
TrueKey sign-in with password re-prompt is _less_ secure than without re-prompt.

I have most of my TrueKey logins set up to not require password reentry. This means when I navigate to a site, my username/password is auto-filled into the site. For a few of my more sensitive accounts I have them set up in TrueKey to re-prompt for a password. The problem is that for those sites my username and password are _not_ auto-populated. This means I have to leave the site I'm on, search for it by name in the TrueKey app, copy the password (which requires password entry) and then paste it into the target site.

This is not particularly secure for a couple reasons:

  1. My password ends up in my clipboard which can be read by malicious websites and applications on my computer.
  2. It opens me up to phishing attacks.  For auto-login sites, TrueKey will only populate the username/password for domains that are an _exact_ match, which protects me from someone phishing me with g0ogle.com.  However, because I have to manually search, I am no longer protected from phishing attacks.

Mitigation suggestion is to handle this similarly to LastPass and make it so I can click on the extension, right-click on the page, or click on the input form to autofill for me. If the account requires a password reprompt then do so in a separate window/tab and once complete auto-fill the page.

I believe LastPass handles this on a technical level by having password reprompts last for some number of minutes, which avoids the need to synchronize the different tabs. When I enter my password into LastPass, it unlocks all of my accounts for some short period of time and any tabs that are polling for login details will get through once I unlock my account. I find this to be quite reasonable, and sometimes even preferable because LastPass also lets me choose to "not reprompt again for X minutes" which is useful when I am having to enter my password a few times for something.
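The behaviour requested in the post above, as an added sketch that is not part of the original post and is not TrueKey or LastPass code: re-prompt entries keep the exact-hostname check and are filled directly once the re-prompt has been satisfied, so nothing goes through the clipboard. The names `Vault`, `decideFill`, `confirmReprompt`, the five-minute `GRACE_MS` window and the `.example` hosts are all assumptions made for illustration.

```javascript
// Hypothetical names throughout; this models the decision logic only.
const GRACE_MS = 5 * 60 * 1000; // assumed "do not re-prompt again for X minutes"

// Constructed sample entries (not real accounts).
const SAMPLE_ENTRIES = [
  { host: "news.example", username: "alice", password: "pw1", reprompt: false },
  { host: "bank.example", username: "alice", password: "pw2", reprompt: true },
];

class Vault {
  constructor(entries, now = () => Date.now()) {
    this.entries = entries;
    this.now = now;          // injectable clock so expiry can be tested
    this.unlockedUntil = 0;  // re-prompt counts as satisfied until this time
  }

  // Called after the user re-enters the master password in the manager's own UI.
  confirmReprompt() {
    this.unlockedUntil = this.now() + GRACE_MS;
  }

  // Decide what to do for the page at pageUrl.
  decideFill(pageUrl) {
    let url;
    try {
      url = new URL(pageUrl);
    } catch {
      return { action: "none" };
    }
    if (url.protocol !== "https:") return { action: "none" };

    // Exact hostname comparison: a lookalike host (the post's g0ogle.com case)
    // matches no entry, whether or not the vault is currently unlocked.
    const entry = this.entries.find((e) => e.host === url.hostname);
    if (!entry) return { action: "none" };

    // Sensitive entry and no recent re-prompt: ask first, fill afterwards.
    if (entry.reprompt && this.now() >= this.unlockedUntil) {
      return { action: "reprompt", host: entry.host };
    }
    return { action: "fill", username: entry.username, password: entry.password };
  }
}
```

A tab that received `reprompt` can call `decideFill` again after `confirmReprompt()` and will get `fill` until the window expires.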
