F-Secure Key Review

Installing F-Secure Key:

Key can be installed on multiple platforms including Windows desktop PCs, Macs, smartphones (iOS and Android) in addition to browser extensions for Chrome and Firefox. To start with I will look at installing the Windows desktop app which can be downloaded for free via the F-Secure website.

Once downloaded and set running the installer will have the Key desktop application installed with just a few clicks, a really quick and stress-free experience overall. once the install process has completed the app will open up onto a screen asking us to create a new password vault or synchronise to an existing one (for premium subscribers only).

Creating a new password vault will create a new, strongly encrypted password storage container on the local device in use. Whilst using the free version of the product nothing will be synchronised back to F-Secure at all, although this is available with the premium subscription which I will address a little later on.

Once the password vault has been created we can now login and use the F-Secure Key application, one of the first things the application will prompt us to do next is to create a recovery code. This recovery code is especially important as there is absolutely no way for F-Secure themselves to recover the master password for the vault, this means if you forget you password then possession of the recovery key is the only way back in.

After the desktop application is installed one of two browser extensions are available (Firefox and Chrome). To start with I will have a look at the Firefox extension

The plugin can be installed from the Mozilla add-on centre as with any other Firefox add-on, once installed it is important to note that the desktop application must be installed, unlocked and the ‘autofill passwords’ setting enabled (see below). There is also an authorization code which is generated just below this autofill setting which must be copied into the plugin when prompted for it at the first opening off the plugin.

Without this configuration described above the browser plugin will not function, this might seem a little long winded but it is essentially a (proprietary) form of multi-facto authentication which means the device and password must already be authorised before the plugin will have access to the vault!

Finally, access to the vault can also be made via smartphone apps which are available for both iOS and Android, remember to have the smartphone apps automatically synchronised requires a premium subscription (else it will operate as an independent password vault).

Types of Data Stored

One main reason for using a password manager is to store passwords to websites, this is, of course, a key part of the F-Secure Key app meaning multiple website logins can be saved. The website address, username, password and any specific user notes can also be saved under each individual login.

It is also possible to store entries as “Credit cards”, this means any card or payment method can be saved securely for future use. It is called a “credit card” but thanks to the notes section it could feasibly be used to store any kind of secure message which might not be treated as a traditional login (an SSH key, for example).

It is important to note that F-Secure have (at time of writing) made no facility to provide any form of secure file storage in either the free version nor an activated version with a premium subscription. Since many other market leading password managers including LastPass and 1Password do have this in their premium versions I feel F-Secure are lacking slightly in this category!

Adding a New Site

Adding new logins to Key is generally speaking quick and straightforward, although it must be said not quite as automatic as some other password managers.

New logins can be added directly via the desktop application or the smartphone apps but not the browser extension itself! This means (unlike LastPass, 1Password etc.) when you sign into a website for he first time the browser extension will not recognise this login and will not automatically add the account to the password manager for you. This is a little disappointing given I have become so use to this from LastPass over the years and an area I hope F-Secure will address.

Can F-Secure Key Generate Passwords

Yes, whilst adding a new login to the F-Secure Key desktop or smartphone apps there is an option to generate a strong and unique password automatically. This functionality is very useful given that such passwords are widely recognised as best practice when trying to keep logins as secure as possible.

Having a unique password is also useful in the event that said password is ever compromised and exposed to the world along with your login details (e.g. email address). In such circumstances only a single website will be affected due to the password being unique. In such cases it is fairly easy to then change the affected password for the site in question knowing that all other sites are still 100% safe thanks to them having different passwords (even if the login email is the same).

Imagine if your username and password (as per above) had been leaked and it turned out the username (email) and password were used regularly use across many different websites! In this case it would take much longer to change them all (you might even miss some) and it is much more likely that one or more accounts would be compromised, not a good situation!

Signing in to Websites and Apps

Signing into websites will be one of the most common tasks asked of a password manager. With this in mind any password manager which incorporates a web browser plugin which can automatically fill out login forms is at a big advantage versus those which don’t (yes, some still don’t have browser plugins!).

Thankfully, Key does have a good web browser plugin available for both Firefox and Chrome, this means once a familiar website is visited the plugin will create a drop-down box offering to fill in the login form automatically. It should, however, be pointed out that the browser plugin (as tested in Firefox) did not offer to save any new logins via the web browser and these must instead be added in via the desktop app. Whilst not a big issue (given account creation is relatively infrequent) it is an example of missing functionality otherwise found in competitors including LastPass and 1Password.

With the desktop app aside F-Secure have also produced smartphone apps for both iOS and Android which allow autofill logins to be made into various mobile apps. The autofill service is also compatible with the Android autofill service meaning set-up and use of this functionality is quick and easy to get going with.

Again, remember that without a premium subscription the app and desktop vaults will operate as two individual vaults and will not synchronise automatically.

How Secure and Reliable is Key

All data stored within F-Secure Key is encrypted locally using 256bit AES encryption, this is based around a master password principal of which only the account holder knows the passphrase. Should you forget the password F-Secure will have no way of recovering the password vault!

In addition to the master password system F-Secure Key will (optionally) allows users to create a recovery phrase, this is actually a QR code and can be used to re-access the account in the event the aster password is ever forgotten.

It is also very important to point out that you do not need an F-Secure account to login and use the Key password manger, this is important as it means F-Secure are not linking any of your personal data to the application! Add this together with their “zero knowledge” of you password and it is clear F-Secure have built a product around the premise of maximising privacy and security as much as possible, excellent!

If you do want to extend the Key service there is a premium subscription service available, following on from above it is excellent to see the privacy and security features continue to run into the paid product. For example, when subscribing to the premium service no F-Secure account is needed and all that is actually purchased is a code from one of F-Secure’s authorised resellers. Once this code is entered into the app (again no login or personal details are required) the premium service will be activated and any new devices will be able to synchronise with the password vault.

Here is also a good time to mention the multi-factor authentication within F-Secure Key, a slightly unique approach to 2FA to say the least in that Key doesn’t support a mainstream system such as Google Authenticator or Authy etc. Basically, once a premium subscription is activated, any new devices can be added to the account and synchronised only when the following requirements are met:

1) The master password is entered into the new device

2) The original device (with the premium subscription activated) has generated an activation code to add the new device.

Whilst technically not 2FA it does have the same effect by virtue of the user needing both the master password AND physical access to the original device, as such this is (in my opinion, at least) a form of multi-factor authentication, but feel free to disagree with me here?

Finally, F-Secure has a built in breach warning service which will monitor any large scale data breaches which might contain you logins, this is built-in to the app itself and is a useful additional feature.

Can F-Secure Key Import Passwords

Yes, in fact F-Secure have made importing passwords straightforward with with a specialist import tool found within the application itself. Simply export your passwords from your old password manager and then select the file for upload within this the specialist import tool to take advantage of this feature and make moving from an existing password manager quick and simple.

F-Secure Key Free vs Premium

F-Secure Key is initially a 100% free to use application which requires no accounts to be created nor personal details shared etc. This makes it an ideal tool for anyone concerned about their privacy and the security of their password vault. F-Secure do, additionally, offer a premium subscription service which will extend the functionality of Key and allow multiple devices to be synchronised automatically via the F-Secure network.

With the automatic synchronisation aside the premium subscription offers no additional features, this means if you do want to test F-Secure Key out or simply require a free password manager for local (non-networked) use then this is an ideal place to start!