F-Secure Key is a simple and secure password manager developed by anti-virus security experts, F-Secure.
As our lives move increasingly towards the internet and smart devices it is now more important than ever to keep our data as secure as possible. Naturally, over time, collecting tens or even hundreds of unique passwords soon becomes an impossibility to manage for most people, this is where a password manager such as F-Secure Key becomes essential! Once configured and in-use only a single secure password needs to be remembered by the user.
In addition to the basic password manager functionality F-Secure Key also offers additional functionality including browser extensions, smartphone apps, Windows / Mac desktop apps and a premium subscription which allows all devices to be kept in sync via F-Secure’s secure server network.
At first things are looking very promising, so time to get into the review of F-Secure Key!
- Well designed, convenient and easy to use
- Plugins available for Chrome and Firefox
- Applications for Windows and Mac
- iOS and Android apps
- Cloud synchronisation between all devices (premium)
- Supports 2FA (proprietary system)
- Automatic password generator
- Automatic website logins
- Breach alerting service
- Very secure, all encryption performed locally
- No F-Secure account needed (very privacy focused)
- Free to use without multi-device synchronisation (i.e. locally)
F-Secure Key Usability
Installing F-Secure Key:
Key can be installed on multiple platforms including Windows desktop PCs, Macs, smartphones (iOS and Android) in addition to browser extensions for Chrome and Firefox. To start with I will look at installing the Windows desktop app which can be downloaded for free via the F-Secure website.
Once downloaded and set running the installer will have the Key desktop application installed with just a few clicks, a really quick and stress-free experience overall. once the install process has completed the app will open up onto a screen asking us to create a new password vault or synchronise to an existing one (for premium subscribers only).
Creating a new password vault will create a new, strongly encrypted password storage container on the local device in use. Whilst using the free version of the product nothing will be synchronised back to F-Secure at all, although this is available with the premium subscription which I will address a little later on.
Once the password vault has been created we can now login and use the F-Secure Key application, one of the first things the application will prompt us to do next is to create a recovery code. This recovery code is especially important as there is absolutely no way for F-Secure themselves to recover the master password for the vault, this means if you forget you password then possession of the recovery key is the only way back in.
After the desktop application is installed one of two browser extensions are available (Firefox and Chrome). To start with I will have a look at the Firefox extension
The plugin can be installed from the Mozilla add-on centre as with any other Firefox add-on, once installed it is important to note that the desktop application must be installed, unlocked and the ‘autofill passwords’ setting enabled (see below). There is also an authorization code which is generated just below this autofill setting which must be copied into the plugin when prompted for it at the first opening off the plugin.
Without this configuration described above the browser plugin will not function, this might seem a little long winded but it is essentially a (proprietary) form of multi-facto authentication which means the device and password must already be authorised before the plugin will have access to the vault!
Finally, access to the vault can also be made via smartphone apps which are available for both iOS and Android, remember to have the smartphone apps automatically synchronised requires a premium subscription (else it will operate as an independent password vault).
Types of Data Stored
One main reason for using a password manager is to store passwords to websites, this is, of course, a key part of the F-Secure Key app meaning multiple website logins can be saved. The website address, username, password and any specific user notes can also be saved under each individual login.
It is also possible to store entries as “Credit cards”, this means any card or payment method can be saved securely for future use. It is called a “credit card” but thanks to the notes section it could feasibly be used to store any kind of secure message which might not be treated as a traditional login (an SSH key, for example).
It is important to note that F-Secure have (at time of writing) made no facility to provide any form of secure file storage in either the free version nor an activated version with a premium subscription. Since many other market leading password managers including LastPass and 1Password do have this in their premium versions I feel F-Secure are lacking slightly in this category!
Adding a New Site
Adding new logins to Key is generally speaking quick and straightforward, although it must be said not quite as automatic as some other password managers.
New logins can be added directly via the desktop application or the smartphone apps but not the browser extension itself! This means (unlike LastPass, 1Password etc.) when you sign into a website for he first time the browser extension will not recognise this login and will not automatically add the account to the password manager for you. This is a little disappointing given I have become so use to this from LastPass over the years and an area I hope F-Secure will address.
Can F-Secure Key Generate Passwords
Yes, whilst adding a new login to the F-Secure Key desktop or smartphone apps there is an option to generate a strong and unique password automatically. This functionality is very useful given that such passwords are widely recognised as best practice when trying to keep logins as secure as possible.
Having a unique password is also useful in the event that said password is ever compromised and exposed to the world along with your login details (e.g. email address). In such circumstances only a single website will be affected due to the password being unique. In such cases it is fairly easy to then change the affected password for the site in question knowing that all other sites are still 100% safe thanks to them having different passwords (even if the login email is the same).
Imagine if your username and password (as per above) had been leaked and it turned out the username (email) and password were used regularly use across many different websites! In this case it would take much longer to change them all (you might even miss some) and it is much more likely that one or more accounts would be compromised, not a good situation!
Signing in to Websites and Apps
Signing into websites will be one of the most common tasks asked of a password manager. With this in mind any password manager which incorporates a web browser plugin which can automatically fill out login forms is at a big advantage versus those which don’t (yes, some still don’t have browser plugins!).
Thankfully, Key does have a good web browser plugin available for both Firefox and Chrome, this means once a familiar website is visited the plugin will create a drop-down box offering to fill in the login form automatically. It should, however, be pointed out that the browser plugin (as tested in Firefox) did not offer to save any new logins via the web browser and these must instead be added in via the desktop app. Whilst not a big issue (given account creation is relatively infrequent) it is an example of missing functionality otherwise found in competitors including LastPass and 1Password.
With the desktop app aside F-Secure have also produced smartphone apps for both iOS and Android which allow autofill logins to be made into various mobile apps. The autofill service is also compatible with the Android autofill service meaning set-up and use of this functionality is quick and easy to get going with.
Again, remember that without a premium subscription the app and desktop vaults will operate as two individual vaults and will not synchronise automatically.
How Secure and Reliable is Key
All data stored within F-Secure Key is encrypted locally using 256bit AES encryption, this is based around a master password principal of which only the account holder knows the passphrase. Should you forget the password F-Secure will have no way of recovering the password vault!
In addition to the master password system F-Secure Key will (optionally) allows users to create a recovery phrase, this is actually a QR code and can be used to re-access the account in the event the aster password is ever forgotten.
It is also very important to point out that you do not need an F-Secure account to login and use the Key password manger, this is important as it means F-Secure are not linking any of your personal data to the application! Add this together with their “zero knowledge” of you password and it is clear F-Secure have built a product around the premise of maximising privacy and security as much as possible, excellent!
If you do want to extend the Key service there is a premium subscription service available, following on from above it is excellent to see the privacy and security features continue to run into the paid product. For example, when subscribing to the premium service no F-Secure account is needed and all that is actually purchased is a code from one of F-Secure’s authorised resellers. Once this code is entered into the app (again no login or personal details are required) the premium service will be activated and any new devices will be able to synchronise with the password vault.
Here is also a good time to mention the multi-factor authentication within F-Secure Key, a slightly unique approach to 2FA to say the least in that Key doesn’t support a mainstream system such as Google Authenticator or Authy etc. Basically, once a premium subscription is activated, any new devices can be added to the account and synchronised only when the following requirements are met:
1) The master password is entered into the new device
2) The original device (with the premium subscription activated) has generated an activation code to add the new device.
Whilst technically not 2FA it does have the same effect by virtue of the user needing both the master password AND physical access to the original device, as such this is (in my opinion, at least) a form of multi-factor authentication, but feel free to disagree with me here?
Finally, F-Secure has a built in breach warning service which will monitor any large scale data breaches which might contain you logins, this is built-in to the app itself and is a useful additional feature.
Can F-Secure Key Import Passwords
Yes, in fact F-Secure have made importing passwords straightforward with with a specialist import tool found within the application itself. Simply export your passwords from your old password manager and then select the file for upload within this the specialist import tool to take advantage of this feature and make moving from an existing password manager quick and simple.
F-Secure Key Free vs Premium
F-Secure Key is initially a 100% free to use application which requires no accounts to be created nor personal details shared etc. This makes it an ideal tool for anyone concerned about their privacy and the security of their password vault. F-Secure do, additionally, offer a premium subscription service which will extend the functionality of Key and allow multiple devices to be synchronised automatically via the F-Secure network.
With the automatic synchronisation aside the premium subscription offers no additional features, this means if you do want to test F-Secure Key out or simply require a free password manager for local (non-networked) use then this is an ideal place to start!
F-Secure Key Security
F-Secure Key uses AES-256 bit encryption to ensure all user data is securely encrypted, this happens locally on the device before any synchronization activity might take place (synchronisation is only available in the Premium version).
In addition to this strong encryption it is clear that F-Secure take security seriously by means of a clever multi-factor authentication system which has been implemented and the lack of any requirement to register an F-Secure account in order to use the service. Add onto this that the master password is unrecoverable by F-Secure and the premium subscription is handled via a 3rd party reseller meaning (in theory at least) F-Secure have effectively zero knowledge of their customers or the data they are securing. An excellent approach to providing maximum security and user privacy!
F-Secure have a very comprehensive knowledge base on their website which is backed up by a strong community support forum staffed by experts, this makes getting answers to minor issues relatively quick and easy.
Should you require further support F-Secure additionally provide limited hours phone support.
F-Secure Key Pricing
Use of F-Secure Key on a single device is completely free, a Key Premium subscription is priced at £21.99 per year and will cover an unlimited number of personal devices. A 2 year subscription is also available for £36.99 in addition to a monthly option of £2.49 available via the Google Play store.
F-Secure Key Review Summary
F-Secure clearly take security and user privacy very seriously and this is very well reflected in the Key password manager. The lack of needing to sign-up for an account to use the product and any premium subscriptions being made via an official reseller mean F-Secure have (effectively) zero knowledge of their users and their data.
With privacy and security aside the apps all seemed to function well during my testing and everything worked as it should. Unfortunately, however, I do feel some functionality might be missing such as the inability of the browser plugins to capture account creation (like many other alternatives do) and the lack of a formal multi-factor authentication option such as Google Authenticator etc.
Pricing for the premium option is reasonable at £21.99 per year but this doesn’t include any secure cloud storage and (from what I can see) doesn’t add any new features to the app, a premium subscription simply enables secure synchronisation between multiple devices.
Overall this is a solid tool which is ideal for those who take security and data privacy seriously, with just a little bit of extra development (as per the missing features above) F-Secure could really turn this tool into a market leader, a great effort F-Secure!