Myki rolls out a password manager that locks all your info away on your phone

Everything is getting hacked to the point that its getting kind of ridiculous and everyone needs to have secure passwords. The trouble, however, is making them tough to crack and also being able to remember them. Thats led to a blossoming ecosystem of password management services like OnePassword.

But if you ask Antoine Vincent Jebaraand Priscilla Elora Sharuk, thats not going far enough. Instead of locking those passwords away online and accessing them when you need to log in, their startup Myki looks to keep them locked away on your phone instead. Users can activate the Myki Chrome extension to log into various services through their phone, but the passwords are never kept on remote servers and even administrators dont know what they are once new passwords are issued. The company launched at TechCrunch Disrupt SF 2016.

A big concern is the passwords are still in the cloud and people dontwant them to have access, Jebara said. Even when it comes to lawful access, in our case we dont hold any sensitive info, which you cant giveaway.We dont want to have it, its your right to own and known where your proprietary data is.

Heres how it works: When a user decides to log into a service it can be anything, really theyll choose to log in through Myki. They then authenticate that login on their phone through the Myki app, which is locked by fingerprint or PIN in addition to managed remotely, and the password and login is dropped into the browser.

Through an administrative panel, users can authorize a variety of services, whether traditional browser logins or complex enterprise software, for login through Myki. The company generates passwords for those services that are then passed over to the phone and kept there instead of online. The passwords and login signals relay back and forth from the phone in order to log into various services, and administrators can assign passwords to be reset on a regular basis.

Myki is also constantly reporting back information about the logins. The administrative panel logs physical addresses, phone status (even battery level), IP addresses, geographic area, times and other kinds of irregular behavior, aiming to keep as many tabs on your password usage as possible. If something gets breached (through user fault or just a general hack) administrators can instantly trigger a mass reset, issuing new passwords to every user. Users operate the app using their phone number rather than typical credentials in an attempt to ensure that everything revolves around owning and operating a phone.

mykiWhatinterests us is that the user is the owner of the phone, Jebara said.If GitHub gets breached, you need to do a mass reset of passwords this takes time in the enterprise, and you have to pray for [users]not to change the password with only a slight variation.

The goal here is to ensure that passwords remain complex, difficult to crack and easily accessible. Users have the option of looking at the passwords within the app (though an administrator can actually disable this, even though they dont actually have access to the password), but they are designed to be kept on the device and away from remote servers that could potentially be breached.

The device control can be extremely granular, all the way to allowing only certain IP addresses (such as in the case of different floors on buildings of larger companies) or even locking geographic regions. Thats important to keep the right apps only being used at the right time and making sure everything is used in a secure environment.

Heres another cool one: Users can actually share their login credentials with one another on a highly regulated basis. So if I need to give one of my colleagues a login to Getty or Shutterstock, for example, I can authorize them to use my account on a limited basis, and revoke that access at any time. Again, theyll never see the password thats just for the account owner.

Right now, the company isnt built into various mobile device management providers, but thats another welcome opportunity, Jebara said. We like the idea of bundling with MDM providers because they do root detection. If you root your phone thats where we draw the line. If you use an MDM provider and push the key, they do root the detection, and we do access management, and it becomes more powerful.

Theres always a risk for sticking all your passwords in one place. If your phone is compromised for some reason, like stolen by someone who somehow manages to crack the core iOS security and Myki, theyll have access to everything to which youve given Myki access. To get around that obviously use all the existing security features Myki users can quickly revoke access to the device.

Right now the company is targeting companies as primary providers, but theres obviously a consumer hook to it, as well. If users start relying on it for their traditional work login, they may want to tie in their Gmail and Facebook passwords and IT managers wont have access to that information, Jebara said.

Theres a reason all these password managers are reaching popularity and companies are actively encouraging them. Often, user password behavior is pretty bad. Theyll re-use the same password for multiple accounts, the passwords wont be strong, and they arent changed that often. Thats prompted a lot of breaches in the past several years, with hundreds of millions of credentials hitting the web.

With Myki, Jebara is hoping to take that level of security one step further, and make it even easier to log in and out of services. Time will tell if having everything locked away on your phone will work out in their favor but its certainly something that Apple is trying to do, keeping a lot of operations on the phone instead of the cloud. The fewer the touch points where individuals can capture sensitive information, the better, Jebara said.

About the Author

Leave a Comment:

All fields with “*” are required

Leave a Comment:

All fields with “*” are required