on your device, however, the security is a bit different. While the same key is used to protect your information, that key is encrypted with your account's password. So if you were to use a weaker password to unlock mSecure thinking that the YubiKey keeps you safe, that's only half correct. It would keep you safe from thieves getting access to your mSecure app, but it would make the data stored locally less secure. In the end, it is always best to have a very strong password set for EVERY access point to your sensitive information. That means a strong password for each online account, 2-factor authentication set directly on each account, and a strong password set for your mSecure account. If any of those passwords are made weaker for the sake of convenience, the security for your accounts is also weakened.
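The local-storage point in the post above, as an added example that is not part of the original thread and is not mSecure's code: a random account key is wrapped under a password-derived key, and a short password audit shows that the local copy is only as strong as that password. The KDF (PBKDF2-HMAC-SHA256), the XOR-plus-HMAC wrap (a standard-library stand-in for an authenticated cipher), the function names and the sample passwords are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 20_000  # assumed work factor, kept low so the demo runs quickly


def _subkeys(password: str, salt: bytes) -> tuple:
    """Stretch the password, then split into a masking key and a MAC key."""
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    mask = hmac.new(kek, b"mask", hashlib.sha256).digest()
    mac_key = hmac.new(kek, b"mac", hashlib.sha256).digest()
    return mask, mac_key


def wrap_account_key(account_key: bytes, password: str) -> dict:
    """Protect a random 32-byte account key with a password-derived key."""
    if len(account_key) != 32:
        raise ValueError("account key must be 32 bytes")
    salt = os.urandom(16)  # fresh salt per wrap, so the mask is never reused
    mask, mac_key = _subkeys(password, salt)
    ct = bytes(a ^ b for a, b in zip(account_key, mask))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}


def unwrap_account_key(blob: dict, password: str):
    """Return the account key, or None when the password is wrong."""
    mask, mac_key = _subkeys(password, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["ct"], mask))


def survives_wordlist(blob: dict, candidates: list) -> bool:
    """Password audit: True if no candidate unlocks the locally stored blob."""
    return all(unwrap_account_key(blob, c) is None for c in candidates)


# Constructed sample data: one random account key, two choices of password.
ACCOUNT_KEY = os.urandom(32)
COMMON = ["123456", "password", "qwerty", "letmein", "summer2024"]
weak_blob = wrap_account_key(ACCOUNT_KEY, "summer2024")
strong_blob = wrap_account_key(ACCOUNT_KEY, "T7#qv!Lz0pWm4&xRd9")

if __name__ == "__main__":
    print("weak password survives audit:  ", survives_wordlist(weak_blob, COMMON))
    print("strong password survives audit:", survives_wordlist(strong_blob, COMMON))
```

The same 256-bit key sits behind both blobs; only the password decides whether the locally stored copy holds up, and a hardware key that gates app unlock changes nothing about that.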

I can appreciate the technicalities involved with integrating a hardware key. After considering my need for it, I’ve boiled it down to a couple of reasons. I use random eighteen character passwords for everything, including mSecure. I change the mSecure password regularly, so unless I memorize it, I have to save it (ironically) in the app and use Face ID on my phone to look it up for use on a PC, Mac, etc. Sounds kind of silly and insecure. A hardware key would fix that annoyance and plug that hole. Also ironically, passwords are slowly being phased out. Hardware keys may or may not be the answer. Time will tell. For now, keys seem the best way to go and the most secure way to access passwords, etc. on many devices while they continue to be used. Fortunately for both of us, passwords aren’t going bye bye anytime soon and mSecure has a lot more utility than a password manager. That’s why I prefer it. Hiding all those data behind a key would make me feel as secure as current technology will allow.
My only issue with mSecure is that it requires me to use an additional app on top of this for another purpose! I wanted something that I could have ALL options together in one place. If you added to the field options the ability to attach a 2fa code generator then an account requesting the 6-8 digit code could be applied to that account as you added it to mSecure! But instead I’m left using Microsoft authentication as well as mSecure. I also use iCloud Keychain, but I’m slowly switching over. I just want to be able to do EVERYTHING in 1 place, and mSecure offers the ability to do it all other than generate codes!

Hi Melani,

mSecure does have the feature you are talking about. Simply add a field to your record, and set it to the "One-Time Password" type. After you do that, you'll be able to use that record for two-factor authentication as long as the account you are using supports it.

Great to know @Mike. I didn't know mSecure supported a OTP field feature either. I'll start using that, too!

No problem at all @Jason! Some features like this are a bit hidden and don't get a lot of attention on our site. It's only mentioned briefly at the bottom of the Features page on our site.

If you go to the Yubico website and do the quiz (https://www.yubico.com/ch/quiz/), you can see quite a few password managers which support YubiKey.

So I don't really get why it's hard for mSecure with macOS when others manage it.

Having an external key/dongle would make it more secure, during setup I would need the key with me.


If the servers of mSecure would be hacked, like in the case of LastPass, there would be one more layer of security protecting the passwords.


@Manoj We are aware that other password managers have implemented Yubikey support for Mac, but it is not apparent how they were able to accomplish this. The documentation for the support does not provide a way to incorporate the Yubikey SDK directly inside Xcode, which is the main development tool for macOS. So far as we can tell, the only way to implement support is via some type of .NET integration, which would require a large-scale change to mSecure's architecture. We don't know how the other password managers implemented the feature, and it's not something they publish for their competition to see.


We haven't ruled out implementing the feature, but we weren't able to add it into version 6.1. Also, we do have questions now that every Mac developed with an M1 CPU will have Touch ID support. Since these Macs moving forward will have a biometric authentication mechanism, do you feel it necessary to have an external dongle from Yubikey essentially offering the same type of security? If so, can you explain that in some detail?

