Product Overview: Myki Password Manager and Authentication Tool

You set it up on an Android or iPhone, associating your account with your phone number. On the device, it uses a six-digit PIN or fingerprint recognition for access, but there's no master password for you to memorize. Even so, it's intrinsically secured by two-factor authentication. A hacker would need two of three things to gain access: your phone (something you have), your lockscreen PIN and Myki PIN (something you know), or your fingerprint (something you are). Not likely!

 

Setting up another device to sync with Myki is beyond simple. You install the app on a mobile device, or install the browser extension for Chrome, Edge, Firefox, Opera, or Safari. Either way, the new installation displays a big QR code. The code's pixels shift subtly over time; I haven't seen that before. Snap the QR code with your phone and you've made the connection.

 

While it's possible to pair the browser extensions using any of your mobile devices, you really should use your primary smartphone. I found this out the hard way. I paired extensions using a secondary device, an Android Moto G. Later I was surprised to find that my activity in the extensions didn't sync to my smartphone, not until I opened the Moto G and unlocked Myki. It turns out the extension-to-device link is one-to-one. Only the device you used for pairing syncs, and only the device used for pairing gets authentication requests. I re-paired the extensions with my smartphone to easily fix that problem.

 

One additional thing to consider: At the time you pair an extension, you can choose whether to trust the device. If you do, you'll only need Myki authentication each time the extension connects. If not, you'll need to perform the easy authentication step for every login. The latter is more secure, naturally.

 

Because your passwords live entirely on your smartphone, they're secure against any kind of cloud-based attack. What they're not protected against is loss or theft of the smartphone. To guard against this eventuality, you should regularly store an encrypted backup of your passwords using the browser extension.

 

In addition to the Passwords tab, the browser extension includes tabs for Payment Cards, Secure Notes, and Identities. To these categories the mobile apps add 2FAs (two-factor authentications, which I'll cover below) and ID Cards. As with passwords, whatever you enter in these tabs syncs to all your devices.

 

I like the way Myki automatically detects the payment card type based on the card number. It's a simple enough step, but many products ignore it. As you type in details like the name and expiry date, they appear on a card image. Myki cycles through a collection of colors for the cards you add. Dashlane goes a step beyond, letting you choose the color and add your bank's logo, so it's a snap to distinguish the silver Wells Fargo Visa from the green Citibank Mastercard. With Keeper, you don't even have to type in the card data; you can just snap it with the camera. I'd love to see Myki add that feature.

When you save an ID card, Myki does let you use the camera, but it just stores an image. You still need to type in all the details. Myki can save your passport, driver's license, insurance card, and several other types of identification. ID Cards don't appear in the browser extension, just in the mobile apps.

Password Generator

Just storing your existing passwords in Myki isn't enough to secure your accounts, especially if all those passwords are your pet iguana's name. You need to switch every site to a unique and unguessable password, and the only sensible way to get that done is by using a random password generator. Whether you use an app or a browser extension, Myki has you covered. However, the settings for the two areas have some curious differences.

When remembering passwords isn't your responsibility, you can use crazy-long strings of characters. Sadly, some password generators default to creating passwords so short as to be unsafe. If you don't change their default settings, RoboForm, SplashID, and Trend Micro Password Manager all dole out eight-character passwords. With Ascendo, it's even worse; this tool generates eight-letter passwords, with no numbers or symbols.

KeePass and Norton default to 20 characters, which is excellent, but Myki goes beyond that. By observation, in the app it defaults to 32 characters, with a minimum of four and a maximum of 99 characters. The browser extension defaults to 33 characters and lets you crank the length up to 200, which is more than many websites accept. In this case, the default lengths are just fine. The image below shows the mobile app's generator (left) and the browser extension's (right).

 


Where does MYKI store my passwords?

MYKI stores your passwords locally on MYKI-enabled devices.

What happens if I lose or change my phone or computer?

MYKI automatically stores backups on any device that you have MYKI installed on. This allows you to recover your data from another device in case something happens to your phone or computer. You can also create manual backups of MYKI that will generate a '.myki' file that you can store in any location that you deem secure.

How does MYKI communicate with my computer?

MYKI can be installed as a desktop application on your computer or you can pair your smartphone app with your computer through the MYKI browser extension that is installed in your browser of choice. You connect the app with the MYKI extension by scanning a QR code on your computer with the MYKI app (see steps here). This creates an encrypted end-to-end link between the MYKI app and the MYKI browser extension which allows your phone and computer to securely exchange passwords and other sensitive data.

How can I add my passwords to MYKI?

There are three ways for you to add your passwords to MYKI. The first one is through the MYKI app. You can click on the '+' sign and manually type in your username and your password for the selected website. The second method is via the Chrome extension while you browse. Whenever you log into a website on your computer that has a paired MYKI Chrome extension, MYKI will ask you to save the account into your MYKI app. Clicking the save button will add the account to MYKI, which will allow MYKI to auto-fill it from that point onwards. The third method is to import your accounts from Google Chrome or another password manager via the MYKI Chrome extension by following the steps in our guide (Import Your Existing Passwords To MYKI).

How can I sync my passwords to my computer?

Whether you have the MYKI desktop app installed or only rely on the browser extension that is paired to your smartphone, the data is seamlessly synced in an end-to-end encrypted manner between the different MYKI apps in the background. You do not need to do anything to move the data from one device to another.

How are my passwords encrypted while being sent to the computer?

In order to pair the MYKI app with your computer browser via the MYKI browser extension, you scan a QR code that contains an AES256-CBC encryption key that is only ever seen by the MYKI app and the MYKI browser extension. Whenever you request a password or other sensitive data from the MYKI app, the data is encrypted using this encryption key and sent over the Internet in an end-to-end encrypted manner to your computer. This ensures that the communication between the app and the computer is always secure. Whenever you disconnect the MYKI app from your computer, by pressing the disconnect button either on the app or in the extension, the key is deleted from both ends and the extension removes any sensitive data that it holds, including any session data that it generated. Whenever you disconnect the MYKI app from a computer, you get logged out from all the accounts that MYKI logged you into, which is useful in different use cases.

"Two-factor authentication (also known as 2FA) is a method of confirming a user's claimed identity by utilizing a combination of two different components. Two-factor authentication is a type of multi-factor authentication.
A good example from everyday life is the withdrawing of money from a cash machine; only the correct combination of a bank card (something that the user possesses) and a PIN (personal identification number, something that the user knows) allows the transaction to be carried out." (Wikipedia)

Online, 2FA is an additional time-sensitive one-time code that you input alongside your username and your password in order to log in. This prevents an attacker from accessing your account in case your password is compromised, as the attacker would also need to know this changing code.

The traditional way of receiving these 2FA codes is either via SMS, which is slow and insecure, or via an authenticator app such as Google Authenticator. The latter is more secure than the former but is extremely inconvenient because you are required to unlock your phone, open the authenticator app and type the 6-digit 2FA code into your browser every time you want to log in.

MYKI simplifies this process by holding these 2FA tokens for you and by inputting them alongside your username and password whenever you grant access to an account from your smartphone.

How can MYKI log me into accounts on my computer?

MYKI pairs with your computer via the MYKI browser extension that is installed in your web browser of choice or the MYKI Desktop app. You connect the apps together by scanning a QR code with your smartphone camera (Pairing The MYKI App) or by typing a pairing code. This creates an encrypted end-to-end link between the MYKI app and the MYKI browser extension, which allows your phone and computer to securely exchange passwords and other sensitive data. Scanning a QR code is an optical way of transferring information between your phone and your browser, which ensures that the encryption key is never exchanged over the Internet. Any intruder trying to intercept your network communication would not be able to decrypt the data being transmitted. Whenever the MYKI extension detects that you need to log in to an account in your browser (when you visit https://gmail.com for example and you are logged out), it sends a login request to your smartphone via push notification. You can grant access from your phone by hard pressing on the notification and authenticating yourself with your fingerprint, a PIN code or even Face ID. This will encrypt your Gmail password and securely send it to your computer. The extension will then decrypt this password and fill the login form online, logging you in successfully.

Can MYKI log me into apps and websites on my phone?

Yes, on both iOS and Android.

How can I connect the MYKI app with my computer?

You can pair the MYKI app with the MYKI Desktop app or with your computer browser via the MYKI browser extension which allows you to securely exchange passwords and other sensitive data between your phone and your computer. The MYKI app also allows you to store a secure backup of your accounts on your computer in order to recover your accounts in case something happens to your smartphone. In order to pair MYKI with your computer, follow the steps outlined in this guide.

Is the connection between MYKI and my computer secure?

MYKI uses the AES256-CBC encryption algorithm which is regarded as one of the most secure encryption standards. This ensures that your data is safe while being transmitted. The AES encryption key is shared between the phone and the extension via a QR code that you scan with the MYKI app using your smartphone camera which means that the encryption key is never sent across the internet. The key is generated by the browser extension and optically shared with the MYKI app. This is regarded as one of the most secure ways of exchanging an AES encryption key.
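
The pairing flow described in the answers on how passwords are encrypted in transit and on whether the connection is secure, as an added example in Node.js (not MYKI's code). The `pair:` QR text format, the function names, the key derivation and the HMAC integrity tag are assumptions: the page documents only an AES256-CBC key generated by the extension and carried in the QR code, and CBC by itself does not detect tampering, which is what the added tag covers.

```javascript
// Added example: names, message layout and the HMAC step are assumptions,
// not documented MYKI behaviour.
const crypto = require('crypto');

// Extension side: generate the pairing secret and the text a QR code would carry.
function createPairing() {
  const secret = crypto.randomBytes(32);
  return { secret, qrText: 'pair:' + secret.toString('hex') };
}

// Phone side: recover the secret from the scanned text (it never crosses the network).
function scanPairing(qrText) {
  const secret = Buffer.from(qrText.replace(/^pair:/, ''), 'hex');
  if (secret.length !== 32) throw new Error('bad pairing code');
  return secret;
}

// Separate keys for encryption and for the MAC, both derived from the QR secret.
const subKey = (secret, label) =>
  crypto.createHmac('sha256', secret).update(label).digest();

// Phone side: AES-256-CBC with a fresh random IV, then HMAC over IV || ciphertext.
function seal(secret, plaintext) {
  const iv = crypto.randomBytes(16);
  const c = crypto.createCipheriv('aes-256-cbc', subKey(secret, 'enc'), iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  const tag = crypto.createHmac('sha256', subKey(secret, 'mac'))
    .update(iv).update(ct).digest();
  return Buffer.concat([iv, ct, tag]);
}

// Extension side: check the tag in constant time before decrypting anything.
function unseal(secret, msg) {
  if (msg.length < 16 + 16 + 32) throw new Error('message too short');
  const iv = msg.subarray(0, 16), ct = msg.subarray(16, -32), tag = msg.subarray(-32);
  const want = crypto.createHmac('sha256', subKey(secret, 'mac'))
    .update(iv).update(ct).digest();
  if (!crypto.timingSafeEqual(tag, want)) throw new Error('authentication failed');
  const d = crypto.createDecipheriv('aes-256-cbc', subKey(secret, 'enc'), iv);
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
}

// Disconnect: overwrite the stored secret so later messages can no longer be opened.
function disconnect(pairing) {
  pairing.secret.fill(0);
}
```

Verifying the tag before decryption means a modified message is rejected without the receiver ever processing attacker-controlled padding.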