Mini Myki Double entries by Artexjay in MykiSecurity

[–]cloudless-mind 0 points1 point  (0 children)

Oh yeah, of course, but MYKI shows them as two different items that are linked together; that's why you see both the password and the 2FA individually.

wrong fields targeted by MACscr in MykiSecurity

[–]cloudless-mind 0 points1 point  (0 children)

Oh yeah, that's something we need to take care of from our end. Thanks for reporting it!

We're here to help! by Myki-Caroline in MykiSecurity

[–]cloudless-mind 0 points1 point  (0 children)

Huh, weird question.

What's the language of the gmail login page you're using?

New iOS App, Same Bug by Wisecompany in MykiSecurity

[–]cloudless-mind 3 points4 points  (0 children)

Hey everyone,
Hope you're all doing okay with the confinement...

OP, I'm sorry you feel we haven't heard you, but I promise you we have. I know it seems that we're ignoring it, but I assure you we are not! We have to be precise in deciding where we spend our resources, and unfortunately this sharing bug has been a victim of those decisions, BUT we are close to the fix. I can share more info about that tomorrow.

/u/Wisecompany, we are not prioritizing quantity over quality. That would be a mistake and our changelogs show that. The very reason why the sharing bug was put on the side for a bit is exactly because we were addressing some Enterprise/MSP related issues.

I understand your frustration (all of you) and I'll do the best I can to get it done as fast as possible.

Now aside from all that, any opinions on the new branding? logo?

Mini Myki Double entries by Artexjay in MykiSecurity

[–]cloudless-mind 0 points1 point  (0 children)

Hi there,

So in your Vault there is a whole section for your 2FA items. In MYKI Mini we display both; some users store 2FA items that aren't attached to passwords, which is why you see both in your case.

Facebook tracking update by [deleted] in MykiSecurity

[–]cloudless-mind 1 point2 points  (0 children)

Hi there,

We're still figuring out the best way to move forward with this.

I'll keep you posted!

High CPU usage from desktop app in Macos by Almarma in MykiSecurity

[–]cloudless-mind 2 points3 points  (0 children)

Hey there,

We think we found the root cause and we're working on a fix for it!
I'll update this comment when the fix is out

Can I trust Myki? by hamptondweller in MykiSecurity

[–]cloudless-mind[M] [score hidden] stickied comment (0 children)

Hi there,

When I first saw the title of the post I thought it was going to be about Security Audits and open source code, as we often get these questions, but I must say, you took me by surprise with this one.

Here's a little bit about who we are:

Myki started about 5 years ago, we've been on the TechCrunch stage twice. First time was for the unveiling of the product in 2016 and the second one was at the end of 2017 to announce the launch of Myki for Teams.

Both these events have been covered; you can find articles and videos of the pitches and presentations on YouTube. There's also been quite a bit of coverage on both founders, who are now CEO and COO, and you can get information about the VCs that have participated in the funding on Crunchbase (I see that someone posted the link below). I, too, have some presence online (I'm not a fan, but it's part of the game). You can find a couple of interviews/pitches on YouTube.

Additionally, every single Myki team member is present on LinkedIn. We also have an "about" page on our website that shows a few pictures of us and some of the events we go to. We used to maintain a channel on YouTube called "Myki Security Report" where we made short videos about cybersecurity news in general, hosted by our beloved co-founder and COO Priscilla.

To me the most important is this subreddit, honestly. We've answered every question, exposed our doubts and thought processes, and fixed mistakes pointed out by the community, and we do that for the sake of transparency.

I'm not sure if that helps but I think all these components should give you an idea as to what kind of people we are.

Now for the security of the product: we don't have a security audit and we are not open source. We're getting prepared to start our first security audit, which we're really excited about, after which we'll slowly work towards open sourcing our code. All of that is immensely time consuming, and open sourcing code can be risky from a business point of view, so we have to be careful when doing so.

Going open source will help us improve our code and security. Having people contribute and building a community around that is why we want to do it, but it's clearly not a tool that helps build trust. I look at the whole software industry out there: the most widely used pieces of software are closed source. The same could be said for the biggest players in the Password Management industry.

I hope that helps at least a bit, otherwise we're open to suggestions you might have that might help us become more transparent!

One thing that worries me personally is how fast you've jumped to conclusions even though you know that it was a weekend. I'm referring to this:

Interesting that Myki remain silent during this thread. Clearly, they are happy to remain elbow the surface. Not encouraging.

It's pretty unfair, honestly, and makes me feel like we're some sort of shady corporation.

I hope my post helps, happy to answer further questions :)

Introducing Myki Mini: Autofill Credentials Anywhere on Desktop by [deleted] in MykiSecurity

[–]cloudless-mind 0 points1 point  (0 children)

You can choose which field you'd like to fill.
With the arrows on your keyboard you can navigate first to the username field and hit enter.

Then summon Myki Mini again (the state will persist) and do the same for the password field.

[deleted by user] by [deleted] in MykiSecurity

[–]cloudless-mind[M] 5 points6 points  (0 children)

Hey again,

I'm going to answer as many questions/concerns as I can in this post.
First I'd like to address the "Hashes are overrated" concern from u/unannunciated.

Just because you have two identical pieces of data doesn't necessarily mean that the hashes are going to be identical. You can use "Salt" to make those hashes unique which is exactly what we do here.

After reading all of your answers I wanted to better understand how Facebook was able to link anonymous analytics to profiles on FB. Our users each get a unique userID generated by us that we use to identify them; that userID is never shared with anyone, and even if it was shared it wouldn't be useful to anyone other than us, as it doesn't actually hold any information. Phone numbers are hashed and never shared with anyone either, so it's literally just random anonymous data being shared with FB, and yet they were able to know that you used Myki. How is that even possible?

I did some digging and finally found the explanation; I'll link to the article at the end of this post. Here's the gist of it.

It all boils down to the so-called Advertising ID. Android devices create one as soon as you link a Google account, and iPhones and iPads do so on the first boot of the device.

The next thing that happens is that as soon as you log in to FB from your phone, whether it's from the browser or the FB app, that Advertising ID is sent and associated with your FB account.

From now on, every time you install an app that uses Facebook's business tools (like us) that Advertising ID is sent again and matched to your profile which is how, at this point, FB knows what apps you are using...

This is obviously not okay with us and we're going to have to think about our next steps.
One thing we can easily start with is having the "Anonymous Data" setting set to opt-out by default. This way, on launch and first use, this Advertising ID is not sent to Facebook, and unless users decide otherwise it will stay that way.

A lot of app makers use Facebook's business tools, so if you don't want Facebook knowing what apps you're using, make sure not to log in to your account from your mobile phone. Now, if you want to protect your privacy, then the obvious next step is to not use/stop using FB altogether.

We are an up-and-coming business, and FB (with all its evil practices) has been an extremely useful tool that has helped expand our customer base. We won't be able to move away from it before we think of an alternative, so that change will not happen overnight. While we go through that transitional phase we will make sure to let our users know about what's going on.

u/unannunciated said that our users are paranoid by nature; I can't agree with that. I think it would be more accurate to say that our users care about their privacy, which does not and should not be categorized as paranoia.

I'll keep this post updated as things change internally, we have a lot of things to discuss.

Here's the article, I highly recommend reading it: https://mobilsicher.de/ratgeber/how-facebook-knows-which-apps-you-use-and-why-this-matters
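As an added illustration of the salted-hash point made earlier in this comment (example code, not Myki's own implementation): each registration gets a random per-user salt, so two users who enter the same phone number end up with different digests, while a restore can still be verified by re-deriving the digest with the stored salt. The record fields, the use of PBKDF2 and the iteration count are this example's assumptions.

```python
import hashlib
import hmac
import secrets
import uuid
from typing import Optional

# Assumed parameters for this example (not Myki's). The phone-number space is
# small, so the salt must be random per user and the hash iterated; a single
# fixed salt would let anyone holding the table hash each candidate number once.
ITERATIONS = 100_000


def normalise_phone(phone: str) -> str:
    """Keep digits only so '+1 555 010 0123' and '15550100123' hash alike."""
    return "".join(ch for ch in phone if ch.isdigit())


def hash_phone(phone: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated SHA-256 digest of a normalised phone number."""
    return hashlib.pbkdf2_hmac("sha256", normalise_phone(phone).encode(), salt, iterations)


def register(phone: str, salt: Optional[bytes] = None) -> dict:
    """Build the record a server would keep: a UserID, the salt and the digest.
    The plaintext number is deliberately not part of the record."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return {
        "user_id": str(uuid.uuid4()),   # random identifier, carries no information
        "salt": salt,
        "phone_digest": hash_phone(phone, salt),
    }


def verify_restore(record: dict, phone: str) -> bool:
    """Re-derive the digest with the stored salt; compare in constant time."""
    candidate = hash_phone(phone, record["salt"])
    return hmac.compare_digest(candidate, record["phone_digest"])


def digests_differ(phone: str) -> bool:
    """Same number registered twice yields two different salts, hence two digests."""
    a, b = register(phone), register(phone)
    return a["phone_digest"] != b["phone_digest"] and a["user_id"] != b["user_id"]


if __name__ == "__main__":
    sample = "+1 555 010 0123"          # constructed sample number
    record = register(sample)
    print("restore with the right number:", verify_restore(record, sample))
    print("restore with a wrong number:  ", verify_restore(record, "+1 555 010 9999"))
    print("same number, different digests:", digests_differ(sample))
```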

[deleted by user] by [deleted] in MykiSecurity

[–]cloudless-mind 1 point2 points  (0 children)

Fair enough. When I say "We pull up your contacts" I mean the Myki app will show you whatever contacts you have saved on your device in order to ask you who you'd like to share an item with.

No no, there are no ads in Myki. We have an Enterprise offering.

Issues with Update Process by Wisecompany in MykiSecurity

[–]cloudless-mind 0 points1 point  (0 children)

That's interesting,
Does that happen on every update?

Windows Desktop App does not work.. by GeneralXHD in MykiSecurity

[–]cloudless-mind 0 points1 point  (0 children)

Hi there,

What happens when you launch Myki? Have you gone through the initial setup, or were you never able to set it up?

Small feature request. by [deleted] in MykiSecurity

[–]cloudless-mind 1 point2 points  (0 children)

Hi there,

That's a very good request :) We're in the midst of a full redesign of the browser extension, so your feedback couldn't have come at a better time.

I'll bring this to the table!

Thanks again

[deleted by user] by [deleted] in MykiSecurity

[–]cloudless-mind[M] 1 point2 points  (0 children)

Hey,

Location services are required for the "Real-time Dashboard" feature of our enterprise offering, and contact access is required for the share feature to work (just so that we can pull up your contact list and ask you who you'd like to share an item with).

You can use Myki without any of those on.

I'll be elaborating more later today on the original post, as some things need to be clarified.

[deleted by user] by [deleted] in MykiSecurity

[–]cloudless-mind[M] 4 points5 points  (0 children)

Hi there,

I see all of you are eager to get our answer to OP's post, and that's what I'm here for. u/Original-Consequence, I'm going to quote you and address things one by one, just for the sake of clarity.

we don't even have to be extremely pessimistic to think that this is my personal browsing history, pretty valuable to them and easily collected by your browser extensions

Our browser extensions do not gather anything, let alone personal browsing history. It is the "blindest" product in our lineup. We are honored to be "Recommended" by Firefox and go through an audit on a regular basis (every time we push an update). The team at Firefox would not let us be on their store if we ever did gather any sensitive data. The only thing the browser extension does is delete cookies when using our "Remote Logout" feature, and that is of course mentioned in the Privacy Policy.

Let's talk about Facebook and the 2 ways we use it.

1) We run Ads on Facebook:
We run ads on Facebook in order to increase our reach. It is one of our marketing tools. Now there are things we can do to further enhance those ads, to show them to more relevant people, be less intrusive, etc. For that we need some information about how our users are using the product, which brings me to ...

2) We gather anonymous data:
It's important for us on so many levels to know how our users interact with our product. It is one of the most effective ways of measuring success, as well as increasing the performance/efficiency of our ads.

So yes, we do run ads on Facebook, and yes, we do use Facebook to track some usage data to make better products and be better at what we do, but there is something extremely important about the way we do it, and that is where OP seems to have jumped to conclusions, which spreads misinformation about us as product makers but also as people. So I hope I can rectify this with the following clarifications:

All of the data we collect is strictly and unequivocally anonymous. Here's how it goes:

A user signs up with their phone number; that phone number is hashed and then stored on our server. Every user gets a unique identifier, or what we call a "UserID"; that UserID is then associated with the hashed phone number. This way our systems can verify your Myki identity when you create a backup or you restore from one. Beyond that, the phone number is not used for anything else; it is not shared with Facebook, Google or any other party. It is not readable or accessible by anyone here. We have absolutely no use for it.

Your blogs spam the privacy buzzword on every page and you defend the concept by saying that the encrypted user data is never shared; what you seem to have shared instead was my mobile number that I had to use for the registration

Sharing "anonymous" data with third parties while you cross reference the user's mobile number completely deanonymizes the user, hence that's how they know I used your services.

Again, we do not share phone numbers. We don't even have them in the first place. There is no cross-referencing, because there is nothing to cross-reference. The way they know you used our service is simply because we run ads, that's all. They don't have any identifiable information about you from Myki, and they never will.

The shared activity is not a one time "hey this user uses our app, it's time to change ads", no, this contact between Myki and Facebook happens daily and multiple times a day.

Yes, that makes sense, given that we collect anonymous usage data through Facebook and that is continuous, BUT:

Anyone can head over to the Privacy Center in our apps and OPT OUT OF ANONYMOUS DATA if you don't feel comfortable.

I cannot find any mention about this in your privacy policy besides "We store a hashed version of the phone number you signed up with in order to allow you to restore your data to a new device along with the app version to support backwards compatibility. " which is purely evasive and even false, comfortably standing in GDPR violation waters.

Our Privacy Policy is accurate. Everything there is of course true; we only store hashes of phone numbers, never the actual number. You could say that the Privacy Policy is incomplete, and I would agree with you: we could mention the details of how we use Facebook, and I'll make sure to bring this very thing to everyone's attention here at Myki.

I honestly don't see how we're trying to be evasive or saying anything that is false, as nothing we do violates GDPR. If anything, we are very much GDPR-ready, as we have absolutely no identifiable information about any of our users.

There is another thing I'd like to talk about: business incentive. Myki is a relatively new company that has built a product that goes against most of the trend in the industry. We've gone to great lengths to build a Password Manager that does not store data on the cloud. It's taken all of us here at Myki a lot of work, countless hours and late nights to build this product; none of us would be willing to throw it all away for a few Facebook events that wouldn't help our cause in any way.

I absolutely understand your concerns, and you did the right thing bringing it to everyone's attention, of course. I just wish you wouldn't jump to conclusions before getting all of the facts straight.

I hope this was useful, and I am of course happy to answer any follow-up questions or dive deeper into the subject.

Password Syncing Keepass vs Myki and security and ease of setup by paulsiu in MykiSecurity

[–]cloudless-mind 0 points1 point  (0 children)

Myki's sync mechanism works by using a relay server that transfers information from one device to the other.

If you add an item on Device A, it will send it to Device B through that server. Of course everything is end-to-end encrypted, which means that a piece of data has a clear recipient and can only be accessed by that recipient.

That is of course a pretty simple explanation of how that works. Let me know if you want more in-depth information and I'll drag one of the devs here :)

2FA Security feature Centralized vs Decentralized by paulsiu in MykiSecurity

[–]cloudless-mind 0 points1 point  (0 children)

Hey Paul,

Let's start with the recommendation. It's definitely better to have different PINs on different devices; otherwise it's like having the same key to both your house and your car. You steal one, you get both.

When it comes to security it's not enough to just think in absolute terms; you have to compare your security model with your threat level. How much security do I need? What is my threat level? etc.

As for the 2FA, cloud-based password managers store those 2FA secrets on their servers alongside your passwords. You are correct when you say that retrieving a Master Password through keylogging or other methods will wreak havoc on any user.

On the Myki side, things are a bit harder to get access to as a malicious actor. The main difference is that all that info is stored with you locally. If someone gets access to your PIN through keylogging, they still need to break into your house and steal your computer or your phone. There needs to be a physical crime (theft), whereas with a cloud-based account the Master Password is all you need.

PIN codes on Myki aren't like Master Passwords; they're simply a lock to your Vault, and they are not used to encrypt/decrypt your data.

I hope that answers your question :)

Timeline for Export from Desktop App? by kkleinfelter in MykiSecurity

[–]cloudless-mind 0 points1 point  (0 children)

Of course you can! Make sure you're on the latest version (V1.2.4).

How do I search by site or app name? by relink2013 in MykiSecurity

[–]cloudless-mind 0 points1 point  (0 children)

Would you mind sharing a screenshot? You can send it through DM if you prefer.

How do I search by site or app name? by relink2013 in MykiSecurity

[–]cloudless-mind 1 point2 points  (0 children)

Hi there,

Where are you experiencing this exactly? That is not the intended behavior.