
1U Password Manager Review

September 7, 2018 by Infosec

Take a moment and think about how many different passwords you use. Most of us have Google, Facebook, and Twitter accounts. Hopefully, your user accounts on both your home and work PCs are password protected. It’s probable that you use your Google, Facebook, and Twitter accounts to authenticate with many other websites, via OAuth. It’s possible you have WordPress, LinkedIn, and Tumblr accounts. You may also have passwords for applications you use at work, and passwords for online games and gaming services such as Steam, PlayStation Network, and Xbox Live. If the internet is as big a part of your life as it is of mine, you probably have at least a dozen.

For optimal security, passwords should be as long as possible. They should also contain a combination of upper and lower case letters, numbers, and special characters. Avoid using real words, in any language: a dictionary cracker can draw on wordlists with millions of entries, and the mangling rules that apply l3tt3r-numb3r substitution, just like so, are standard in those tools. Rainbow tables (precomputed lookups for unsalted hashes) and brute-force crackers also get through short or simple passwords quickly. So, passwords like gardenia_flowers and ims0smart should be avoided, and random passwords like 4)bn@_&6HbW! and cV73*&Z75!cY are a lot more secure (though not those two specifically, since they are now published examples).
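To show why the two "bad" passwords above fall so quickly while the random ones do not, here is a small dictionary attack with leet-substitution mangling rules, written for this page rather than taken from any cracking tool. The wordlist is constructed for the demonstration and the LEET table is an assumed subset of the substitutions real rule engines (hashcat, John the Ripper) apply. The keyspace estimate shows the trap: ims0smart looks like a 46-bit brute-force job by character classes, yet the dictionary attack recovers it in well under a million guesses.

```python
import itertools
import math
import string

# Constructed wordlist for the demonstration; a real cracker's list has millions of words.
WORDLIST = ["gardenia", "flowers", "smart", "im", "so", "password"]

# Assumption: a small subset of the letter-to-digit substitutions that
# cracker rule engines apply to every word in the list.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}


def leet_variants(word):
    """Yield word with every combination of substitutions applied or not applied."""
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for apply_sub, pos in zip(mask, positions):
            if apply_sub:
                chars[pos] = LEET[chars[pos]]
        yield "".join(chars)


def candidates(wordlist, max_words=3, separators=("", "_")):
    """Yield guesses: one- to three-word joins, each expanded with all leet variants."""
    seen = set()
    for n in range(1, max_words + 1):
        for combo in itertools.product(wordlist, repeat=n):
            for sep in separators:
                for guess in leet_variants(sep.join(combo)):
                    if guess not in seen:
                        seen.add(guess)
                        yield guess


def crack(target, wordlist=WORDLIST):
    """Return how many guesses the dictionary attack needs, or None if it never hits."""
    for count, guess in enumerate(candidates(wordlist), start=1):
        if guess == target:
            return count
    return None


def keyspace_bits(password):
    """Brute-force search space implied by length and the character classes present."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(max(alphabet, 1))


if __name__ == "__main__":
    for pw in ("gardenia_flowers", "ims0smart", "4)bn@_&6HbW!"):
        print(f"{pw:18} keyspace ~2^{keyspace_bits(pw):.0f}  dictionary guesses: {crack(pw)}")
```

The random 12-character password never appears in the candidate stream, so an attacker is pushed back to the roughly 2^79 brute-force space; the two word-based passwords are found after a few hundred thousand guesses at most, which a GPU cracker covers in a fraction of a second.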

The problem is the human element. More complex passwords are tougher to crack, but a lot more difficult to remember. Plus, each service you authenticate with should have a unique password, so that if one account is cracked, the others are still protected. Also, you should periodically change your passwords, such as once every three or six months (current NIST guidance in SP 800-63B drops scheduled rotation in favor of changing a password whenever there is evidence it has been compromised, but reuse across services remains the bigger risk). That’s where I’m weak. Even though I’m an information security professional, I’m still a human being who manually authenticates into my various online accounts. So, I do have complex passwords, but I was cycling through the same three for everything.

But now that I’ve given 1U’s password manager a try, I’ve broken out of my poor password habits.

There have been password managers available for mobile devices for years, such as LastPass and 1Password. But I was reluctant to use them, because they protect your accounts with one master password. I assume they lock out after five or so failed authentication attempts, which mitigates brute-force password crackers. But still, if your one master password gets cracked, it’d give all of your other passwords to an attacker. That one point of vulnerability made me nervous, especially since I’ve had practice using crackers like RainbowCrack and Brutus.

What’s different about 1U’s brand new password manager app is that it uses biometrics instead of a master password. Facial recognition is the primary factor, and fingerprint scanning can be added on top of it for website logins where you’d like extra protection.

1U is now available for iOS and Android. To use the iOS version of the app, you need an iPhone 5 series or iPhone 6 series device. For the Android version, you need at least Android 4.2, at least a dual-core processor, and, for obvious reasons, at least a 2 megapixel front camera. I tested 1U on my LG Nexus 4, running Android 4.4.4.

1U is developed by Hoyos Labs, which operates out of MIT. It uses BOPS, the Biometric Open Protocol Standard (standardized as IEEE 2410). The app also uses 571-bit elliptic curve cryptography (ECC).

It was pretty easy to install 1U on my phone.

Once you’ve reviewed the app’s permissions, enter your phone number to receive a verification SMS message. Once you enter the six-digit number from that message, the biometric enrollment process begins, which is a face scan.

As the app warns you, it’s best to be indoors with daytime lighting coming through your windows. I live in an apartment that doesn’t always have great lighting, and like many apartments, only one side has windows. The windows in my apartment face west, so natural light in my home is better in the afternoon. That was a bit tricky for me. In the screenshot above, I was facing a light fixture on my wall, which is incandescent. Flash lighting in smartphones these days is for the rear camera only, so be careful.

But, you may be wondering, what if an attacker who acquires physical access to your phone has a printed photo of you? That’s where 1U’s Liveness technology comes in. You can set Liveness to one of four levels. I left Liveness at Level 1, which requires one facial gesture. The other three levels require more gestures and prompts. Pertaining to 1U’s face scanning function, a gesture is a facial expression. Don’t bother making peace signs at the camera, because the algorithms are for facial features only. I briefly tested the feature using Level 2, which requires two gestures. When I had good lighting, the feature was able to record a wink, and then a raised eyebrow, as two gestures. I then set Liveness off, because as annoying as having to get good lighting is, having to make funny faces is even more so. If you’re unsure as to whether your facial expression will be read properly, here’s what I recommend. Both Google+ and Facebook use very similar technology for tagging people in photos. If your face gets automatically tagged when you upload a photo, try doing so with a photo of you making a particular facial expression. If Google+ or Facebook recognizes that it’s you in that photo flashing that dorky grin, you can almost certainly have 1U recognize it as a gesture. Give it a try!

Once you’ve registered your face, you can then start linking 1U with your website and web service logins. 1U works with over 15,000 websites so far, so chances are that all of your web logins are covered. Of course, you will still need to enter your existing username and password once for each login you link.

To surf the web with an added layer of security, a version (“1U Secure Browser”) of the Chrome web browser is integrated into the app. I don’t know if the same kind of feature exists for the iOS version with Safari. Other than opening the browser inside of 1U once and loading Google Search as the home page, I didn’t really test it much.

A nice 1U feature is the ability to back it up with Dropbox or Google Drive. I assume Dropbox and iCloud are the options with the iOS version, but obviously I tested it in Android. I was able to successfully back everything up with Google Drive without any problems. On 1U’s end, everything’s driven by AWS servers, including their own backups of your 1U configuration.

1U also makes it possible to integrate your account with other compatible iOS and Android devices you may have, and with Chrome, Safari, and Firefox on Windows 7 and 8, and Mac OS X 10.7 and later. I only tested 1U on my Nexus 4 device. It’d be nice if Hoyos Labs added GNU/Linux compatibility in future updates, as I use Kubuntu and Arch on my desktop and laptop.

So, how secure is 1U? Well, we already know that it uses secure encryption and biometrics. As the system is driven by AWS servers, a lot depends on security from the Amazon server end as well. I used Google Drive for my own backup, so I hope they know what they’re doing in Mountain View. I feel uneasy about Dropbox after that account security incident they had recently. Plus, iCloud accounts were compromised in the celebrity photo scandal. Consider how secure Google, Apple, Amazon, and Dropbox’s systems are if you use 1U. The key question for any such backup is whether the credential vault is encrypted on the device before it is uploaded, so that the storage provider only ever holds ciphertext; every additional copy is another place that file can be taken from. For that reason, I recommend that if you do back up 1U, you choose only one service to do so.

I don’t have a twin sister. If you have an identical twin or identical triplets, you’d better trust them if they ever have physical access to your phone! Fingerprints are a different matter: they are shaped by conditions in the womb rather than by genes alone, so even identical twins have distinguishable prints, which is one argument for adding fingerprint security to your most sensitive logins.

As I mentioned, I had some problems with the lighting that 1U’s face scanning requires. After five failed attempts, you must confirm an activation email, and then you need to enter a new six-digit code that you receive in an SMS message. That should prevent brute forcing with your face, which actually sounds quite painful. I registered my account with my editor’s email address. Thankfully, he was patient enough to reset it for me a few times. Now I’m going to change my registration email address to my own so there’s less of a hassle. Either way, in the evening I’ve been able to successfully face scan when I have a light fixture directly facing me. Obviously, if you get plastic surgery, you’re going to need a new face scan to be set.
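The six-digit SMS code used during enrollment and the five-attempt lockout described above are only safe together: a million possible codes with unlimited tries would fall to a script in minutes. The example below, added here and not Hoyos Labs’ code, implements the server-side half of such a challenge with the properties a practitioner would check for: single use, a validity window (the five-minute TTL is an assumption; the review does not state 1U’s), a constant-time comparison, and a hard lock after five misses. The attacker simulation shows the lockout being hit before the keyspace is dented.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6
MAX_ATTEMPTS = 5           # the lockout threshold the review describes
CODE_TTL_SECONDS = 300     # assumption: a five-minute validity window


class OtpChallenge:
    """One SMS-style code: single use, time-limited, locked after MAX_ATTEMPTS misses."""

    def __init__(self, code=None, now=None):
        # A fixed code may be passed in for tests; otherwise draw one from a CSPRNG.
        self.code = code or f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.issued_at = time.time() if now is None else now
        self.failed_attempts = 0
        self.locked = False

    def verify(self, submitted, now=None):
        """Return 'ok', 'wrong', 'expired' or 'locked'; the code is consumed on success."""
        now = time.time() if now is None else now
        if self.locked:
            return "locked"
        if now - self.issued_at > CODE_TTL_SECONDS:
            self.locked = True          # a stale code can never be redeemed later
            return "expired"
        # Constant-time comparison avoids leaking how many leading digits matched.
        if hmac.compare_digest(submitted, self.code):
            self.locked = True          # single use: a replayed code is refused
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_ATTEMPTS:
            self.locked = True          # further tries need the email/SMS reset flow
            return "locked"
        return "wrong"


def brute_force_success_probability(attempts=MAX_ATTEMPTS, digits=CODE_DIGITS):
    """Chance that an attacker guesses a random code within the allowed attempts."""
    return attempts / 10 ** digits


def simulate_attacker(challenge):
    """Guess 000000, 000001, ... until the challenge stops accepting input."""
    guesses = 0
    while True:
        result = challenge.verify(f"{guesses:0{CODE_DIGITS}d}")
        guesses += 1
        if result in ("ok", "locked", "expired"):
            return guesses, result


if __name__ == "__main__":
    print("guesses before lockout:", simulate_attacker(OtpChallenge()))
    print("success probability per challenge:", brute_force_success_probability())
```

Note what the lock does not cover: the attacker can request a fresh challenge after each lockout, so the reset path (here, the email confirmation the review mentions) must itself be rate-limited, otherwise five guesses per SMS simply becomes a slower enumeration.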

You can download 1U for free and activate a 30-day free trial covering unlimited websites, unlimited mobile devices, and unlimited computers. After your free trial expires, you can continue using 1U Unlimited by purchasing a package. 1U will offer a 1 Year Package for $49.99 or a 2 Year Package for $79.99, each including unlimited websites, mobile devices, and computers.

If you decide that you’re okay with trusting AWS and Hoyos Labs with all of your web service credentials, 1U may be right for you. Just keep in mind that you may need direct natural lighting while you’re indoors for face scanning to work properly.

