So, you’ve installed a password manager and replaced all of your lame and duplicate passwords with strong, unguessable ones.
That’s a good start. Now you need to think about what protects that treasure trove of stored passwords.
A lone master password just isn’t enough. You need additional authentication factors to keep those passwords secure.
True Key by Intel Security (2017) places more emphasis on multi-factor authentication than just about any competitor, and it works across Windows, macOS, Android, and iOS.
You can install True Key and use it completely without cost, if you don’t need to store more than 15 passwords. Once you hit that limit, you must pay $19.99 per year, which isn’t bad.
Sticky Password costs $29.99 per year; Dashlane and LogMeOnce go for $39.99 per year.
At $12 per year, LastPass 4.0 Premium costs less than True Key, but not by a huge amount.
Anybody can go to the True Key website, download the app, and start using it immediately.
During the process, you do have to create a master password of at least eight characters. You’re encouraged, but not forced, to either use all character sets or create a lengthy passphrase, with spaces permitted.
Once the app is installed, it prompts you to install browser extensions for Chrome, Internet Explorer, and (new since my last review) Firefox.
An extension for Microsoft Edge is available, but it must be installed directly from the Store.
For Chrome, Firefox, and Internet Explorer, the extension communicates with the True Key app.
Edge doesn’t permit that, so the Edge extension is basically a recreation of the app itself.
True Key works hard to ease you into password management.
It starts by displaying a list of over two dozen popular websites and encouraging you to add one as a login. When you click an item, it opens that page in the browser and displays a popup explaining that all you need do is log in as usual.
Intel’s app also walks you through the process of clicking a saved item to automatically revisit the site and log in.
Once you’ve used the product a little, it suggests that you add another authentication factor.
The PC I used for testing has a webcam, so it suggested adding facial recognition.
Basic Password Management
True Key does all of the basic password management tasks you’d expect.
It captures your credentials when you log in to secure sites, plays them back if you revisit such sites, and lets you visit and log in to a site with one click.
If you’re creating a new account, it notices, and offers to generate (and save) a secure password.
By default, it creates 16-character passwords using all character types—the resulting passwords are plenty tough.
This utility doesn’t just assume that every login was a success.
If its algorithm indicates a high probability that the login worked, it saves the credentials but gives you an option to never save this site, or to skip saving it once.
But if it’s not sure, it instead asks you whether or not to save credentials.
It’s a subtle touch, and a nice one.
Most secure websites follow the same standards for the login page, which makes the job of a password manager easier.
Some, though, go wildly off-standard. LastPass and Sticky Password Premium handle weird logins by letting you enter all the data and then capture every field on the page. LogMeOnce works from a catalog of almost 4,500 known websites.
True Key handles oddball logins in its own way.
If it can’t properly capture login credentials, it sends a report to its masters at Intel for analysis.
They aim to update True Key to handle that site (both for you and for all other users) within 24 hours.
You can also import passwords stored insecurely in your browsers.
If you choose to do so, True Key clears them from the browser and turns off the browser’s password capture facility.
There’s also an option to import from LastPass or Dashlane 4. New since my last review, you can export True Key’s data in the JSON data exchange format.
There aren’t a lot of settings to worry about, but you’ll definitely want to change one of them. Like Zoho Vault, RoboForm Everywhere 7, and most other password managers, True Key logs you out after a period of inactivity.
But unlike most others, the default for this period is a full week! I strongly recommend setting it to no more than 30 minutes.
Furthermore, you should note that this is a per-device setting, not global to your account.
You can save any number of free-form color-coded secure notes.
There’s also a Wallet feature that lets you save address, credit card, driver’s license, membership, passport, and social security number data, with appropriate data fields for each type. You can create as many of these as you want, and color-code them. However, you can’t use them to fill in Web forms the way you can with LastPass, Password Boss Premium, and most for-pay password managers.
True Key sticks to the basics.
It doesn’t have the actionable password strength report or automated password changing ability you find in LastPass, Dashlane, and LogMeOnce Password Management Suite Ultimate.
The company tells me that this feature is planned for the next edition. You can’t categorize, group, or tag your saved logins.
There’s no secure sharing of passwords, or password inheritance, either.
But what it does do, True Key does well.
True Key’s real strength lies in its ability to use multiple factors for authentication. Right from the start, you can require both the master password and a trusted device.
Any attempt to log in from another device requires additional authentication.
For example, when I installed it on an Android device, it asked to verify using facial recognition.
You can add other factors on the My Factors page. Your trusted email account is automatically available for verification.
If you wish, you can enhance facial recognition so it requires you to turn your head from side to side.
That’s so that nobody can log in using a photo of your face.
And you can require authentication using a second device, typically a mobile device.
The second device receives a request for authentication, and you simply respond by swiping, much like the Keeper DNA feature in Keeper Password Manager & Digital Vault 8.
At the default Basic security level, you choose from a subset of these possibilities. You can’t deselect Trusted Device; that’s a given.
To that, you add either master password or face-based authentication.
If you raise the security level to Advanced, it adds the option to use a second device.
At this level, you must choose exactly two factors besides the trusted device.
I tried choosing all three and was baffled when it wouldn’t let me save my settings.
The security level and authentication choices are specific to the device you’re using.
If you want to always use Advanced authentication, remember to change that setting on each new device.
If you’ve gone out without your second device, or if it’s too dark for face recognition, never fear. You can choose to use a different factor, such as email verification. On iOS devices you can use Touch ID as a factor. New in this edition, fingerprint verification is available for certain Android devices, but only those whose fingerprint readers meet Intel’s criteria for accuracy.
When you use the Edge extension, you get another option for authentication, Windows Hello.
This is the same feature that lets you log into your Windows account using face recognition, fingerprint authentication, or a PIN on a trusted device. Which of these are available depends on the capabilities of your PC. My very new but low-end Windows 10 all-in-one has a lovely camera, but not lovely enough for Windows Hello to use it.
New since my last review, True Key can use a PC-installed fingerprint reader for authentication.
It also supports Intel’s RealSense camera technology, and can protect its data using Intel’s SGX (Software Guard Extensions) on CPUs that support it. (Being part of Intel pays off.)
True Key doesn’t attempt to pull in every possible authentication factor.
Dashlane, LastPass, and Keeper support Google Authenticator. Keeper, LogMeOnce, and Zoho Vault can send a one-time password via SMS. LastPass, LogMeOnce, and Sticky Password can modify a USB drive so it serves as an authentication factor.
But really, True Key’s choices for multi-factor authentication are well thought out, and work well together.
Kill the Password!
LogMeOnce lets you create your account without ever defining a master password, using a variety of other factors instead. With oneID, you can’t create a master password even if you want to; it relies strictly on authentication using a trusted device.
True Key requires a master password to get started, but you can go passwordless quite easily.
At the Basic security level, you can authenticate using your face, not a master password.
If you wisely choose Advanced, you can authenticate with face recognition and a second device.
Password managers that do rely on a master password usually offer a warning that if you forget that password, they can’t help you. (That also means they can’t be compelled to unlock your account for the NSA, which is a plus.) Intel can’t unlock your account, or tell you the master password you forgot, but as long as you’ve defined enough other factors, True Key lets you authenticate with those and thereby reset the master.
If someone else tries to reset the master password, you get an email alert, with an option to lock password recovery for a day.
Three failed tries triggers that lock automatically.
I did my desktop testing on Windows, but True Key is equally at home on a Mac. You won’t get the option to log in with Windows Hello, of course, but other than that the experience should be almost the same.
All of the same features and abilities are available in the Android and iOS apps, but laid out appropriately for the mobile form factor. New with this edition, you can configure mobile devices to use three authentication factors. On iOS, True Key installs as a Safari share-box extension, just as LastPass and Dashlane do. On Android, it offers instant login for Opera and the native browser.
You’re not likely to lose a desktop computer, but it’s awfully easy to misplace a mobile device.
If someone else gets hold of your device, the multi-factor authentication system should be able prevent them from accessing it.
To make it even tougher for a thief, you can remotely remove the device from the trusted list.
Every successful modern password manager syncs passwords across all your devices.
True Key by Intel Security goes a step further, involving those devices and your biometric data in the authentication process.
It’s easy to set up, easy to use, and attractive.
If only it also had the advanced features that grace its competitors, it would be even better.
LogMeOnce Password Management Suite Ultimate also offers many different authentication factors, but just two at a time.
It’s even more feature-packed than long-time favorite LastPass 4.0 Premium. With Dashlane 4 you get all your password management needs in a slick package that’s as attractive as True Key’s.
These three are our Editors’ Choice commercial password manager.
But if your main concern is multi-factor authentication, True Key has them all beat.