Can't find the answer to your question? Feel free to contact us at hello [you know it] keyn [dot] app.
Keyn is a new way to log in to websites. It consists of a mobile application and a browser extension that communicate with each other over an end-to-end encrypted channel.
Instead of typing in your username and password on a website, you log in by authorising a request on your phone. This sends your username and password to the browser, which fills them into the right form fields.
Since you don’t need to remember your username and password anymore, you can just as easily use randomly generated passwords, which are long and complex. This makes using Keyn more secure as well.
Our dependency on the internet is steadily increasing, but so is the number of accounts that we have. While it would be quite convenient to use the same username and password for each of these accounts, this is not very secure.
If one of these websites gets hacked and their data leaks, evil hackers may obtain your password and use it to access all of your other accounts that are secured with the same password. Since we have little influence on how well these websites protect your data, the one thing we can do is use strong passwords that are unique per website. But who can remember hundreds of complex passwords?
We developed Keyn so you don’t need to think about this. By storing the passwords on your phone, you can simply log in by authorizing a login request with the biometric authentication mechanisms your phone has, like a fingerprint scanner or face recognition. Since you don’t need to remember the passwords anymore, you can just as easily use randomly generated passwords, which are long and complex.
The idea is that Keyn makes logging in easier, because you don’t need to think about passwords anymore, and more secure, because you can use a unique and strong password for each website.
You should use Keyn if you agree with this ;).
After installing the Keyn browser extension, some cryptographic keys are generated and put into a QR code. When you scan this QR code with the Keyn app, it uses the keys to set up a secure channel between the app and the browser extension. The contents of all messages that are sent on this channel can only be decrypted by the phone and the browser extension.
When you send a message from the browser extension to the app (for example, a login request), the server sends this to the phone as a push notification. The response is sent back by putting it on a message queue, which the browser extension keeps checking for a few minutes after a request has been sent.
We call the process of connecting an app to a browser extension pairing. You can pair one app with as many browsers as you want, but a browser can only be paired with one app at the same time.
The main security advantage that Keyn offers is the change it delivers to the attack model. The target for hackers is usually the website. If a cybercriminal is able to gain access to a website, he can obtain millions of username/password combinations at the same time. These are usually hashed, which means he still needs to do some cracking to actually obtain the passwords, but if the password is easy to guess or not long enough, this usually succeeds within a few days.
With Keyn, it is much easier to use long and complex passwords, because you don’t need to remember them anymore. This means your password is much less likely to be cracked. And even if it is, the damage is smaller, because you only used that password for that particular website.
Since Keyn only stores the passwords on your phone and not in the cloud, this means an attacker would have to hack your phone to gain access. Modern smartphones are not unhackable, but they are pretty secure and most known attacks require physical access to the device. This means that in order to obtain a list of millions of username/password combinations, an attacker now has to hack millions of phones he has physical access to, instead of one website remotely.
That said, we also want to be honest about security. We do not claim that Keyn is unhackable (you shouldn’t believe anyone who claims that anyway).
We do promise that Keyn has been designed and developed with security as one of its core values, and that we will continue to do so in the future.
We also promise to be transparent about our security and inform you if your data is or has been at risk.
If you are interested in the technical details of Keyn’s security, you can read Bas’ primer about the security of Keyn.
When you have Keyn installed, you must make a paper back-up by writing down 12 words. These words represent your unique and randomly generated seed.
All your passwords are derived from this seed using a deterministic algorithm. This sounds fancy, but it just means that you will always be able to regenerate your password if you have the recipe (the algorithm), the ingredients (the websites you have an account for, your usernames, and the number of times you changed your password; these are encrypted and stored on Keyn’s server, so you don’t need to remember them) and the secret ingredient (the seed).
If you enter the seed (the 12 words of the paper backup) on a new phone, Keyn will regenerate all your passwords for you.
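The recipe/ingredients/secret-ingredient idea above, shown as an added, constructed example (not Keyn’s own algorithm): the 12 backup words are stretched into a seed, and each password is derived from that seed plus the site, username and change counter, so a new phone holding the same words regenerates the same passwords. The KDF choices, the salt strings and the character alphabet are assumptions for this illustration.

```python
import hashlib
import hmac

# Alphabet used to turn derived bytes into password characters (assumption).
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*"

# Constructed 12-word paper backup for the example (not a real Keyn seed).
EXAMPLE_MNEMONIC = ["apple", "river", "stone", "cloud", "lemon", "tiger",
                    "ocean", "piano", "maple", "comet", "raven", "delta"]


def seed_from_mnemonic(words: list) -> bytes:
    """Stretch the written-down words into a 32-byte seed (PBKDF2 is an assumed choice)."""
    if len(words) != 12:
        raise ValueError("paper backup must contain exactly 12 words")
    phrase = " ".join(w.strip().lower() for w in words).encode()
    return hashlib.pbkdf2_hmac("sha256", phrase, b"example-seed-salt", 100_000, dklen=32)


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with HMAC-SHA256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), "sha256").digest()
        out += block
        counter += 1
    return out[:length]


def derive_password(seed: bytes, site: str, username: str, version: int, length: int = 20) -> str:
    """Deterministically derive the password for (site, username, change counter)."""
    if version < 0:
        raise ValueError("version is the number of password changes and cannot be negative")
    # HKDF-Extract with a fixed, labelled salt; the seed is the only secret input.
    prk = hmac.new(b"example-password-derivation", seed, "sha256").digest()
    info = b"\x00".join([site.encode(), username.encode(), str(version).encode()])
    raw = hkdf_expand(prk, info, length * 4)
    # Rejection sampling keeps every character equally likely over ALPHABET.
    limit = 256 - (256 % len(ALPHABET))
    chars = [ALPHABET[b % len(ALPHABET)] for b in raw if b < limit]
    if len(chars) < length:  # practically impossible with 4x oversampling, but never return a short password
        raise RuntimeError("not enough accepted bytes; increase the expansion factor")
    return "".join(chars[:length])


def restore_on_new_phone(words: list, accounts: list) -> dict:
    """Rebuild every password from the backup words plus the stored (site, username, version) list."""
    seed = seed_from_mnemonic(words)
    return {(site, user): derive_password(seed, site, user, ver) for site, user, ver in accounts}
```

Changing only the version counter yields an unrelated password, which is why the number of password changes must be stored alongside the site and username.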
Unlike most password managers, you don’t have a master password that you use to encrypt all your passwords. And unlike other password managers Keyn does not store your sensitive data in the cloud. Keyn offers you a secure and user-friendly solution to login on every website.
Your passwords are securely stored on your mobile phone only.
In order for the back-up to work correctly, Keyn stores the following information:
- Websites users have an account for
- Number of times a password has been changed
Yes, of course. You can always open the Keyn app and copy the password and then paste it on the website.
On iOS 12.0 and later, you can set Keyn as a password provider. This allows iOS to retrieve passwords from Keyn after authorizing it.
Yes, you can use both TOTP and HOTP codes with Keyn. For now you have to type them over like with most other 2FA apps, but in the future we will add the functionality to fill them in automatically.
Currently, Keyn works for Google Chrome and Mozilla Firefox. We’re working hard on Safari and Edge plugins as well.
You can add a new account to Keyn by logging in on a website as you’d normally do. If you have the Keyn browser extension installed, it will ask you if you want to add your account to Keyn.
Just authorize the request to add the site on your phone with your fingerprint and you’re good to go!
You can also add an account manually from the browser extension menu or in the app.
Yes, you can view your credentials for every account in the Keyn app.
If you save your login data in Google Chrome, it may cause a conflict when you use Keyn, when both try to fill in your credentials. Therefore, we recommend that you disable the password auto-fill option in Google Chrome.
- Click the Chrome menu in the toolbar
- Select ‘Settings’
- Under Auto-fill, click ‘Passwords’
- Turn off ‘Auto Sign-in’
On this setting page, you can also delete already saved passwords.
Normally, the security model of iOS or Android does not allow apps to read data of one another. When a phone is jailbroken or rooted, this security measure is removed. Additionally, the device becomes more vulnerable to malware infections.
Since all your passwords are stored on your device with Keyn, the security of the OS is of vital importance to the security of your passwords. Use Keyn on a jailbroken or rooted device at your own risk!