stud0709 edited this page Jun 23, 2026 · 8 revisions

OneMoreSecret

OneMoreSecret is a decentralized secrets manager that leverages your smartphone's hardware keystore and biometric authentication to protect your passwords. Instead of relying on a cloud database, your sensitive data (e.g. passwords, TOTP tokens, files, and Bitcoin private keys) are encrypted into QR codes or text payloads that can be safely embedded anywhere — even on a public wiki or plain text file.

What's wrong with password managers?

In the early days, computers were not password protected. The first password dates back to 1961. As things got worse, password policies were born, together with the recommendation to have a separate password for every application. This is how the password manager came into being - as a workaround for the password policy. You kind of have different passwords for every service, and still, there is only one password.

Don't get me wrong, KeePass and others have been doing a great job. But here are some concerns:

  1. Security software with millions of installations is very attractive to hackers.
  2. If you know the master password, you have access to the entire database. Not only do you get a list of passwords, you also know where to log in - a typical password manager stores everything in one place. If you are extraordinarily "smart", you will also store your One-Time Password configuration in your password manager, thus bypassing the very idea of Multi-Factor Authentication.
  3. Even if there are some additional security measures to protect the password database (e.g. entering your password using Windows secure screen or protecting the database with the password and a key provider or a secret file), they are often not active in the default configuration of your tool.
  4. If you have gained access to a cloud password storage, you can collect literally millions of password databases!

My personal nightmare is a hidden code change in a password manager making it send the data to a third party. And yes, code changes to a cloud software apply for all customers the same minute they are deployed... 💣

Why OneMoreSecret?

...well, I am probably not the only one wondering if we are really better off with password managers or just storing all our credentials in one place for someone to come and collect them all at once. Maybe not today, but tomorrow...

If there is a vulnerability, there will also be an exploit for it. And it will work for a typical configuration. It is a good idea to be among the 1% with a setup where the exploit will not work.

...and I am fed up with typing my master password 40 times a day! 🤬 If you enter your master password on multiple machines and different platforms many times per day - is it still something you call secure?

So here is the wish list I wanted to implement with OneMoreSecret:

No Master Password

The encryption used in OneMoreSecret is based on keys, not a password phrase. Yes, it's good old asymmetric cryptography wrapped into a handy tool.

No Context

Every password is stored separately in its own encryption envelope. And every password is sent to the phone for decryption separately and without context. So even if someone steals a password from your phone, he will still have to figure out what it is good for.

Store It Your Way

It's your choice how to store your credentials. The recent addition to the OneMoreSecret ecosystem is oms4web, a password manager tightly integrated with OneMoreSecret and following the idea of context separation. Being a convenient way to organize passwords, it delegates decryption to the Android app. Give it a try!

You could use a text file, Excel, Google Sheets, Simplenote or any other software. You could also continue using KeePass (it has a very comfortable user interface after all ❤️) or a password manager of your choice and put your encrypted password into the password field:

(Screenshot: OneMoreSecret on top of KeePass)

If your master password has leaked, the guys will still end up with encrypted passwords.

⚠️ Whatever you are going to use, think about regular backups, versioning and the offline capability of the software. A pure web application might be unavailable the very moment you need your passwords, whereas a cloud storage client can be set up to also keep a local copy on your device (here's how you set it up for Google Drive).

No Private Key Exposure

The keys you import into the app are protected by the hardware-based Android Keystore system. Once the key has been imported into the storage, it cannot be extracted from the phone any more.

The only way to restore your private key is the backup document together with the transport password.

⚠️ DO NOT share this document and password with others as this will grant access to all data encrypted by this private key.

Login without a password

...yes, I know, there is FIDO2. But hey, with OneMoreSecret, your users can share their public key with you - with just one click. Now you can generate a one-time verification code for the user, encrypt it with his key and show it as a QR sequence on your login page (omsCompanion already has all the logic written in Java, and oms4web uses exactly this procedure for the quick unlock functionality).

Login from a mobile device? No problem, OneMoreSecret will respond to browser links. "Hello, World!" Tutorial, Step 5.
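The quick-unlock exchange described above, sketched in Go as an added example (this is not omsCompanion's or oms4web's code): the server issues a one-time code encrypted to the user's shared public key, the phone decrypts it, and the server accepts the answer once, before it expires. RSA-OAEP over a 32-byte code, the challenge id used as the OAEP label and the in-memory `pending` map are assumptions of this example, not the app's own message format.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"time"
)

// A pending quick-unlock challenge on the server: one-time code plus expiry.
type challenge struct {
	code    []byte
	expires time.Time
}

var pending = map[string]*challenge{} // keyed by challenge id

// issueChallenge (server side): draw a random code, encrypt it to the user's
// shared public key and return the ciphertext for the QR sequence plus the
// challenge id. The id doubles as the OAEP label, so the ciphertext decrypts
// only for the challenge it was issued for. RSA-OAEP is an assumption here.
func issueChallenge(pub *rsa.PublicKey, ttl time.Duration) (string, []byte, error) {
	buf := make([]byte, 48)
	rand.Read(buf) // crypto/rand: never returns an error on supported platforms
	code, id := buf[:32], hex.EncodeToString(buf[32:])
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, code, []byte(id))
	if err != nil {
		return "", nil, err
	}
	pending[id] = &challenge{code: code, expires: time.Now().Add(ttl)}
	return id, ct, nil
}

// decryptOnPhone (app side): the private key stays on the device; only the
// recovered code is typed or sent back to the login page.
func decryptOnPhone(priv *rsa.PrivateKey, id string, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ct, []byte(id))
}

// verifyResponse (server side): the challenge is consumed on first use, right
// or wrong answer, and the code comparison is constant-time.
func verifyResponse(id string, response []byte) bool {
	c, ok := pending[id]
	delete(pending, id)
	return ok && time.Now().Before(c.expires) &&
		subtle.ConstantTimeCompare(c.code, response) == 1
}
```

A real deployment would additionally bind the challenge to the browser session that requested it, so that a decrypted code cannot be redeemed from a different session.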

How It Works

This is a brief overview of the functionality. For every screen, you can find a Help menu entry.

On Your Smartphone

You have the whole toolbox to encrypt and decrypt passwords, time-based OTPs or files on your mobile phone, create and import private keys etc.

The app will also respond to specific links in the web browser (as described here). Alternatively, you can select the oms00_.... piece of text on your phone and share it with OneMoreSecret (OneMoreSecret will register as a recipient of text data).

On Your Desktop Computer

If you store your passwords on your desktop computer, omsCompanion will convert your encrypted data into a QR code sequence as soon as you copy it to your clipboard. So on your desktop, a window will pop up:

(Screenshot: QR code sequence window shown by omsCompanion)

If more than one code is needed, there will be a fast changing sequence of codes in this window, so that it takes maybe a second or two to transfer all the data.

Decrypting the Data

The app will then request the key from the Android Keystore system. Android will ask you to scan your fingerprint, verify it and decrypt the message on behalf of the app (here are some technical details). Now you can either make your password visible on the phone or you just tell the app to TYPE the password back to your PC.

Setting Things Up

You will need a smartphone with Android 12 (API 31) or higher, a fingerprint sensor and support for the Bluetooth HID profile (there is an app to test that).

⚠️ As the whole thing relies on Android OS and hardware security mechanisms, and every manufacturer has his own hard- and software behind the key store implementation, it's a good idea to choose a smartphone from a renowned manufacturer. We have also seen compatibility issues with older phones which received an Android OS upgrade, but seem to have the older key store under the hood.

On your Android smartphone, you will need to set up fingerprint authentication from your system settings.

If your password database is on your desktop PC, you will also need oms4web or omsCompanion. These apps will generate QR codes from your encrypted data, making it readable for your phone. You can also use them to encrypt your secrets with the public key.

Once the password has been decrypted, you can auto-type it back to your PC. For this to work, OneMoreSecret acts as a Bluetooth keyboard. See the auto-type help page in the app for more details.
