cancel
Showing results for 
Search instead for 
Did you mean: 

Web based service as alternative method for KEY

0 Likes

Web based service as alternative method for KEY

Dear Santa and KEY Developers,

 

Would it be possible to have a web based service as an alternative method to access passwords conveniently from the browser? I'd see it handy to have an access to the passwords without installing the software or having a phone nearby, for example when using a public computer. I am a pure Linux user and since KEY supports everything except Linux I'd be glad to use it seamlessly and more powerfully through a web interface.

 

Merry Christmas folks!

 

Best Regards,

Teemu Ikonen

3 Comments
Advocate

Until someone from F-Secure answers, here's some information on F-Secure's guiding design principle for Key:

 

  • F-Secure don't need to know who you are
  • All Key users are fully anonymous
  • All data is stored locally
  • Users are not tracked in any way, even when you synchronize your data across devices

 

A web service won't match those requirements, but that's just my personal opinion.

F-Secure Employee

Hi,

 

NikK is absolutely correct. Doing a web based portal type of access (as many other products do) to your password has some fundamental weaknesses. This is why your data can be only accessed via your own devices in coordinated way. And also reason why we don't offer web based access.

 

It is not simple matter, therefore easily missed if not thought through carefully. HushMail and CryptoCat are couple of services that act as case examples where web browser based encryption system fails. Patric Ball had a good article about this in Wired:

http://www.wired.com/threatlevel/2012/08/wired_opinion_patrick_ball/all/

 

TL;DR... Quote:

"Any host-based system that delivers the encryption engine to you each time you log in, and in which your keys reside on the server, you are never secure against the host."

 

By design; Our client doesn't trust the servers it communicates with. Also the encryption engine is only delivered via the application installers. Combining these make additional layer of security in Key application for cases where your network connections or the service itself could be compromised. In web browser you cannot achieve this.

 

-Juha

 

 

F-Secure
Status changed to: Discarded
Hey Teemu, thanks for submitting your idea, and participating in our Community! As per Juha's response, it seems that we will not be implementing this idea, as it does not meet with our security standards - so, I am changing the status to "discarded." Please keep the ideas coming! // Chrissy