Password Managers vs heylogin

Passwordless Login Experience

For a passwordless login experience, until now companies could only connect their SaaS solutions with a Single Sign-On (SSO) service, such as Okta or Duo. This more than doubles the required software budget, well documented at sso.tax. Even if the budget is available, many websites do not support SSO functionality. For social media, government agencies, shopping portals and similar sites, only password managers remain as a solution. Solutions, like 1Password, LastPass and Dashlane require users to come up with a particularly complex master password that needs to be typed in regularly.

heylogin solves this problem. Although we are technically a password manager, we offer the login experience of a modern single sign-on.

Swipe-to-Login replaces Master-Password

Legacy password managers require users to remember and regularly enter a Master Password. A Master Password must be complex and kept private, as it is the single secret to all information. This allows attackers to guess the user's password by trying a lot of variations, called an offline brute force attack. To protect against these attacks, a second factor is required. Legacy password managers only provide these as an optional feature, which is rarely activated since it makes their usage inconvenient.

With heylogin, a Master Password is no longer necessary. Instead, we use the secure element present in modern smartphones to provide our "Swipe to Login". Secure elements are security chips that protect secrets against unauthorized access and brute force attacks. This makes heylogin two-factor secure by design because logins are protected by the smartphone (1. factor: posession) and the security mechanism on the smartphone itself (2. factor: PIN/bioemtric). heylogin is not just more secure, it's also easier to use.

Comparison of login solutions

Central access management
Instant synchronisation
2-factor security
Password sharing in teams
Works with all websites
Confirm with your phone
Protected with security chip
Passwordless: no Master Password
Hosting & Development in Germany
Monthly costs for 70 user
System solution
1
3
Vendor lock-in
Single Sign-On (SSO)
5
~6 € · 70 user
+ Costs of web services · ~200% · 70 user
Cost increase of all web services due to enterprise upgrades. More details on www.sso.tax
Password Manager
2
4
~6 € · 70 user
420,00 €
~5 € · 70 user
350,00 €
Central access management
Instant synchronisation
2-factor security
Password sharing in teams
Works with all websites
Confirm with your phone
Protected with security chip
Passwordless: no Master Password
Hosting & Development in Germany
Monthly costs
~5 € · 70 user
350,00 €
Password Manager
2
4
~6 € · 70 user
420,00 €
SSO Solution
5
~6 € · 70 user
+ Costs of web services · ~200% · 70 user
Cost increase of all web services due to enterprise upgradesMore details on www.sso.tax
System solution
1
3
Vendor lock-in
1) System solutions are primarily designed for individual users and not for user management in companies.
2) Dashlane and LastPass only synchronize with a delay or when updating via button. KeePass must be synchronized manually.
3) 2-factor security in system solutions is either not available or only works if smartphones of the provider are also used.
4) Conventional password managers are only protected with a master password (knowledge) by default. Factors of possession and biometrics are optional and result in a degraded user experience.
5) SSO solutions are only passwordless when properly configured or when using modern solutions (e.g. Hypr).
*All prices plus VAT

Comparison of the safety architectures

Highly simplified representation of the LastPass architecture

LastPass security

The master password is the one factor in LastPass that is actually used for end-to-end encryption. It is important to note that the master password is chosen by the user. This means that it is not perfectly random, but patterns are created by the human mindset.

Key Stretching

From this master password, a key is derived by key stretching, which is used for the end-to-end encryption of the vault. In the case of LastPass, PBKDF2 is used with 100,100 iterations. This encrypted vault is then synchronised with the cloud.

2-Factor Authentication (2FA)

2FA mechanisms, which can be optionally set in LastPass, are an additional protection when accessing the cloud infrastructure. 2FA is not part of the end-to-end encryption.

From the point of view of the attacker

The LastPass attackers gained access to the cloud infrastructure and bypassed the protective mechanisms of the LastPass employees. This enabled them to steal the encrypted vaults and are now trying to decrypt them.

Why is 2FA useless?

The attackers managed to gain access to the cloud storage. They probably also had to overcome the 2FA mechanisms of the LastPass employees. Now that they were able to steal all encrypted vaults, the individually set 2FA mechanisms of the customers are useless, as the vaults can now be cracked "offline".

Offline Brute Force Attack

The attacker can try through an extremely large number of possible master passwords automatically. The only thing that slows down this attack is the key-stretching function. This is what these functions were designed for, but they have to be adapted regularly because the attackers also have better and better hardware. Unfortunately, PBKDF2 is outdated with 100,100 iterations. Currently, either 600,000 iterations are recommended (OWASP recommendation) or even better Argon2, which has been standardised by cryptologists since 2015. With a 12-digit master password chosen by the user (sic!), the average cost to the attacker is assumed to be 100 USD.

Offline brute force attacks of the attacker
Highly simplified representation of the heylogin architecture

The solution

1Password has introduced the "Secret Key" as a solution as another factor besides the master password. They recommend printing this random string because it is needed when setting up new devices and it must not be lost. Of course, this leads to a worse user experience, poorer user acceptance and an increased support workload.

No Master Password

At heylogin, we completely dispense with a master password chosen by the user. Instead, we generate the key for end-to-end encryption directly in the smartphone's security chip. This key is directly 256 bit secure, perfectly random and contains no human patterns.

2-factor secure end-to-end encryption

Security chips in smartphones must be unlocked by the user when used. This is done by fingerprint, face unlock or PIN. The number of incorrect attempts is limited, so that one cannot, for example, try through an infinite number of PINs. An attacker must therefore not only physically steal the smartphone (1st factor), but also unlock the security chip with a 2nd factor. That alone is extremely difficult and the attack does not scale, since an attacker would have to steal and crack quite a few smartphones.