Review: Myki password manager.

Updated 07 July 2018.

Contents of this article.

  1. Introduction.
  2. What is Myki?
  3. Pros.
  4. Cons.
  5. Conclusion.
  6. Screenshots.
  7. Criteria used for testing.

1. Introduction.

Thanks to the myriad of accounts created on different platforms, storing passwords is a major source of headache. This problem itself has led to the creation of countless password management services. The conventional way these password managers work is for you to go online, log in and choose the secret you wish to use. Myki goes a step further by storing the secrets on your phone.

2. What is Myki?

Myki is an authenticator and password manager that comes as a mobile app; it also has a browser extension compatible with several browsers – Chrome, Opera, Safari and Mozilla Firefox. You scan a QR code with the app to pair the browser extension with the app on your device. What sets Myki apart from other password managers and authenticators is that your passwords are not stored on its servers or in the cloud; they are stored in your pocket, i.e. on your mobile phone.
Website: https://myki.co/

3. Pros.

• The interface is simple and intuitive.
• You can pair your passwords with different computers; each login is approved on the phone with a fingerprint or a PIN code.
• Myki does not store your browsing data, nor does it log your mouse movements or keystrokes. (See criteria used for testing; Zero knowledge).
• Your passwords are stored on your phone only; Myki keeps no record or backup of them in the cloud. (See criteria used for testing; Zero knowledge).
• All traffic between your phone, Myki’s servers and your browser extension is encrypted. (See criteria used for testing; End-to-end-encryption and implementation).
• Myki uses AES-256 to encrypt passwords sent between the phone and the browser extension. The key exchange happens when the QR code shown by the extension is scanned from the phone. (See criteria used for testing; End-to-end-encryption and implementation).
• Myki uses public key cryptography to authenticate users: the public key is shared with the server, and on login the server sends a challenge that is signed by the phone. The PIN code or the fingerprint sensor unlocks the private key used to sign the challenge; the server verifies the signature and grants the user access. (See criteria used for testing; End-to-end-encryption and implementation).
• Myki can remotely log you out of any account on your computer from the Myki app on your phone.
• Myki stores and auto-fills two-factor authentication tokens.
• In the event of a data breach, your vital information remains safe. Myki doesn’t store sensitive data, so it cannot be forced or subpoenaed into handing it over. (See criteria used for testing; Zero knowledge).
• There’s no need for a master password or passphrase.
• Myki lets you pair and login on an unlimited number of computers.
• Myki is available on various devices: tablets, desktops and laptops (via browser extensions), Android and iOS. (See criteria used for testing; Multiplatform).
• Myki’s support is fast, efficient and responsive.
• Myki supports credit card integration: it autofills your credit card data when you’re online the same way it does your passwords.
• You can share passwords with any other Myki user online; the password is encrypted on the user’s smartphone and sent over a P2P encrypted connection. The recipient cannot see the password in the app or in the browser. The recipient uses the app to approve the login request and gets access to the account they wish to log in to.
• You can also revoke access to the recipient whenever you wish.
• Taking screenshots while using the app is disabled.
• Myki has a password generator embedded in the Chrome extension, which is a handy tool for creating complex, undecipherable passwords.
• You can have several team accounts on the same device. With each team, you have access to all Myki features, e.g. you can create groups, each with its own set of permissions, such as permissions for agents, system admins, the accounting department, friends, family, etc. The price is set per team, and you pay for the number of users on that team.

4. Cons.

• The Myki app inserts passwords into the page, which implies that a hacker, state-sponsored criminal or tech-savvy user can interrupt the page’s JavaScript execution and inspect the code in order to look for the password.
• Myki is expensive to use.
• Some features do not work on older Android versions; for example, the location feature is not available on Android 6.0 Lollipop.
• Screen recording apps can be used to record passwords/actions when the app is in use.
• Myki is not open-source. (See criteria used for testing; open-source).
• When creating a secret from the dashboard, it sometimes wouldn’t save if the internet connection was slow.
• URLs are not encrypted; this is how Myki retrieves icons for websites. We don’t know what they do with this tracking.

5. Conclusion.

Myki ultimately fulfils its goal, which is to make sure passwords maintain a level of complexity that makes them difficult to decode, decrypt, hack or access in any way. This password manager is rated highly because it stores the passwords on your phone rather than in the cloud or on remote servers that could be breached; this gives you the assurance that your secrets are in your hands, literally.

You can see the passwords in the app and, if you wish, you can also disable it without being in physical contact with the phone. If your phone is stolen or falls into the hands of people with malicious intent, you can revoke access to that device. The issue we have with the Myki app is that we do not have access to its source code to review it, i.e. it is not open source.

Myki also keeps tabs on your physical address, IP address, geographic area, login data, battery level, etc. They do this through the administrative panel. The aim is to take note of actions that are out of place or irregular behavior noticed on the app. Should a hack occur on Myki, either on the user’s end or a general hack, a Myki admin can immediately perform a mass reset, and a new set of passwords will be provided to each and every user. Their support staff are very responsive, and whatever bugs are reported to them, they take into consideration and act on swiftly. All in all, this app comes highly rated and is a good fit for individuals and organizations alike.

6. Screenshots.

Screenshot 1: Myki UI.
Screenshot 2: Secret login request.
Screenshot 3: Sharing center.
Screenshot 4: Example of a secret.

7. Criteria used for testing.

• Zero knowledge: Myki is not fully zero knowledge at this time. Myki stores metadata such as the auto-generated unique IDs of the accounts you have stored, your phone number for recovery, and the IDs of accounts shared with other users, in order to facilitate revocation of access. But it does not record your browsing data, nor does it log your mouse movements or keystrokes.

• End-to-end-encryption and implementation: Myki ensures full end-to-end encryption by using the AES256-CBC encryption algorithm, which is considered one of the most secure encryption standards. This algorithm guarantees the safety of your data in transit. The key is shared between your mobile device and the browser extension through the QR code that you scan with your camera from the Myki app, which shows that none of your encryption keys is sent over the web. The AES key is created by your browser extension and passed to the Myki app visually. There is no better way to secure an encryption key than this.

• Open-source: Myki is not open source. This is one of the major cons of the app as we can’t review or verify the contents of the source code.

• Multiplatform: Myki is available on mobile i.e. iOS and Android, while on PC it can be used as an extension on Google Chrome, Firefox, Safari and Opera.

• Resistance to state-sponsored criminals: these are police, prosecutors, etc. Their crimes are considered legal because the state institutions have been corrupted and there is no one to keep them in check. They are the most dangerous sort of criminals, whether to an individual or to a country. If they have done something illegal, they can cover it up however they like. They can intercept and read IMAP, POP3, TLS and SSL. They can also spoof your email provider’s SSL certificate. They can access your SMS and emails, meaning a recovery option is often an easy form of attack for them. That’s why you should always use encryption software, encrypt your devices, and buy hardware outside the country you operate in.

