Password Managers vs heylogin

Passwordless Login Experience

For a passwordless login experience, until now companies could only connect their SaaS solutions to a Single Sign-On (SSO) service such as Okta or Duo. This more than doubles the required software budget, as documented at sso.tax. Even where the budget is available, many websites do not support SSO at all. For social media, government agencies, shopping portals and similar sites, only password managers remain as a solution. Solutions like 1Password, LastPass and Dashlane require users to come up with a particularly complex master password that has to be typed in regularly. heylogin solves this problem: although we are technically a password manager, we offer the login experience of a modern single sign-on.

Swipe-to-Login replaces Master-Password

Legacy password managers require users to remember and regularly enter a Master Password. The Master Password must be complex and kept private, since it is the single secret protecting all stored information. Anyone who obtains the encrypted data can try to guess the password by automatically testing a very large number of variations, an offline brute force attack. To protect against such attacks, a second factor is required. Legacy password managers offer it only as an optional feature, which is rarely activated because it makes them inconvenient to use.

With heylogin, a Master Password is no longer necessary. Instead, we use the secure element present in modern smartphones to provide our "Swipe to Login". Secure elements are security chips that protect secrets against unauthorized access and brute force attacks. This makes heylogin two-factor secure by design, because every login is protected by the smartphone itself (1st factor: possession) and by the smartphone's own unlock mechanism (2nd factor: PIN/biometrics). heylogin is not just more secure, it's also easier to use.

Comparison of login solutions

Criteria compared:
Central access management
Instant synchronisation
2-factor security
Password sharing in teams
Works with all websites
Confirm with your phone
Protected with security chip
Passwordless: no Master Password
Hosting & Development in Germany
Monthly costs for 70 users

heylogin: ~5 € · 70 users = 350,00 € per month
Password Manager (notes 2, 4): ~6 € · 70 users = 420,00 € per month
Single Sign-On (SSO) (note 5): ~6 € · 70 users, plus costs of the web services (~200% · 70 users): cost increase of all web services due to enterprise upgrades. More details on www.sso.tax
System solution (notes 1, 3): Vendor lock-in

1) System solutions are primarily designed for individual users and not for user management in companies.
2) Dashlane and LastPass only synchronize with a delay or when updating via button. KeePass must be synchronized manually.
3) 2-factor security in system solutions is either not available or only works if smartphones of the provider are also used.
4) Conventional password managers are only protected with a master password (knowledge) by default. Factors of possession and biometrics are optional and result in a degraded user experience.
5) SSO solutions are only passwordless when properly configured or when using modern solutions (e.g. Hypr).
* All prices plus VAT

Comparison of the safety architectures

Highly simplified representation of the LastPass architecture

LastPass security

The master password is the one factor in LastPass that is actually used for end-to-end encryption. It is important to note that the master password is chosen by the user. This means it is not perfectly random: it carries the patterns of the human mind that chose it.

Key Stretching

From this master password, a key is derived by key stretching and used for the end-to-end encryption of the vault. In the case of LastPass, PBKDF2 with 100,100 iterations is used. The encrypted vault is then synchronised with the cloud.

2-Factor Authentication (2FA)

2FA mechanisms, which can optionally be enabled in LastPass, are an additional protection when accessing the cloud infrastructure. 2FA is not part of the end-to-end encryption.

From the point of view of the attacker

The LastPass attackers gained access to the cloud infrastructure and bypassed the protective mechanisms of the LastPass employees. This enabled them to steal the encrypted vaults, which they are now trying to decrypt.

Why is 2FA useless?

The attackers managed to gain access to the cloud storage, and probably also had to overcome the 2FA mechanisms of the LastPass employees. Now that they have stolen all encrypted vaults, the 2FA mechanisms set individually by customers are useless, because the vaults can be cracked "offline".

Offline Brute Force Attack

The attacker can automatically try an extremely large number of possible master passwords. The only thing that slows this attack down is the key-stretching function. That is exactly what these functions were designed for, but their parameters have to be raised regularly because attackers also get better and better hardware. Unfortunately, PBKDF2 with 100,100 iterations is outdated. Currently, either 600,000 iterations are recommended (OWASP recommendation) or, even better, Argon2, which has been standardised by cryptologists since 2015. For a 12-character master password chosen by the user (sic!), the average cost to the attacker is assumed to be 100 USD.
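To put numbers on the key-stretching argument, here is an added Python example; it is not LastPass's or heylogin's code. It uses the standard library's PBKDF2-HMAC-SHA256 with the two iteration counts named above, measures how many guesses one CPU core of this machine can make per second, and compares the search space of a pattern-following human password (a constructed assumption: a 10,000-word list combined with a four-digit number) with that of a random 256-bit key of the kind a security chip generates. Salts, passwords and the word-list size are constructed for the example; Argon2 is not in the Python standard library and is therefore not shown.

```python
import hashlib
import secrets
import time

# Parameters quoted in the text: the LastPass default and the OWASP recommendation.
LASTPASS_ITERATIONS = 100_100
OWASP_ITERATIONS = 600_000
KEY_LEN = 32  # a 256-bit vault key
SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Key stretching: PBKDF2-HMAC-SHA256 turns a human-chosen master password
    into a 256-bit vault key. Every guess an offline attacker makes has to pay
    for exactly this computation, which is why the iteration count matters."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def hardware_style_key() -> bytes:
    """Stand-in for a key generated inside a secure element (assumption: the
    chip's random number generator is uniform). There is no password behind
    it to guess; the only search space is all 2**256 keys."""
    return secrets.token_bytes(KEY_LEN)


def slowdown_factor(old_iterations: int, new_iterations: int) -> float:
    """PBKDF2 cost is linear in the iteration count, so raising it from the
    old to the new value slows every attacker guess by this factor."""
    return new_iterations / old_iterations


def measure_guesses_per_second(iterations: int, samples: int = 3) -> float:
    """Single-core PBKDF2 throughput on this machine. A real attacker with
    GPUs is orders of magnitude faster; this only shows the shape of the curve."""
    salt = b"constructed-salt"  # constructed value, fixed for the measurement
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"measure-{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


def candidate_space(alphabet_size: int, length: int) -> int:
    """Upper bound on the number of candidates for a password of this shape."""
    return alphabet_size ** length


def expected_years(candidates: int, guesses_per_second: float) -> float:
    """Expected time to hit the right candidate: on average half the space."""
    return candidates / 2 / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    key = derive_vault_key("correct horse battery staple", salt, LASTPASS_ITERATIONS)
    print("vault key:", key.hex())

    rate = measure_guesses_per_second(LASTPASS_ITERATIONS)
    print(f"this machine: {rate:.1f} guesses/s at {LASTPASS_ITERATIONS} iterations")
    print(f"raising to {OWASP_ITERATIONS} slows each guess by "
          f"{slowdown_factor(LASTPASS_ITERATIONS, OWASP_ITERATIONS):.1f}x")

    # Constructed human pattern: one word from a 10,000-word list plus a
    # four-digit number, a plausible shape for a user-chosen password.
    human_candidates = 10_000 * 10_000
    print(f"word+digits password: {expected_years(human_candidates, rate):.4f} years on one core")
    print(f"all 12-char mixed-case alphanumerics: "
          f"{expected_years(candidate_space(62, 12), rate):.3e} years on one core")
    random_key = hardware_style_key()
    print(f"256-bit random key ({random_key.hex()[:8]}...): "
          f"{expected_years(2 ** 256, rate):.3e} years")
```

The point the numbers make is the one in the text: the iteration count buys a linear slowdown (about 6x from 100,100 to 600,000), whereas a key that was never derived from a human choice removes the guessable structure entirely.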

Offline brute force attacks by the attacker
Highly simplified representation of the heylogin architecture

The solution

1Password has introduced the "Secret Key" as an additional factor alongside the master password. They recommend printing this random string because it is needed when setting up new devices and must not be lost. Of course, this leads to a worse user experience, poorer user acceptance and an increased support workload.

No Master Password

At heylogin, we completely dispense with a master password chosen by the user. Instead, we generate the key for end-to-end encryption directly in the smartphone's security chip. This key is 256-bit secure from the start: it is perfectly random and contains no human patterns.

2-factor secure end-to-end encryption

Security chips in smartphones must be unlocked by the user each time they are used, by fingerprint, face unlock or PIN. The number of incorrect attempts is limited, so one cannot, for example, try an unlimited number of PINs. An attacker must therefore not only physically steal the smartphone (1st factor) but also unlock the security chip with a 2nd factor. That alone is extremely difficult, and the attack does not scale, since an attacker would have to steal and crack a great many smartphones.
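The attempt limit described here can be modelled in a few lines. The following Python is an added illustration, not heylogin's implementation or any vendor's chip firmware; the retry budget of 10 and the PIN-based unlock are assumptions, and the PIN values are constructed. It shows the three properties the argument rests on: the 256-bit key is generated inside the model and handed out only after a correct 2nd factor, wrong attempts are counted and the key is discarded once the budget is exhausted, and the total number of guesses available to someone holding the devices is bounded by devices times budget, in contrast to the unbounded offline attack on a password-derived key.

```python
import hashlib
import hmac
import secrets

MAX_FAILED_ATTEMPTS = 10  # assumption: retry budget before the chip locks itself


class SecureElementLocked(Exception):
    """The retry budget is exhausted; the key material is gone."""


class SecureElementModel:
    """Toy software model of a phone security chip as described in the text:
    the 256-bit key is generated inside, is released only after the user
    presents the 2nd factor (a PIN here), and wrong attempts are counted."""

    def __init__(self, pin: str):
        self._salt = secrets.token_bytes(16)
        self._pin_tag = self._tag(pin)
        self._key = secrets.token_bytes(32)  # generated in the chip, never exported
        self.failed_attempts = 0
        self.locked = False

    def _tag(self, pin: str) -> bytes:
        # A real chip compares the PIN internally; the model keeps only a keyed hash.
        return hmac.new(self._salt, pin.encode("utf-8"), hashlib.sha256).digest()

    def unlock(self, pin: str) -> bytes:
        """Return the key for a correct PIN; count and eventually punish wrong ones."""
        if self.locked:
            raise SecureElementLocked("retry budget exhausted")
        if hmac.compare_digest(self._tag(pin), self._pin_tag):
            self.failed_attempts = 0  # a successful unlock resets the counter
            return self._key
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True
            self._key = b"\x00" * 32  # model of zeroising the key material
        raise ValueError("wrong PIN")

    def attempts_remaining(self) -> int:
        return 0 if self.locked else MAX_FAILED_ATTEMPTS - self.failed_attempts


def guesses_until_locked(chip: SecureElementModel, candidates) -> int:
    """Feed PIN candidates to the chip until it refuses further attempts and
    return how many it accepted. This is the defender-side measurement of how
    little someone holding a single device can do against the 2nd factor."""
    tried = 0
    for pin in candidates:
        try:
            chip.unlock(pin)
            return tried + 1  # only reached if the correct PIN was among the early guesses
        except ValueError:
            tried += 1
        except SecureElementLocked:
            break
    return tried


def max_guesses_with_stolen_phones(devices: int) -> int:
    """Upper bound on total PIN guesses across many stolen devices: each chip
    grants at most MAX_FAILED_ATTEMPTS, so the attack grows only linearly
    with physical theft, unlike an offline attack on a password-derived key."""
    return devices * MAX_FAILED_ATTEMPTS


if __name__ == "__main__":
    chip = SecureElementModel("7391")  # constructed PIN
    print("key released after correct PIN:", chip.unlock("7391").hex())

    fresh = SecureElementModel("7391")
    accepted = guesses_until_locked(fresh, (f"{i:04d}" for i in range(10_000)))
    print(f"sequential PIN guesses accepted before lock: {accepted}")
    print(f"locked: {fresh.locked}, attempts remaining: {fresh.attempts_remaining()}")
    print(f"total guesses against 1,000 stolen phones: {max_guesses_with_stolen_phones(1_000)}")
```

Even a four-digit PIN with only 10,000 possibilities holds up here, because the chip, not the attacker, decides how many guesses are made; the offline attack on a vault in the previous section has no such referee.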