Support mSecure
Major security gap - your phone PIN alone can unlock your MSecure database
Mike - mSecure
Hi Jason,
Thank you for bringing this to our attention. While we do not believe that this means that customers using fingerprint access with mSecure 5 on Android have had their information compromised, specially since most customers using fingerprint to unlock mSecure 5 also use their fingerprint to unlock their device, we do understand how this is less than ideal. We will be addressing this issue in our next update and make sure to require a customer's mSecure account password after the fingerprint settings for a device have changed.
Unless I'm mistaken there is NO such thing as fingerprint-only access to an Android device. You ALWAYS have to have a backup PIN code and that backup PIN code whether you use it or not. I'd agree with you that the majority of the time someone would be using their fingerprint to unlock the phone, but I was thinking of any of the following scenarios:
- many of my clients to whom I've recommended MSecure will allow their kids or other family members to know their PIN so they can play games, watch videos, etc. They wouldn't necessarily give those same people access to everything in their MSecure database, but in this case they have effectively done so.
- People might give their IT person their phone PIN for the purposes of fixing something on the phone, but in doing so would not expect that IT person would have full access to their entire MSecure database
- any time the phone power cycles or has been off a certain amount of time a PIN will be required to access the device
- in cold weather (gloves) or when my phone is mounted to a stand or my bike I often use a PIN rather than fingerprint since I can't easily swipe
Can you confirm that this does not apply to Apple products? It appears that mSecure5 does force the use of a password if any touch ID change is made on an iPhone.
Mike - mSecure
Hi Andy,
Yes, any changes to Touch ID on iOS will result in having to enter your mSecure account password in order to unlock the app. You'll have to set up Touch ID in our settings afterwards.
Jason
Like most people I consider my MSecure database to merit a higher level of security than my phone. While my phone is always locked, the MSecure database is a vault within a vault.
Because a phone PIN or pattern can be observed in many situations (and these days you're highly likely to have entered it at least once while you're in range of a CCTV) my MSecure database requires something more.
I do have Fingerprint ID as an option for logging into my MSecure database. Many apps (Bank of America, 1Password) that allow fingerprint ID have a special feature wherein when there's any new fingerprint added, fingerprints will no longer unlock the database UNTIL the master password is entered and fingerprints are re-enabled. Today I learned that MSecure does not have that same restriction.
As a result, someone who observed my PIN (or to whom I voluntarily gave my PIN) no longer only has access to my phone. They can now go into the Fingerprint ID settings, add one of their own fingerprints, and immediately log into my MSecure database.
This means that if you use Fingerprint ID on your MSecure database, then whatever locks your phone is all someone needs to gain full access to your MSecure database. Until this is fixed anyone whose PIN is known to others and who uses FingerprintID for their MSecure database should consider their MSecure database as being shared as well.
I captured the screens from B of A and 1Password here: https://i.imgur.com/Ytuq0yT.png showing how their fingerprint login works after any changes to the enrolled fingerprints.
I am using MSecure for Android version 5.5.4.1102