F-Secure Key – Review 2018

The whole point of using a password manager is that it remembers all your passwords, leaving you free to change them to complex, random values instead of weak-but-memorable ones like your dog’s name, or your birthday. F-Secure KEY handles the basic task of remembering your passwords, and it can sync across all your Windows, macOS, Android, and iOS devices. The current version has added a few features since I last tested it, but other password managers have evolved too, adding advanced features like automatic password updates, secure credential sharing, and password inheritance. F-Secure KEY offers none of these, so it isn’t gaining ground on the competition.

For $32.99 per year, you can install F-Secure KEY on all your devices and freely sync your data among them. If, despite the company’s assurances about the security and anonymity of your data, you prefer not to have passwords stored in the cloud, that’s fine; you don’t have to sync. And if you forego cloud storage and syncing, the product is free. Dashlane, too, is free if you forego syncing. If you want both the convenience of syncing and the security of staying away from the cloud, Sticky Password Premium gives you the option to sync only across your local network.

Getting Started

After a quick and simple install, F-Secure KEY invites you to either create a new account by entering a master password, or link your device to an existing premium account. Note that you don’t enter a username or email account. Your login is anonymous, authenticated by your knowledge of the master password and your possession of a trusted device. oneID uses a similar trusted-device system, without even requiring a master password. But where oneID lets you revoke trust for a lost device, F-Secure can’t do the same, due to your account’s anonymity. If you do lose a trusted device, be sure to change your master password immediately.

As you type your master password, the rating rises from weak to moderate and all the way to strong. The rating system has improved since my last review; at that time it called the very weak “password” moderately strong. The current edition requires use of all character sets and downgrades passwords that contain known words or sequences like qwerty or 12345.

Like Keeper Password Manager & Digital Vault, Dashlane, and most competing products, F-Secure KEY’s master password creation dialog points out that if you forget the password, the company just can’t help you. Nobody at F-Secure knows your password, and nobody there can decrypt your data—even if ordered to by law enforcement.

Of course, that leaves you up a creek if you do forget the master password, but F-Secure has an unusual remedy. Once you’ve created your master password it prompts you to save a Recovery Code, like a QR-Code. You print the code and file it somewhere safe, perhaps in a fireproof document safe. If you do lose your master password, you can regain control by snapping the code with your mobile device. Clever!

Here’s a warning: don’t ever leave your desk with F-Secure KEY open. A snoop could have a field day guessing your master password. How? On the page where you change your master password, the field for entering the old master password starts off marked Invalid. When you (or the snoop) type the correct master key, it immediately changes to Valid. That’s not good. What should happen is that you type the old password, enter the new one twice, and click to make the change. Only at that point does it check the validity of the old master. Guessing passwords is a lot faster when the snoop gets an immediate prize for a correct guess.
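The difference between the two behaviours, as an added sketch that is not F-Secure KEY's code: `live_field_status` mimics the per-keystroke Valid/Invalid indicator described above, while `change_master_password` checks the old password only on submit and throttles failures. The class name, PBKDF2 work factor, failure limit and lockout period are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time


class MasterPasswordStore:
    """Hypothetical vault front end; all policy values are assumed."""
    MAX_FAILURES = 5        # assumed: failed submits allowed before lockout
    LOCKOUT_SECONDS = 300   # assumed: lockout duration
    ITERATIONS = 200_000    # assumed PBKDF2 work factor

    def __init__(self, password, clock=time.monotonic):
        self._clock = clock
        self._failures = 0
        self._locked_until = 0.0
        self._set(password)

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def _set(self, password):
        self._salt = os.urandom(16)
        self._verifier = self._derive(password, self._salt)

    def _check(self, password):
        # Constant-time comparison of derived verifiers.
        return hmac.compare_digest(self._derive(password, self._salt), self._verifier)

    def live_field_status(self, typed):
        # Criticised behaviour: every keystroke is an unthrottled guess
        # that is answered immediately, with no submit and no lockout.
        return "Valid" if self._check(typed) else "Invalid"

    def change_master_password(self, old, new, confirm):
        # Recommended behaviour: nothing about `old` is revealed until submit.
        now = self._clock()
        if now < self._locked_until:
            return "locked"
        if not new or new != confirm:
            return "mismatch"          # says nothing about the old password
        if not self._check(old):
            self._failures += 1
            if self._failures >= self.MAX_FAILURES:
                self._locked_until = now + self.LOCKOUT_SECONDS
                self._failures = 0
            return "rejected"
        self._failures = 0
        self._set(new)                 # fresh salt and verifier
        return "changed"
```

With the submit-only flow, a person at an unlocked desk gets five answers per lockout period instead of one answer per keystroke.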

Manual Password Entry

If you’re accustomed to the automated password capture and replay offered by LogMeOnce Password Management Suite Ultimate, RoboForm, and most competing products, F-Secure KEY may disappoint. Creation of login entries is a completely manual affair. You enter a title, username, password, and URL, along with any notes you deem important. The easiest way to get the URL right is to navigate to the login screen and copy it from the Address bar.

F-Secure KEY Add Entry

As with KeePass, you can choose a color and an icon for each entry. But unlike KeePass, F-Secure KEY doesn’t let you tag, group, or otherwise organize your entries. They show up in one big alphabetic list. Once you gather a few dozen, you’ll find yourself using the search box quite a bit.

One way to avoid all that typing is to import from an existing password manager. F-Secure KEY can import from LastPass, Dashlane, Symantec Norton Identity Safe, and a half-dozen others. It can also export your passwords to an XML-like file. Note, though, that the login credentials appear as plain text in this file; treat it as highly sensitive.

Password Replay

If you rely on Chrome or Firefox as your main browser, you can enable automated password replay. In the Settings dialog, choosing Browser autofill reveals buttons to install the Chrome and Firefox extensions. In an unusual touch, completing the installation requires copying a lengthy authorization key from the settings dialog to the extension. Once the extensions are active, F-Secure puts a key icon in the username field; clicking it gets you a list of matching logins.

Those using Internet Explorer or another browser must select System autofill rather than Browser autofill in the Settings dialog. In the past, using this feature required pressing a special key combination. The current edition puts a key icon in the username field, just as with Chrome and Firefox. However, you can’t use Browser autofill and System autofill at once. If you switch between browsers frequently, this could be irksome.

Like Keeper, LastPass, RoboForm, and a few others, F-Secure can manage application passwords, but only if you’ve chosen System autofill. You create an application password entry just like any other entry, but when it comes to the URL field you simply drag and drop the application itself. F-Secure puts a key icon in the username field, just as it does in Internet Explorer. However, it lists all your logins, not just ones matching the application. Support for application passwords is nice, but it’s sad that you can’t use it and still autofill in Chrome and Firefox.

Password Generator and Security

If you install a password manager but leave all your passwords set to “password” or “123456,” you haven’t accomplished much. You need to change those passwords to more complex ones. Hey, you don’t have to remember them, so they can be long and random. Like most competing products, F-Secure KEY offers to generate complex, random passwords for you.

The password generator becomes available when you’re creating or editing an entry. It lets you choose which character types to include in the password: lowercase letters, uppercase letters, digits, and punctuation. All four are enabled unless you actively exclude them.

Password length is always an issue. I’m not satisfied with the eight-character passwords generated using the default settings in Norton Identity Safe. Generating 30-character passwords by default, Myki Password Manager & Authenticator had the longest default, until now. However, F-Secure takes the default-length crown, creating 32-character passwords out of the box.

If you walk away from your desk with your password manager unlocked, an office snoop could grab your private data. Like most password managers, F-Secure KEY can automatically lock up after a period of inactivity. By default, it locks after five minutes. The other choices are an odd collection: 30 minutes, 60 minutes, 10 hours, or one week.

Sync and Mobile

Syncing across multiple devices is a fantastic feature for those of us who don’t just stick to the desktop. Yes, the PC or Mac desktop is best for creating password entries. Once they’re created, you can say goodbye to the onerous task of typing “3ephADE@&anE(>k” on a diminutive smartphone keyboard.

Some password managers require special authorization to sync with a new device, such as entering a verification code sent to your smartphone or email. F-Secure KEY does things a bit differently. You start by installing the product on the device of your choice and, when prompted, choosing to connect rather than create a new account. Note that while the app appears in the Apple Store and Play Store, Mac users must download direct from F-Secure.

F-Secure KEY Mobile

Back on the original device, you generate a synchronization code, which is valid for 60 seconds. Enter that code on the new device, enter your master password, and you’re connected. From now on, changes and additions made on one device sync to all of them. You can only add a new device for syncing if you’re logged in on an existing trusted device.

On the Apple MacBook Air 13-Inch I used for testing, the app looked nearly identical to the Windows edition. It even offered Browser autofill for Chrome and Firefox, System autofill for other browsers. However, in testing I found that system autofill doesn’t work, and my company contact confirmed that the product only supports Chrome and Firefox on the Mac.

For mobile testing, I installed the app on an Apple iPhone SE and a Moto G5 Plus. The product’s appearance on both mobile platforms looked much like its Windows incarnation, with one big exception. In addition to the alphabetic list of logins, a Favorites page displays up to eight of your favorite logins, icon-only, in a ring. New since my last review, your favorite selections now sync between devices. You can authenticate with a fingerprint on mobile devices that support it.

On Android devices, F-Secure KEY installs a special keyboard input method that allows it to fill login credentials in the browser. You tap the icon for an entry, which opens it in the browser. Then you select the special keyboard and tap the button corresponding to the name of the entry. In testing on a Motorola Moto G5 Plus, I found no way to activate the alternate keyboard, even after consulting the F-Secure knowledge base. I have seen this feature working on other Android devices, however.

Dashlane, LastPass, Sticky Password, and others manage to fill credentials under iOS by adding to the Share icon menu. Another common option is to offer a browser inside the password manager. F-Secure KEY does neither, though iOS users can fill credentials using copy and paste. My F-Secure contacts tell me they plan to improve this for iOS 12.

On mobile devices only, F-Secure offers Breach alerts. These alerts provide notification when a popular website has been hacked or otherwise breached. Naturally you should change your password for any breached site. There’s also a handy icon to share the warning via social media.

Password Status

New since my last review, F-Secure KEY offers a simple password status report. It lists all saved passwords and flags them as Strong, Moderate, or Weak. You can click to see passwords matching just one of those ratings, or to see passwords that you’ve used more than once. The status check also flags common passwords; if you use “password” for a site, you’ll get zinged.

You don’t get help with improving weak or duplicate passwords, other than a button that opens the site’s data for editing within the password manager. What you must do is log into the site and navigate to the password change page. Then generate a new password within the editor, and paste that password into the password change page. Password Boss Premium and RoboForm, among others, make things a bit easier. You click a link to go to the site’s password change page, and the password manager captures your change.

F-Secure KEY Status

Dashlane, LogMeOnce, and LastPass take the concept of fixing weak passwords to the next level. For supported websites, these products can totally automate the password change process, making the change online and recording it in the password collection. Keeper Password Manager & Digital Vault offers one-click updates once you navigate to the password-change page, but, according to the designers, its zero-knowledge policy precludes totally automating the process.

Credit Card Storage

Filling in your username and password on a login page isn’t much different from filling in your personal data on a shopping site’s web form. Many password managers offer automated form filling, to one degree or another. RoboForm Everywhere is the long-time master here, offering multiple identities and multiple values for each data field. Dashlane also does well, putting a menu of options right next to the fields you’re filling.

With the current version, F-Secure KEY dips a toe into personal data storage. Specifically, you can use it to save any number of credit cards. It even includes icons for the major credit card types. Disappointingly, all it does is store and sync the data. Using that data to fill a web form is a matter of copy and paste.

What’s Not Here

Since my last review, F-Secure KEY has added a basic password-rating system, but not the automated password update featured in a few other products. It now stores credit card data, but doesn’t use it to help you fill web forms. And where most password managers automate the process of capturing passwords as you log in, F-Secure still requires you to create password records by hand.

Password Boss, AgileBits 1Password, and most of the top password managers include a provision to securely share credentials with a trusted partner or friend. In some cases, you can share use of the password without making it visible. In others, sharing is two-way, so your partner’s changes sync back to your own account. Secure sharing isn’t a feature of F-Secure KEY.

On a related (but grimmer) note, some products provide for handing passwords to your heir in the event of your death. LastPass, Dashlane, and LogMeOnce are among the few that offer this feature. Typically, there’s a waiting period before inheritance, to prevent an heir from jumping the gun. Zoho Vault works a bit differently, allowing an administrator to take control of a departing employee’s work-related passwords. Password inheritance, too, isn’t something you get from F-Secure.

When I last reviewed this product, all you got for support was an online FAQ and community discussion pages. I’m pleased to see that F-Secure now offers live chat support.

Good, Not Great

F-Secure KEY performs the basic tasks a password manager should, though it doesn’t automate password capture. The company has a great reputation for security, and the current version has added a few new touches since my last review. The problem is, the competition has been evolving as well. The best password managers, even the free ones, do things that this product doesn’t. Keeper Password Manager & Digital Vault costs a bit less than F-Secure KEY, and Dashlane doesn’t cost much more. Keeper and Dashlane take Editors’ Choice honors for full-featured password management.