Password managers are becoming more and more of a hot topic nowadays. We live a lot of our lives online and that requires a growing number of accounts and identities; yet with multiplying security risks and hacks popping up left and right, it’s crucial to use a password manager to stay on top of your login details. Most managers fall in one of two categories: the cloud solutions like LastPass, 1Password, and Dashlane, or the local solutions with a cloud backup option like Enpass (my personal favorite) or SafeInCloud or Keepass. Myki straddles the line between the two, being neither this nor that, but having resemblances to both, plus some very unique attributes that make it intriguing… very intriguing.
The easiest way I can describe Myki is that it’s a password manager that works like WhatsApp. Kinda. Your identity resides on your phone, not in the cloud or on your computer, and it’s linked to your phone number first and foremost. When you download the app, you’re asked to sign in with your phone number, and any other subsequent installs require that same phone number to authenticate you — there’s an option to migrate to another number though. This is the first encryption barrier. The second barrier is a pincode that you set up upon the first install as well, and which can be sped-up by using fingerprint authentication instead.
Myki works on Android and iOS, and the browser extension can be installed on Chrome, Firefox, Safari, Edge, and Opera. However, your data remains on your main phone. This device acts as the master from which all others must request access. For the browser extension, this means scanning a barcode upon first install to get part of the data over (account names, URLs, usernames) and subsequently granting it password access on a login-by-login basis. For other smartphones (multiple device support is in beta now), this means also scanning a barcode and then trusting a new device to have access to the original’s data, syncing between the two, but still treating the first as the master.
There’s no cloud storage anywhere, your data is locally saved, your backups are locally saved too, and the only things being transmitted over the ether are the little end-to-end encrypted packets needed to keep your data in sync and to grant/deny access to passwords.
The implications of such a strategy are difficult to comprehend, and to be frank, I’ve been using the app on and off for months and I still don’t feel very comfortable explaining how things are done in the background. Having used other password solutions in the past, I also come across some situations where I either marvel at how difficult it must be to accomplish feats without the benefit of cloud storage, and other situations where I’m frustrated because I feel like I’m jumping through hoops due to this limitation.
Setup and first use
When you first launch the Myki Android app, you’re greeted with a short onboarding that explains how the app works, then taken to a screen where you have to input your phone number. After receiving the activation code via SMS, you have to create your 6-digit pincode, which you can later bypass with your fingerprint authorization. You’re then asked to install the browser extension, though you can skip that step and work solely on your phone. (Sorry for the lack of screenshots: Like all password managers, Myki doesn’t let you take any screenshots by default, and you can’t force-enable it until you’ve fully set up the app.)
If you choose to install the extension right away, you will need to approve it by scanning an ever-changing barcode. Then you’re given the option to import logins and passwords from .csv files (which is how apps like Lastpass, 1Password, Dashlane, and others let you export your data) or from Chrome. With the latter, you can go the .csv route, but if you’d rather not bother with it, Myki will scan your passwords from chrome://settings/passwords and offer to import them. I opted for the latter, and the import process was easy, letting me choose which items I wanted to bring over and dismiss the ones that were old or unused.
Once your accounts are imported, they sync over to your Android phone, which is where they’ll primarily reside.
Your entry into the Myki app is under the protection of your fingerprint or pincode. Prepare to see this screen very often as you first start using the app, because there’s no timeout period. Anytime you switch out of Myki, even if for a brief second, you have to re-authenticate. This isn’t a bad thing per se, but it frustrated me a lot as I’m used to setting up a 1-minute timer on Enpass, so that I don’t have to keep on scanning my fingerprint when I’m jumping in and out of the app.
Passwords, 2FA, credit cards, secure notes
Once inside, the Myki app has four important sections on the bottom, but the first one is where you’ll probably spend most of your time. It’s the items section and comes with four upper tabs for passwords, 2-factor authentication, credit cards, and secure notes. Unfortunately, Myki doesn’t yet support more granular types of items, like addresses, WiFi passwords, ID cards and passports, bank accounts, licenses, and others. I’m told more flexibility is coming soon, but you’ll have to use the secure notes format to store that kind of information for now.
Passwords are sorted alphabetically by account name. The username (blurred in my screenshots) is displayed in grey below each one, to make it easy to differentiate multiple accounts on the same service. You can search through the list, which also works if you search for a tag (second screenshot below shows a search for the tag “home”), as well as multiple select items to delete or share them. We’ll get to that later.
Adding a new item offers a list of popular websites, but you can still type any account/website name you want and create it. By default, Myki will grab the website’s logo and show it as the image, even if it’s not in the default database, and color-match the upper section to it. You get a limited selection of fields to fill: account nickname, username/email, password with an auto-generate option, website, profile, tags, and additional info where you can put any notes you need to keep in mind.
Once saved, the password is hidden and you’ll have to hold to reveal it. For every item, there’s a sharing tab and a settings tab where you can set up 2-Factor Authentication (2FA).
You can add 2FA details to any account in its own view, or you can switch over to the dedicated top tab where you get a list of all your set 2FA details. The code shows up next to each one, and there’s a neat bar on top that animates from green to orange and then red to indicate when the code is about to expire.
This same color scheme can be found if you look at the 2FA box in the item’s view. It goes green, orange, and red. If you see the latter two, you better wait and grab a fresh code when it’s green again.
Credit cards are also presented in a very visual manner with the entire card on display, including the last 4-digits, owner’s name, and expiry date. Adding a card lets you input all this data, including the CVV, and additional notes.
The overall design and interface of the app are quite impressive. The black color makes for a neat contrast with the bright colors of the logos and everything is smooth. Swiping, scrolling, switching between sections, it’s all quite responsive and very well done.
Extensions and devices
Moving on to the second bottom section, this is where you’ll find your connected extensions and other Android devices (the latter is still in beta testing). Since your phone is the main device, you can disconnect any of these secondary ones from here, you can also set specific computers as trusted. That means they will automatically get approval for every login request, so you don’t have to manually keep granting them access.
Account and Inbox
The last section is where you’ll find more of your account details and other options and settings, like Android autofill, backing up/restoring items, changing the phone number associated with your Myki account, and more. There’s also a live chat section where you can directly speak to a Myki rep.
This is also where you can quickly check the permissions you’ve given to Myki and have a look at your Security Dashboard to see weak and reused passwords.
One final aspect of the app interface is the Inbox, which you get to by tapping the profile icon on the top left of the main app. You might not use it often, but this is where you can switch profiles, check a history of all the changes and actions you’ve made, and view your notifications for shared items.
The second side of the Myki coin is the browser extension. Once authorized by scanning the barcode, you’ll be greeted with a similar interface to the Android app with your passwords, cards, notes, and an extensive list of settings.
You can tap any item to view its details, but the password isn’t stored on the browser. Any time you want to view it, a request will be sent to your phone where you have to manually grant access — unless you’ve set up this particular computer as trusted, then the process will be automated.
And finally, there’s a super list of options and settings for the entire extension, which let you force a lock and/or disconnect when you exit the browser, choose how long the prompt to save new logins stays visible, automatically submit the login details after filling them up, enable the 2FA notification, and more.
There’s a lot to unpack here and I have yet to find a use case that doesn’t seem appropriately served by the settings above. It’s neat to think “I wonder if this can be customized,” then look and see there’s already an option for it. But perhaps the most important aspect for the security-conscious users here are the top options which disconnect and lock the extension when you exit the browser, and can even log you out of the sites you were already signed into.
With the way Myki is set up, it’s tough to imagine how the service could provide backups and sharing. But the options are there nonetheless — a quasi-miraculous feat if you ask me. You’ll just have to adjust the way you think about them.
Backups and restores can be performed on the phone or on a computer, but you absolutely need the phone’s approval in either case. Even if your browser is trusted, that’s not enough to perform a backup there, you’ll need to scan a barcode from your phone to grant it access. Backups create an encrypted .myki file that gets saved locally, but you won’t be able to restore it on your phone or browser unless you’re signed in with the same account (ie. with your verified phone number).
As for sharing, it’s quite easy once you remember that accounts are phone numbers here. Want to share with someone? All you need is their phone number and Myki will make sure only they receive the details you shared (data is also end-to-end encrypted there). Beyond that, it’s a straightforward affair where you can share one or multiple items, let them see the password or not, revoke access when you want, and see a whole list of the items you’ve sent in the sharing center (third bottom section). Any change you make to an item will be synced over to the other users, so you don’t have to worry about sending them the details again.
On the recipient’s side, sharing is seen as a notification they have to approve (either on the bottom menu or through the notification center). Received items show in the regular list with their passwords and credit cards and notes, but they display an icon with the initials of the sender on top of the logo. It’s a nice way to see you’ve been given access to a password, but don’t own it. Recipients can also open to see the details, but the password can’t be revealed unless you’ve approved it.
How it all works
Using Myki on your computer sometimes feels like magic, especially when you consider that none of the data is saved there or accessible via the cloud. Say you open Twitter on your browser and get to the login page. You will see a Myki owl logo next to the username and password boxes. Tapping it shows all the corresponding account(s) you can sign up with. Pick one and it transforms into a message, “Approve login request on your Android device.”
A notification pops up on your phone asking you to grant it access, which you can quickly accept or reject. If you have a Wear OS smartwatch, you can easily grant these requests from your wrist, which is something I found myself preferring. When you accept, the password is immediately sent to the browser, which autofills the data and logs you in automatically.
If you have 2FA set up for a website, Myki will grab the token and show it in a small notification on your browser. It will also autofill it for you, if you have that option enabled, so the only thing you have to do is tap “submit” and presto, you’re logged in.
The first time you try to do this, it might take you a minute to understand what’s happening, but after that, the entire process barely requires more than a second or two. If you decide to trust a certain browser, everything is also sped up because you don’t need to request/grant access every time, it’s all done in the background without your manual intervention.
The browser extension also plays a role when it detects you signing into a new site. It offers to add the account to Myki with the details pre-filled, so all you have to do is make sure everything is correct and save it.
Any change you make in the chrome extension is automatically synced and saved on the main database on your phone, and you also get a notification on your phone telling you which item was edited.
On the Android side, autofill is also supported, though Myki can’t fill out your 2FAs for you just yet — this needs to be enabled by Google with Android’s APIs. One small difference I noticed versus Enpass is that you have to tap and hold on the text field to trigger the Autofill option. With Google login and Enpass, it’s usually a single tap. But once you see the option, you just have to select “Autofill with Myki” then the account you want to log in with. It’s fast and works as expected.
Should you use it?
You should at least try it. The idea of having part of your identity tied to your phone number is scary, let alone an entire database of usernames, passwords, credit cards, and personal data. The mere thought of trusting something like this to a single file on my phone is, to be honest, terrifying. But with backups and exports available, I can rest just a little assured that things are safe in some other form.
Myki does quite well with its self-imposed local/offline restriction. Most features you would expect from a good password manager have been implemented, even ones that afford you a convenience you would only expect from a cloud solution (sharing to other users, specifically). There’s autofill on the browser and Android, integrated 2FA authentication, a password generator, a built-in audit for your old and reused passwords, backups/restores and exports, and multiple device support for Android is on the way. There are also some delightful features like the direct import from Chrome, the beautiful 2FA integration, and the option to disconnect and log out of everything automatically when you end your browser session. And then there’s Myki for teams, an aspect I haven’t touched on because it requires your organization to sign up for the service.
The best part about Myki, however, is that it’s free. There are IAPs for custom tags, account images, profiles, and fields, costing $2.99 apiece or $9.99 total, but these are very specific features that I have yet to want badly enough to pay for them.
Over the past months that I’ve dabbled in and out of Myki, the Android app has grown a lot, adding much needed features and becoming more and more usable with time. There’s still a lack of feature parity with its iOS counterpart, though — I’m told this should be reached soon. Plus, I’d like more item categories for IDs and bank accounts, better backups and restores that don’t nuke my shared items to the ground, an archive for old or unused items, and maybe the option to share a list of contacts or bookmarks (because Google and Android are silly enough to not let me do this easily).
But perhaps the one thing standing in my way of using Myki fulltime is that when it comes to password management, there’s solace in the familiar. I’ve been using Enpass for several years and I know how it works, its features, and its shortcomings. With Myki, I keep wondering, what happens if I delete the app or move to another phone without making a backup, or what if my phone number gets stolen and I can’t authenticate anymore? I’m sure there are answers to those questions — or at least they’re on the roadmap for the service — but I’m not 100% willing to give it my trust just yet, especially when there’s some obscurity regarding these issues.
So for the moment, Myki stays on my phone as a second option to password management. It’s quite tedious to keep both its database and Enpass’ up-to-date, but at least I have another option should one of them go kaput in the night.