OneMoreSecret is a standalone security layer for your data (e.g. passwords, TOTP tokens, files, and Bitcoin private keys). It leverages the Android Keystore system, turning your phone into a hardware security module. In other words: with OneMoreSecret, you decrypt your secrets with your phone and your fingerprint.
This is a very early version of the software. Use it at your own risk. We'll do our best to keep the message formats unchanged and guarantee backward compatibility.
Download the latest release from GitHub or
Try our "Hello, World!" Tutorial.
👉 For every screen of the app there is a help page! See the context menu in the upper right corner.
For feature requests and bug reports, please open a GitHub Issue.
You can also send me an e-mail from the app Feedback menu or use our Discord channel.
In the early days, computers were not password protected. The first password dates back to 1961. As things got worse, password policies were born, together with the recommendation to have a separate password for every application. This is how the password manager came into being: as a workaround for the password policy. You kind of have different passwords for every service, and still, there is only one password.
Don't get me wrong, KeePass and others have been doing a great job. But here are some concerns:
- A security software with millions of installations is very attractive to hackers.
- If you know the master password, you have access to the entire database. Not only do you get a list of passwords, you also know where to log in: a typical password manager stores everything in one place. If you are extraordinarily "smart", you will also store your One-Time Password configuration in your password manager, thus bypassing the very idea of Multi-Factor Authentication.
- Even if there are additional security measures to protect the password database (e.g. entering your password using the Windows secure screen, or protecting the database with the password plus a key provider or a secret file), they are often not active in the default configuration of your tool.
- If you gain access to a cloud password store, you can collect literally millions of password databases!
My personal nightmare is a hidden code change in a password manager that makes it send the data to a third party. And yes, code changes to cloud software apply to all customers the same minute they are deployed... 💣
...well, I am probably not the only one wondering whether we are really better off with password managers, or whether we are just storing all our credentials in one place for someone to come and collect them all at once. Maybe not today, but tomorrow...
If there is a vulnerability, there will also be an exploit for it. And it will work against a typical configuration. It is a good idea to be among the 1% with a setup where the exploit will not work.
...and I am fed up with typing my master password 40 times a day! 🤬 If you enter your master password on multiple machines and different platforms many times per day, is it still something you would call secure?
So here is the wish list I wanted to implement with OneMoreSecret:
The encryption used in OneMoreSecret is based on keys, not on a passphrase. Yes, it's good old asymmetric cryptography wrapped into a handy tool.
Every password is stored separately in its own encryption envelope, and every password is sent to the phone for decryption separately and without context. So even if someone steals a password from your phone, they will still have to figure out what it is good for.
It's your choice how to store your credentials. You could use a text file, Excel, Google Sheets, Simplenote or any other software. You could also continue using KeePass (it has a very comfortable user interface after all ❤️) or a password manager of your choice and put your encrypted password into the password field:
If your database is stolen, the attackers will still end up with nothing but encrypted passwords.
The Android Keystore system does not "hand over" the key to the app. Once the key has been imported into the Keystore, you cannot extract it from the phone any more.
The only way to restore your private key is the backup document together with the transport password.
...yes, I know, there is FIDO2. But hey, with OneMoreSecret, your users can share their public key with you with just one click. Now you can generate a one-time verification code for the user, encrypt it with their key and show it as a QR sequence on your login page (omsCompanion already has all the logic written in Java).
Login from a mobile device? No problem, OneMoreSecret will respond to browser links. Just put the encrypted message into a link: <a href="https://oms-app-intent/oms00_.....">Click here to log in from your phone</a>. You will find a sample link in our "Hello, World!" Tutorial.
(As oms-app-intent is not a valid domain, this does not work smoothly on all phones right now; the browser sometimes displays a "Page not found" error.)
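The one-time-code login described above, on the server side, as an added example (this is not omsCompanion's code; the key alias, the two-minute lifetime and the in-memory table are assumptions, and how the ciphertext is wrapped into the oms00_ envelope or QR sequence is not specified on this page):

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Cipher;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

public final class PhoneLoginChallenge {
    private static final SecureRandom RNG = new SecureRandom();
    private static final long TTL_MS = 120_000;               // assumed: a code is worthless after 2 minutes

    private static final class Pending {
        final byte[] codeHash; final long expiresAt;          // only a hash is kept server-side
        Pending(byte[] h, long e) { codeHash = h; expiresAt = e; }
    }
    // assumed in-memory table keyed by user; a real deployment would use its session store
    private static final Map<String, Pending> PENDING = new ConcurrentHashMap<>();

    /** Issue a challenge: a random code encrypted to the public key the user shared at registration. */
    public static byte[] issue(String user, byte[] spkiDer) throws Exception {
        byte[] raw = new byte[24];
        RNG.nextBytes(raw);
        String code = Base64.getUrlEncoder().withoutPadding().encodeToString(raw); // what the phone types back
        PENDING.put(user, new Pending(sha256(code), System.currentTimeMillis() + TTL_MS));
        PublicKey pub = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(spkiDer));
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        // Pin the OAEP parameters explicitly: Android Keystore uses SHA-1 for MGF1 by default,
        // and a mismatch here shows up only as an undecryptable message on the phone.
        c.init(Cipher.ENCRYPT_MODE, pub, new OAEPParameterSpec("SHA-256", "MGF1",
                MGF1ParameterSpec.SHA1, PSource.PSpecified.DEFAULT));
        return c.doFinal(code.getBytes(StandardCharsets.US_ASCII)); // render this as the QR sequence / link
    }

    /** Check the code the phone typed back: single use, time-limited, constant-time comparison. */
    public static boolean verify(String user, String typed) throws Exception {
        Pending p = PENDING.remove(user);                     // remove first: one attempt per challenge
        if (p == null || System.currentTimeMillis() > p.expiresAt) return false;
        return MessageDigest.isEqual(p.codeHash, sha256(typed));
    }

    private static byte[] sha256(String s) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.US_ASCII));
    }
}
```

Because only the hash of the pending code is stored, a leaked pending table cannot be replayed, and the code never exists in plaintext anywhere except on the user's phone after a fingerprint scan.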
This is a brief overview of the functionality. For every screen, you can find a Help menu entry.
You have a complete toolbox to encrypt and decrypt passwords, time-based OTPs or files on your mobile phone, to create and import private keys, etc.
The app will also respond to specific links in the web browser (as described here). Alternatively, you can select the oms00_.... piece of text on your phone and share it with OneMoreSecret (OneMoreSecret registers as a recipient of text data).
If you store your passwords on your desktop computer, omsCompanion will convert your encrypted data into a QR code sequence as soon as you copy it to your clipboard. A window will pop up on your desktop:
If more than one code is needed, this window shows a fast-changing sequence of codes, so that it takes maybe a couple of seconds to transfer all the data.
The app will then request the key from the Android Keystore system. Android will ask you to scan your fingerprint, verify it and decrypt the message on behalf of the app (here are some technical details). Now you can either make your password visible on the phone or tell the app to TYPE the password back to your PC.
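What "the Keystore does not hand over the key" and "Android decrypts on behalf of the app after a fingerprint" look like in code, as an added example (not OneMoreSecret's own source; the key alias, the 4096-bit RSA/OAEP choice and the callback shape are assumptions, and the Android API 31 baseline stated above is taken for granted):

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import androidx.biometric.BiometricManager;
import androidx.biometric.BiometricPrompt;
import androidx.core.content.ContextCompat;
import androidx.fragment.app.FragmentActivity;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.util.function.Consumer;
import javax.crypto.Cipher;

public final class KeystoreDecrypt {
    private static final String ALIAS = "oms_demo_key"; // hypothetical alias, not the app's real one
    private static final String OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    /** Create an RSA key pair inside the Keystore; the private half is generated there and is not exportable. */
    public static void generateKey() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore");
        kpg.initialize(new KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_DECRYPT)
                .setKeySize(4096)
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_OAEP)
                .setUserAuthenticationRequired(true)                 // a fingerprint is needed for EVERY use
                .setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)
                .setInvalidatedByBiometricEnrollment(true)          // enrolling a new finger kills the key
                .build());
        kpg.generateKeyPair(); // the public half is readable via KeyStore.getCertificate(ALIAS).getPublicKey()
    }

    /** Decrypt one envelope. doFinal() only succeeds on the Cipher handed back by the biometric prompt. */
    public static void decrypt(FragmentActivity activity, byte[] envelope, Consumer<byte[]> onPlain) throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        PrivateKey priv = (PrivateKey) ks.getKey(ALIAS, null);   // an opaque handle, not key material
        Cipher cipher = Cipher.getInstance(OAEP);
        // Pitfall: Android Keystore uses MGF1 with SHA-1 for OAEP by default; the desktop encryptor must match.
        cipher.init(Cipher.DECRYPT_MODE, priv);

        BiometricPrompt.AuthenticationCallback cb = new BiometricPrompt.AuthenticationCallback() {
            @Override public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult r) {
                try { onPlain.accept(r.getCryptoObject().getCipher().doFinal(envelope)); }
                catch (Exception e) { throw new IllegalStateException("decryption failed", e); }
            }
        };
        BiometricPrompt.PromptInfo info = new BiometricPrompt.PromptInfo.Builder()
                .setTitle("Decrypt secret").setNegativeButtonText("Cancel")
                .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG).build();
        new BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), cb)
                .authenticate(info, new BiometricPrompt.CryptoObject(cipher));
    }
}
```

Calling doFinal() on the Cipher without going through the prompt fails, which is the property the page relies on: the app only ever holds a handle, and each decryption is bound to one fingerprint scan.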
You will need a smartphone with Android 12 (API 31) or higher, a fingerprint sensor and the Bluetooth HID profile (there is an app to test that).
On your Android smartphone, you will need to set up fingerprint authentication in your system settings.
If your password database is on your desktop PC, you will also need omsCompanion. omsCompanion will generate QR codes from your encrypted data, making it readable for your phone. You can also use it to encrypt your secrets with the public key.
Once the password has been decrypted, you can auto-type it back to your PC. For this to work, OneMoreSecret acts as a Bluetooth keyboard. See the auto-type help page in the app for more details.
Google Play and the Google Play logo are trademarks of Google LLC.
Many thanks to the folks whose projects helped me find my way through HID, encryption and other challenges: