I’m going to talk about a password manager called 「F-Secure Key」 (KEY from now on) by F-Secure, a Finnish software security company. KEY probably isn’t the most popular password manager; in fact, it is rare to see it in any “best password managers in 2016” article. However, F-Secure is a highly respected security house that has been making very popular anti-virus software since 1994. If you watch TED videos, you have probably seen the great talks on cyber security by Mikko Hyppönen (if you haven’t, you should). He is the Chief Research Officer of F-Secure. Anyway, I just wanted to point out that F-Secure has credibility.
Products – Free/premium
There are two products for KEY: free and paid (premium). A 1-year subscription is 29.90 euros and a 2-year one is 49.90. What is the difference? Synchronizability.
Features – accessible only on registered devices
The key difference between KEY and other password managers is that KEY stores your passwords ONLY on your device, NOT on their server, i.e., if you lose your device your passwords are lost. There is no way to get them back. Password managers usually store your data, encrypted, on their server. For instance, Dashlane stores your data encrypted with your master key and recognizes you by your device, so they need neither your master password to look up your data nor do they ever know it. You can see this as a missing feature, but it removes a fundamental security risk: hacked servers. In fact LastPass’ server was hacked in 2015.
Automatic synchronization is available to premium users; free users have to sync passwords manually. I bought a 1-year subscription for half price (14 euros) thanks to an offer. Syncing between devices uses two-factor authentication: first you type in a unique, OTP-generated key, then your master key. This only registers your device with the F-Secure server; the actual data synchronization is done client-to-server. “Wait, you said KEY stores your passwords only on your local devices!” I’m sorry, but what I really meant is that the data is only accessible on registered devices. They do store premium users’ encrypted data for synchronization.
The client-to-server communication is explained very little on the F-Secure website (except that it uses TLS/SSL). I explored it with KEY:
- Change the master password on one device, log in with another device in flight mode, and then connect to the Internet.
- Add a new password and turn off the Internet connection; then start KEY on another device.
After these experiments I found that KEY constantly talks to the server and passes encrypted data much like other password managers do. The key difference between KEY and the others is that your data is anonymous (you register KEY with the premium code from your receipt, not your e-mail address or name), so nobody can trace the data back to its owner even if the encrypted data were stolen. I asked F-Secure how the data is stored on the server and whether I could access it with a new device, and I got this answer: “It’s as an encrypted blob. And you’d need to have a sync code. So, no device, no access. If the devices go away, the blob of data will be orphaned.” Did you get it? NO DEVICE, NO DATA.
Technology/Security – at the cutting edge (along with everyone else)
A password manager has two main security tasks: securing your master password and securing your data (the passwords). For the master password, KEY uses a popular practice, PBKDF2: it takes your password and a salt and derives an encryption key using the HMAC-SHA256 hashing algorithm with 20 000 iterations. (According to Apple’s iOS 9.3 security guide, Apple also uses PBKDF2/SHA256, with 10 000 iterations. LastPass uses the same technique with options from 5 000 to 200 000 iterations.) Then all your data is encrypted with that key using AES-256 in CCM mode (read F-Secure’s explanation). According to F-Secure, your master password and the encryption key are stored only locally. Most of the technologies here are used by other password managers as well, which means they are proven secure, but it also means they are all equally secure, at least conceptually. In the end it all comes down to implementation details, laws, etc., but that is beyond the scope of this article.
UI/UX – UI is A+, UX is B-
The UI is pretty good: very simple and easy. Syncing devices was just like using any other OTP service such as Google Authenticator or Telegram. However, I was shocked by their software update system. On Mac you have to download the latest install image from the F-Secure website and replace the old one with it. I don’t know why there isn’t simply an update button inside the app; there might be a security reason, but it is just so strange. Figuring out the version number on Mac was also quite confusing. However, if you read reviews from 2015, they have made many updates based on feedback, so I think they are really listening and trying to make KEY better.
Usability – Convenience = 1/Security
KEY is one of the most restrictive password managers. The data is accessible only on registered devices, and the master password is recoverable only with a recovery QR code. In other words, you can neither access your data from F-Secure’s server nor click a “Forgot password” button. It is certainly not the most convenient, but so far I haven’t had any trouble. Its features are very minimal compared to other services, but I don’t mind, as what I want from a password manager is security, not unnecessary fanciness.
- Restrictive security
- Good tech
- Simple and easy UI
- F-Secure & Mikko Hyppönen guarantee
- Finnish company (and yes, Finland is in the EU)
- Affordable price
- TouchID login in iOS
- What happens if I lose my phone while travelling, if it happens to be the only device I carry with me? => Chain all accounts to one account from which you can reset passwords.
- Lack of features (counter effect of security?)
- Exported data is a plain text file (.fsk) that looks like JSON
- No restriction on failed logins (but no one can try remotely, so relax…?)
- Lack of complete documentation about how KEY works (please benchmark Protonmail)
- Poor UX
- Poor marketing
For Aalto University students, F-Secure is one of the superstar companies that were started by Aalto graduates. I also had an adoration for F-Secure, and that was why I chose KEY over Dashlane or LastPass. And I’m very happy with my decision.
One thing F-Secure could do better is marketing. I don’t know why they don’t properly emphasize their only-accessible-on-registered-devices model; in fact, they never say it. I agree with F-Secure that the anonymous user system adds an extra layer of security.
I strongly recommend F-Secure KEY if you are about to start using a password manager.
Edit (2016 July 21st)
I just realized that F-Secure KEY is not available on Linux and F-Secure has no plan to cover Linux. Considering Linux’s market share, I think they never will. This may be the biggest downside of on-device-access-only. I don’t know if I will be able to continue my subscription next year if KEY won’t support Linux. Some people run KEY on Linux using Wine, but that is not a true solution.