How Myki, with its cloudless solution, plans to be the death of the password
Creating secure passwords for multiple platforms and then remembering each of them is hard. With a cloudless password manager solution, Myki wants to kill passwords.
‘Password’, ‘123456’, ‘iloveyou’, and ‘666666’ are some of the most frequently used passwords on the web. Another common trend is using the names of pets or other common words that can be guessed by trial and error. In this digital age of rampant cybercrime, it is important to ensure we use secure alphanumeric passwords peppered with special characters that are hard to crack through brute force and guessing.
With an estimated 1,00,000 installs, Myki, with its password manager app, aims to be the Grim Reaper or death of the password. Apart from managing passwords, users can also save sensitive information such as credit cards, government IDs, and secure notes on Myki, if they wish to. Here is their story.
Story so far
In May 2017, Antoine Vincent Jebara and Priscilla Elora Sharuk took Myki Password Manager & Authenticator from stealth mode to public. Myki’s USP is that it offers the security of an offline password manager and the convenience of a cloud-connected one. The big-picture goal is to put users back in control of their sensitive data.
Myki, currently composed of a diverse 14-member team, is headquartered in Beirut, Lebanon. Having previously worked in the field of data loss prevention at Symantec, Antoine (CEO) made headlines when he led the Myki team to uncover several vulnerabilities in major identity providers, the most notable one being the Mac OS X keychain vulnerability in September 2015.
Before taking a leap into her ultimate passion — technology — with Myki, Priscilla (COO) was a landscape architect who had worked with the likes of Zaha Hadid on numerous regional projects and was most recently listed among the ‘Top 7 Female Entrepreneurs in MENA for 2017’ by Forbes.
Considering there were already a few cloud-based password managers in the market, why did Myki look to enter this space? Because, according to Priscilla, “The cloud is amazing and extremely convenient but is not designed to store everything. You should keep your sensitive data offline. This used to be very difficult to do because of the fact that you had to manually move it to any new device that you own.”
Myki’s solution to this is to help users pair their password manager app with the different computers they own. This will allow them to request a login from any device by approving a login request with a fingerprint.
Talking about what happens behind the scenes and the end-user experience, Antoine said,
“The background processes that are running are fairly complex with the peer-to-peer (P2P) encrypted connections and syncing, etc. But from a user perspective, the experience is simple and satisfying. Every time you want to log in, you receive a push notification. You approve it with a fingerprint and you are in.”
How Myki works
On downloading Myki, users are given a quick walkthrough of how the app functions. Users are encouraged to install the web extension to ensure all features are enabled. I also noticed that like other password manager apps, Myki disables the user’s ability to take screenshots.
The Myki app acts as a vault that stores an encrypted copy of a user’s passwords and other sensitive data. Users can lock and unlock the vault with their fingerprint or set up a six-digit pin in case their device doesn’t have a fingerprint sensor.
Users then have the option of picking which of their social media accounts or frequently visited websites they wish to link with Myki. Users need to enter their login email ID or username and can then generate a random password of four to 100 characters depending on their preference (and paranoia?). Users can also select whether the generated password should include numbers, symbols, or both.
Highlights and summary of Myki’s features:
- Stores passwords offline.
- Myki auto-fills two-factor authentication tokens.
- Myki can remotely disconnect you from a computer you are paired to. Disconnecting automatically logs you out from all the accounts that Myki logged you into on that computer.
- Automatic P2P encrypted connection between phone and computer. This allows users to send encrypted passwords from their phone to the browser by approving a login request sent via push notification.
Elaborating on the last feature, the team explained that users can pair their Myki app to any computer via the Myki browser extension. This creates an encrypted P2P link between the browser and the Myki app. When the extension notices that the user is logged out, it sends a login request to the user’s smartphone via a push notification. Users approve the notification with their fingerprint; the app then encrypts the password and sends it directly to the extension, which decrypts it and injects it into the webpage. Priscilla explained,
“Our servers act as relay servers, which means that they contain no sensitive data in case they get compromised (contrary to cloud-based password managers). From the user’s standpoint it’s simple — every time you want to log in on any device, approve the push notification you receive on your smartphone and you are in.”
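The relay property described above, sketched as an added example: it is not Myki's code, and the page does not describe Myki's actual protocol. It assumes X25519 key agreement at pairing and AES-256-GCM for the password envelope; every function name and the sample password are constructed for illustration.

```javascript
const crypto = require('crypto');

// Pairing (assumed): each side keeps a private key and learns the peer's public key.
function newDevice() {
  return crypto.generateKeyPairSync('x25519');
}

// Both ends derive the same 256-bit key; the relay never holds a private key.
function sessionKey(myPrivate, peerPublic) {
  const shared = crypto.diffieHellman({ privateKey: myPrivate, publicKey: peerPublic });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'pairing-demo', 32));
}

// Phone side: called only after the user approves the login request.
function sealPassword(key, password, site) {
  const iv = crypto.randomBytes(12); // fresh nonce per message
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(site)); // bind the ciphertext to the requesting site
  const ct = Buffer.concat([cipher.update(password, 'utf8'), cipher.final()]);
  return { site, iv, ct, tag: cipher.getAuthTag() };
}

// Relay server: forwards the envelope and records every byte it was able to see.
function relay(envelope, seen) {
  seen.push(Buffer.concat([envelope.iv, envelope.ct, envelope.tag]));
  return envelope;
}

// Extension side: authenticates and decrypts before filling the page.
function openPassword(key, env) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, env.iv);
  decipher.setAAD(Buffer.from(env.site));
  decipher.setAuthTag(env.tag);
  return Buffer.concat([decipher.update(env.ct), decipher.final()]).toString('utf8');
}

function demo() {
  const phone = newDevice();
  const extension = newDevice();
  const kPhone = sessionKey(phone.privateKey, extension.publicKey);
  const kExt = sessionKey(extension.privateKey, phone.publicKey);
  const seen = [];
  const password = 'constructed-Sample#Pass1'; // constructed sample value
  const env = relay(sealPassword(kPhone, password, 'example.test'), seen);
  const recovered = openPassword(kExt, env);
  let mismatchRejected = false; // an envelope replayed for another site must fail
  try { openPassword(kExt, { ...env, site: 'other.test' }); } catch { mismatchRejected = true; }
  const relaySawPlaintext = seen[0].includes(Buffer.from(password));
  return { recovered, relaySawPlaintext, mismatchRejected };
}
```

A compromised relay in this sketch yields only nonces, ciphertext and authentication tags; the design still depends on the public keys exchanged at pairing being authentic.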
If users lose their phones, Myki has the option to generate a secure continuous backup of accounts on any computer that users pair their app with. Users can also create manual backups of Myki that will generate a ‘.myki’ file that they can store in any location they deem secure.
Traction and revenue model
Available on Android and iOS, Myki claims to have crossed 1,00,000 installs across both platforms combined. The team believes that this validates their hypothesis that people are worried about storing their identity in the cloud and don't want the hassle of using standard offline password managers.
Myki is currently free to download and use for individual non-business (B2C) users. The startup is monetising the platform through its enterprise offering, ‘Myki For Teams’, which includes additional features like the provision to schedule password changes and set access rules. A few examples of access rules are the ability to restrict usage access based on geo-fences, IP addresses, and time.
Sector overview and future plans
According to a report by MarketsandMarkets, the password management market is expected to grow to $709.6 million in 2019. This represents an estimated compound annual growth rate (CAGR) of 17.9 percent from 2014 to 2019. North America was expected to be the biggest market on the basis of spending and adoption for password management solutions.
Some of the popular players in this space include LastPass, 1Password, and KeePass. LastPass was acquired by LogMeIn for an estimated $110 million in October 2015. Myki believes its solution is the most secure of the lot because while KeePass stores passwords offline, it doesn’t support syncing between devices and users have to manually sync them. LastPass, on the other hand, is cloud-based and doesn’t offer two-factor authentication tokens.
Myki has raised a seed round of $1.2 million from multiple investors. Talking about their product pipeline, the Myki team added that a ‘backup with a friend’ feature is in the works. This will serve as an additional failsafe and allow users to keep a secure backup of their passwords on a friend’s Myki app, much like a spare key. Priscilla clarified, “The friend would not be able to access your Myki vault unless you granted them access to it.”