Introduction of: The world first passwordless password manager using physical FIDO2 key


Password is so outdated but it is the most popularly used method of authentication. Trusting users to create passwords for different services has proved to be one of the weakest links in the process. The users, meanwhile, have universally rated the experience as negative. For enterprises having to deal with password breaches, users inadvertently use common passwords and passwords leak through social engineering; cost has been compounding.

The obvious solution is to automate the password creation process so a strong password with long string of alphabets, numbers and special characters can be created on-demand. The software should remember passwords for users too, since the remembering part is equally as hard as coming up with new unique passwords. Thus, from what we have just described, born the password manager. In reality, a password manager often come with a single login page, once you enter the master password, you can start using the service. Password managers often come with other nice-to-have features like auto-fill account and password fields on website; quick search, edit and save previously saved credentials.

This solution is of course not without fault. At the core of a typical Password Manager, is a master password must be created by users and presented every time users want to use the service. This created a worst-case scenario where someone steal their master password and every password stored inside the password manager. In a less severe case, software fault associated with the Password Manager introduces a new vulnerable link into the mix. High profile recent hacks have highlighted that those vulnerabilities are not just theoretical

  • In 2015, LastPass faced an attack that exposed email addresses and security information of users.
  • In 2016, plenty of security vulnerabilities were reported by white-hat hackers and security experts. Among the affected password managers were LastPass, Dashlane, 1Password, and Keeper. In most cases, the attacker would still have to use phishing to trick the user into revealing some data.
  • In 2017, OneLogin was attacked and customer data was leaked, user data stored in their US data centers was affected and vulnerability in the Keeper browser plugin was exposed, this vulnerability allowed hackers to steal any password from the vault.
  • In 2019, serious vulnerabilities were found in the code of Dashlane, LastPass, 1Password, and KeePass. This applied to Windows 10 users and only if the right malware was installed.

Some Password Managers add a second factor like OTP or biometrics to identify the legitimate users before letting them use the service. OTP has been demonstrated to be susceptible to interception by a third party through phishing and social engineering. Biometric passwords came with its own weakness: They are finite and you can’t change them – for examples, you only have a set of 2 eyes. You can’t replace them once its biometric has been replicated. There is no mitigation for this. That’s not to say they shouldn’t be used, but the risks should be understood.

At VinCSS, our tactic to solve above problems is: first, to eliminate 2nd factor OTP (which is highly user-unfriendly) and second, limit the master password exposure both in computer memory and through user interaction. We have built a password manager called VinCSS FIDO2 KeyVault to implement this tactic using FIDO2 HMAC Secret Extension. Imagine your FIDO2 key as a special vault for storing secret maps to treasure. If you failed to authenticated with the FIDO2 key, obviously you will not be able to retrieve any map. However, even if you successfully open the vault, there are infinite maps inside. Only when you communicate the correct ID number of the map to the key, through the legitimate channel, the vault would give you the correct map.  HMAC-Secret operates on the same principle, once you authenticated the FIDO2 key, sending a specific 256 bits to it will get you back a secret string of 256 bits. Building on this principle, VinCSS FIDO2 KeyVault “eliminates” master password from day-to-day user interactions, thus getting rid of associated risks from phishing, social engineering to self-leak master password or hackers collecting master passwords through malwares.

It’s time to take a look at how easy it is to use it! 

When open VinCSS FIDO2 KeyVault for the first time - or if you decide to create another Vault; all you have to do is enter the name of your Vault, and add at least one FIDO2 key.

The opening process is equally easy. You click the open icon to initialize the process, choose your registered FIDO2 key to login:

It is that simpleFurthermore, VinCSS FIDO2 KeyVault has hardening mechanism to protect your root secret and thus your Vault. First, the root secret is kept very briefly in memory - only the moment of open the Vault. Second, the function used for key derivation is a private instance method, which have elevated memory protection. These precautions make it very difficult to exact the root key, unless the attacker have full control over your computer including the timing of you authenticate the FIDO2 key.

In case the attackers managed to dump the memory of VinCSS FIDO2 KeyVault. High Security password is still protected as it need high security key to decrypt. This because the key can only be derived using your FIDO2 key and safe even if the opening password was cracked.

Conclusion: Here we are proud to present VinCSS FIDO2 KeyVault, a product we believe to be the first password manager to support logging in solely using FIDO2 key, to demonstrate FIDO2’s capability to better protect and shield the attacking surface of root key, making password manager more secure. Requiring physical or soft FIDO2 keys with biometrics to login, we increase the security since hackers not only have to take over the master password instead, they have to take over the FIDO2 key and authenticate with said key by user’s fingerprint.

For users, instead of having to remember the master password (which hilariously should be the problem a password manager should solve) they only need to touch/scan the fingerprint to authenticate with a FIDO2 key to login, all while having a better experience. The next question about the popularity of FIDO2 will be answered by Google and Apple in a near future, by their strong commitment recently on turning Android and iOS phones into FIDO2 keys!

The final goal is to completely eliminate password and OTP from the authentication equation.  However, this process will take time so why don’t we focus for the time being on making password and password manager more secure in this transition period?!

VinCSS, a startup in strong passwordless authentication from Vietnam, wish to work with any password manager vendor and partner, including researchers and software vendors to further apply this technology to general products and services. We want to thank FIDO Alliance and all of its members for tireless effort onward a passwordless future for billions of people all around the world.

Author: VinCSS R&D Center

VinCSS FIDO2 KeyVault support Windows and MacOS

Requirement: Any FIDO2 compliant security key.

Modes: A password entry can be either of:

·     Normal mode: You can view and edit after logging in KeyVault

·    HighSecurity mode: You need to reauthenticate with your FIDO2 key to view and edit.

Multikey support: Yes

Download: It can be download from here (

For any further inquiry, please contact sale information:

No comments:

Post a Comment