PicKey AI - Secure your master password with a fun memory you love!
PicKey’s AI uses your favorite picture along with a 3D character to create an exceptionally strong Master Password. You no longer need to type or remember any text passwords. PicKey, being a visual password manager, blends absolute security with effortless usability.
Hi, this looks to be an amazing product and a new concept. The only question in my mind is why I should trust you more than existing password managers, as password protection is based on trust!
PicKey.ai
@ankita_jaitly That is the most important question you can ask.
The problem with traditional password managers is that they are 'Honey Pots'—they store a database of everyone's passwords. If that vault is breached (as we've seen with major competitors), everything is at risk.
We designed PicKey to be Architecturally Trustworthy, meaning we minimize what we store so we minimize what can be stolen:
Stateless Security (MagicPass): We do not store your website passwords. We regenerate them mathematically every time you log in. If hackers breached our servers tomorrow, they would find zero passwords to steal. We can't lose what we don't have.
Distributed Trust: We don't ask you to trust just one factor. An attacker needs your:
Physical Device (we do deep link verifications on the app)
Access to your Email (email is verified at important steps like login)
Your Image: your main master password. It is practically impossible to brute-force due to the number of combinations possible in an image, vs. a text master password.
3D Collectable: the exact 3D character used during login needs to be known.
Time Lock: all of this needs to happen in a limited time window.
We also use a unique KMS (Key Management System) envelope for every single user. There is no 'Master Key' for the whole database.
With practically infinite combinations in an image-based master password, multi-factor verification and being able to manage passwords without storing them (MagicPass), we believe that PicKey is the choice that can be trusted because of how securely it is built architecturally.
Does it answer your question? I'd be happy to answer any follow-up questions you may have.
Swytchcode
Nice. How does it compare to Bitwarden?
PicKey.ai
@chilarai Thank you!
Great question! We have huge respect for Bitwarden—they are the gold standard for traditional vaults. 🏆
The big difference lies in how we handle the 'Key' and the 'Vault':
Visual vs. Text: Bitwarden relies on a complex Master Password (which is easy to forget or tough to type on mobile). PicKey replaces that with Visual Memory (a photo + 3D character). You can't get 'Keylogged' if you aren't typing! 📸 Not only does it have higher entropy than text master passwords, it is also visual and so has easy recall (usability).
Stateless vs. Stored: Bitwarden stores an encrypted database of your passwords. PicKey’s MagicPass generates them mathematically on the fly and never stores them. Even if we were breached, there are literally zero MagicPass passwords to steal. 👻
Are you mostly happy with Bitwarden right now, or is the fatigue of typing that Master Password starting to set in?
I hope this answers your question. Let me know and I'd be happy to answer any follow-up questions you may have.
@gaurav_upadhyay1 and @soumya_mishra3
Many congrats on the launch, and indeed a very novel idea and product. I really like how it makes password management more of an intuitive function instead of a cognitive function.
Quick question: while I know a live visual aid is always better, if I still choose to store a photo on the phone/account, how easy or difficult is it for an attacker to crack the password if they have access?
PicKey.ai
@pariksiit_s_shukla - thank you 🙌. Great question.
PicKey does not rely on a single factor for its authentication. Even in the worst-case scenario you've mentioned above, where an attacker gets access to your photo library, they cannot bypass the other factors. This is because we verify your:
Device (via deep links)
Email
3D Collectable (it is virtual, appears only during login/signup)
Timed Window (the "crack" attempt needs to happen within a short window)
Image (even if your library is public, wrong login attempts will notify you).
For even higher security, we recommend always taking the photo live from your camera and not depending on your library at all. We still respect user choice and there is an option to select the photo from the library, but a live camera photo simply removes this worst-case scenario entirely.
Does this answer your question? I'd be happy to answer any follow-up questions you may have.
Nimo
PicKey.ai
@midhxn thank you.
Do you currently use a password manager? If so, what troubles you most about it?
Never seen an approach like this before, and I'm honestly impressed. Swapping complex passwords for visual memory is so counter-intuitive, yet it makes everything feel much simpler. Most security apps feel like a chore, but this one is surprisingly smooth to use.
PicKey.ai
@joeyzhang thank you for the kind words. Means a lot!! 🙌
Not only do images contain exponentially more data (to act as stronger master passwords); it is estimated that they are at least 60,000 times easier to remember than any text-based password.
We want to remove the gap between usability and cybersecurity, as often the ones who need it the most get bogged down by the usability aspects of managing passwords.
Congrats on this launch Gaurav!
I'm curious to know how you handled the challenges of consistent on-device processing across different devices and browsers while maintaining high security and performance?
PicKey.ai
@cathcorm Thank you! 🙌
Platforms like iOS (and Android) provide OS-level native password APIs for on-device processing, with careful updates only during specific lifecycle events (creating, updating or deleting passwords). This helps us keep processing within a limit.
The processing happens with end-to-end encryption and is optimized and serialized for payload, reducing the bandwidth payload as well.
Moreover, the back-end is built on capable infrastructure that can scale on demand, and the communication runs on OAuth 2.1-style PKCE flows.
So it is a mix of optimizations at device, communication, security and capacity levels, all coming together to maintain high security and performance.
Does that answer your question? I'd be happy to help you with any further questions you may have.
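The reply above names OAuth 2.1-style PKCE flows for the app's client-server communication. As an added example (mine, not PicKey's code, and not a description of its implementation), here is the exchange both sides perform under RFC 7636 with the S256 method, using a constructed in-memory authorization server in place of real endpoints. The client id, the salt-free demo token format and the server class are all assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Added example, not PicKey's code: an OAuth 2.1-style authorization-code exchange
# with PKCE (RFC 7636, S256). The client reveals the verifier only at the token
# request, so a party that observes just the authorization code cannot redeem it.


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy verifier; 32 random bytes encode to 43 unreserved characters."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class DemoAuthorizationServer:
    """Constructed stand-in for the authorization server's two endpoints."""

    def __init__(self) -> None:
        # code -> (client_id, code_challenge); a real server also binds redirect_uri and expiry
        self._pending: Dict[str, Tuple[str, str]] = {}

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        # OAuth 2.1 drops the "plain" method; only S256 is accepted here.
        if method != "S256":
            raise ValueError("only the S256 code_challenge_method is accepted")
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> Optional[dict]:
        entry = self._pending.pop(code, None)  # pop: an authorization code is single-use
        if entry is None:
            return None
        bound_client, challenge = entry
        if bound_client != client_id:
            return None
        # Recompute the challenge from the presented verifier; compare in constant time.
        if not hmac.compare_digest(make_code_challenge(code_verifier), challenge):
            return None
        return {"access_token": b64url(secrets.token_bytes(24)), "token_type": "Bearer"}


def run_pkce_flow(server: DemoAuthorizationServer, client_id: str = "demo-client") -> Optional[dict]:
    """Happy path: the client that started the flow finishes it with its own verifier."""
    verifier = make_code_verifier()
    code = server.authorize(client_id, make_code_challenge(verifier))
    return server.token(client_id, code, verifier)


def redeem_without_verifier(server: DemoAuthorizationServer, client_id: str = "demo-client") -> Optional[dict]:
    """Failure path: the code presented with any verifier but the original yields no token."""
    verifier = make_code_verifier()
    code = server.authorize(client_id, make_code_challenge(verifier))
    return server.token(client_id, code, make_code_verifier())  # fresh verifier, wrong by construction


if __name__ == "__main__":
    srv = DemoAuthorizationServer()
    print("own verifier   ->", run_pkce_flow(srv))
    print("other verifier ->", redeem_without_verifier(srv))
```

The two properties worth checking in any PKCE implementation are visible in `token()`: the code is consumed on first use, and the verifier is checked by recomputing the S256 challenge rather than by comparing stored secrets. The RFC 7636 Appendix B test vector is a convenient conformance check for the transform.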
@gaurav_upadhyay1 ohhhhhh i get it! thank you so much for taking the time, i really appreciate your deep dive :)
PicKey.ai
@cathcorm anytime!
App Finder
Just tried it since the developer messaged me, the idea sounded interesting and it got so many upvotes and comments here.
However, I'm not convinced at all.
To authenticate, you select a photo from your device (or another storage location). If someone gets access to your device, there's a significant chance he finds the key image by checking recently used files. The additional collectables might also be guessed by someone who knows you, at least if you chose one that's easy to access from the list.
Regarding taking a live photo every time, please provide an example of an object to use; obviously you'd have to always have it with you. The only thing I can think of here would be something like my face, in which case it's classic biometric authentication.
Someone might watch you select the image and collectable. There's a reason passwords are by default not shown on screen.
The whole advertised authentication process is NOT USED when you open the app, even after restarting the app or phone. Instead, the default iPhone authentication is used. So it's in effect not more secure than if you store your passwords in any text editor app that's protected by the default iPhone authentication.
With the Chrome extension, NO AUTHENTICATION AT ALL is required to show the saved passwords?!!! (And I don't find any setting to change that.)
Additionally:
iPhone app is 340MB?! (and still the collectables are loaded from the internet afterwards)
was released Oct 2022 but has just 4 ratings
I really don't understand why this product is featured and #1 of the day. PH is broken.
PicKey.ai
@konrad_sx thank you for your questions.
Let me answer them:
The authentication is not just based on an image and 3D collectable. It is a combination of:
Your device (verified with deep links)
Email
Time lock (the process alerts if not done in a given time window)
Image (we recommend taking a live photo using the camera, instead of using a photo from library for better security).
3D Collectable.
Also, clicking the image from live camera, solves the device compromised problem.
The app requires physical possession of the device (deep links, email verification and timed windows); even if someone sees your image and collectable, they cannot log in due to these additional factors.
When you reopen the app, biometric re-authentication is enforced, which is standard practice in password managers. For extremely security-conscious users, do you believe having a full login again would give better security (at the cost of usability)?
In the app, passwords cannot be revealed without biometric re-authentication on device, are hidden by a string of asterisks, have to be manually revealed, and are always stored encrypted.
The collectables are 3D files and are loaded on demand only when the user needs them.
We have just launched a complete rewrite of the older app, incorporating all of the feedback we received from the previous version.
I am happy to go over more points that you may have in terms of feedback, but we genuinely believe that the app considers all of these factors and balances usability with security.
App Finder
@gaurav_upadhyay1
Email authentication is not required to retrieve passwords. Device and time lock are the same as any simple password manager. Regarding the live photo, I had added a question in my comment: please provide an example of an object that's always available to photograph.
This is the same as with any simple password manager.
As it is, it's not more secure than any simple password manager using biometric authentication only and encrypting the passwords in a standard way.
Why is the app so large?
Can you provide any authentic review since PicKey was launched in 2022, or any evaluation by an actual security expert?
You didn't comment on the fact that the Chrome extension reveals passwords without any authentication (I only tried with a self-chosen password; maybe it's different with generated passwords, but in any case there is no reason to treat self-chosen passwords differently in this regard).
PicKey.ai
@konrad_sx thank you for the questions.
Let me answer them here:
1. For revealing each password (for certain highly secure user requirements), we can quickly add an on-device verification OTP. However, this feature may be used by users who are extremely security conscious and do not value usability.
Objects that you want to always take a live camera photo of could be as simple as your wristwatch, headphones, or any personal treasured item that only you would want to remember as a master password. Not only that, you can click any public monument (for example the Statue of Liberty, which you can quickly find). The possibilities are endless; you can create multiple master keys using different images as well and use any of these keys to log in.
2. If you are referring to re-verification on each password usage/autofill for specific advanced users, the one-time device code approach should solve it.
The entropy from an image is exponentially greater than any master password used in a traditional password manager. For a typical master password, we will have about 94 options per character (a-z, A-Z, 0-9 and special chars), whereas a single pixel can hold more than 4.2 billion combinations (RGBA). Over an HD image, the combinations are practically infinite times more than any traditional password manager with a text based master password.
The app has several user guidance tutorials for users to understand this novel innovation well and to hand-hold them wherever needed, and many of them are video files, which may be contributing to its overall size.
This is our rewrite of the older app based on the user feedback we received. We will continue to incorporate user feedback in all aspects of usability and security.
I think for the app and the extension, for really advanced and security-conscious users, we can enable one-time verification. But in terms of users, these are an extremely small set of users, yet we will be happy to take feedback.
App Finder
@gaurav_upadhyay1 Thanks for your answers, but several of my main points have not been disproved, and my initial assessment that this password manager is very flawed, at least the current version, is unchanged. I'm certain no security expert would recommend it. I don't have time to engage in further discussion. If you at any time have an assessment from a real and independent security expert I'm happy to check it.
Congrats on your launch! Looks to be a very cool idea and concept. How is it safer to use an image over a complex text password that I am using currently?
PicKey.ai
@sudhir_mishra1 Thank you so much, and it is a great question you have.
A complex text password is made from the keys of your keyboard, so you will have only about 94 options (a-z, A-Z, 0-9, special characters) per position to create this password.
Whereas in PicKey, a single pixel will have more than 4.2 billion combinations (RGBA). If you take a regular HD image, the possibilities are practically infinite compared to traditional complex text passwords.
Not only is PicKey's Master Key more secure against brute force, it is also several times easier to remember, because humans remember visual things much better than 16-digit complex passwords.
Does that answer your question? If you'd like I'd be happy to go into some more math in detail.
ConnectMachine
Is this app geared towards enterprise and B2B adoption too? For example, team access sharing?
PicKey.ai
@syed_shayanur_rahman great question. Thanks for asking.
The main invention is to use AI (and optionally Lidar) to turn photographic memory into an authenticator.
The natural entropy is practically infinite as it is unique to the world around each person (digital and physical) and is the main upgrade in terms of entropy based cybersecurity.
You are absolutely correct that the same tech/mechanism can be used to create other products like B2B and enterprise tech/team etc.
PicKey.ai - visual password manager is the first product we've created using this tech. But the main invention can be applied to several cybersecurity markets as you've pointed out.
Quick question: in your opinion, which B2B/Enterprise applications will this be able to help the most?
MagicPass sounds powerful... how does recovery work?
PicKey.ai
@himani_sah1 thanks for your question.
When you create a MagicPass password in PicKey, we only store an index (like Facebook is #3) and the rules you need in your password (uppercase/lowercase/special chars, etc.) but do not store the password anywhere.
But when you autofill this password into Facebook (or whatever website you've created it for), our AI + math regenerates the exact same password value using several math functions that are run in a specific sequence.
You can think of it as a Deterministic Hash Generator, run in sequence with your photo's memory and rules as inputs.
Would you like a slightly more technical answer to this? I'd be happy to get into it too.
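The "Deterministic Hash Generator" described in the reply above, as an added example of how a stateless scheme of that kind can be built: this is my sketch, not PicKey's algorithm, and it says nothing about how PicKey actually derives anything. The master secret, the HKDF salt, the `info` layout, the special-character set and the `SiteRules` record are all constructed for the example. The only per-site state it persists is `(site, index, rules)`; the password is recomputed from the master secret on every use.

```python
import hashlib
import hmac
import string
from dataclasses import dataclass
from typing import Iterator, List

# Added example, not PicKey's code: a stateless "deterministic hash generator" for
# site passwords. The persisted per-site record is (site, index, rules) only; the
# password is recomputed from a master secret each time, so nothing password-shaped
# is stored. The master secret below is a constructed byte string standing in for
# whatever a master factor is reduced to.

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SPECIAL = "!@#$%^&*()-_=+"  # constructed set; a real deployment matches each site's policy


@dataclass(frozen=True)
class SiteRules:
    """The per-site record that is stored; bumping `index` rotates the password."""
    site: str
    index: int = 1
    length: int = 16
    upper: bool = True
    digit: bool = True
    special: bool = True

    def required_classes(self) -> List[str]:
        return [c for c, on in ((UPPER, self.upper), (DIGITS, self.digit), (SPECIAL, self.special)) if on]

    def alphabet(self) -> str:
        return LOWER + "".join(self.required_classes())


def _hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def _hkdf_stream(prk: bytes, info: bytes) -> Iterator[int]:
    """RFC 5869 HKDF-Expand as an unbounded byte stream (demo ignores the 255-block cap)."""
    t, counter = b"", 1
    while True:
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha256).digest()
        yield from t
        counter += 1


def _pick_index(stream: Iterator[int], n: int) -> int:
    """Uniform index in [0, n) by rejection sampling, so there is no modulo bias (n <= 256)."""
    limit = 256 - (256 % n)
    while True:
        b = next(stream)
        if b < limit:
            return b % n


def derive_site_password(master_secret: bytes, rules: SiteRules) -> str:
    required = rules.required_classes()
    if rules.length < len(required):
        raise ValueError("length too short for the required character classes")
    # Bind the key stream to site, index and length: a different record yields an
    # unrelated stream, and a bumped index yields a fresh password for the same site.
    prk = _hkdf_extract(b"constructed-demo-salt", master_secret)
    info = f"v1|site={rules.site}|index={rules.index}|len={rules.length}".encode()
    stream = _hkdf_stream(prk, info)

    slots: List[str] = [""] * rules.length
    # Guarantee each required class: put one of its characters at a stream-chosen
    # free position, then fill the remaining positions from the full alphabet.
    for cls in required:
        free = [i for i, c in enumerate(slots) if not c]
        pos = free[_pick_index(stream, len(free))]
        slots[pos] = cls[_pick_index(stream, len(cls))]
    alphabet = rules.alphabet()
    for i, c in enumerate(slots):
        if not c:
            slots[i] = alphabet[_pick_index(stream, len(alphabet))]
    return "".join(slots)


def satisfies_rules(password: str, rules: SiteRules) -> bool:
    """The policy check a site would apply; used to confirm the derivation honours the rules."""
    alphabet = set(rules.alphabet())
    return (len(password) == rules.length
            and all(ch in alphabet for ch in password)
            and all(any(ch in cls for ch in password) for cls in rules.required_classes()))


if __name__ == "__main__":
    master = b"constructed-master-secret"        # placeholder for the real master factor
    fb = SiteRules("facebook.com", index=3)      # the kind of record the reply describes
    print(fb.site, "#3 ->", derive_site_password(master, fb))
    print(fb.site, "#4 ->", derive_site_password(master, SiteRules("facebook.com", index=4)))
    print("same inputs, same output:", derive_site_password(master, fb) == derive_site_password(master, fb))
```

Two consequences follow from the design and are what a practitioner would check before trusting any scheme of this shape. Rotation after a site breach is done by changing the stored record (the index), never the master secret, because the master secret feeds every site's derivation. And "recovery" means only re-supplying the same master inputs: if they are lost, or if the master secret is ever regenerated differently, every derived password changes at once and the old values cannot be read back from anywhere.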