1U Password Manager Review

These days we're just as likely to visit a secure site using a mobile device as a Mac or PC, so many modern password management utilities include the ability to sync with mobile devices. The free 1U Password Manager goes a step further; it manages passwords on your desktop, but actively requires that you use a mobile device for biometric authentication. I'm very impressed with the authentication technology, but not quite as impressed with the password manager itself.

There's no master password with 1U. It relies entirely on biometrics, specifically face recognition. With everyone constantly taking selfies, you won't look out of place when you authenticate by centering your face in 1U's field. There's only one you, and only your face can unlock your saved sites, according to the company.

Note that this product is specifically offered for personal use. The license agreement says so, and the installer warns that it might not even work properly on a business network.

Similar Products

LastPass

 

 

Check Price Read Our LastPass Review

4.0

Excellent

Dashlane

 

 

Check Price Read Our Dashlane Review

4.0

Excellent

PasswordBox Premium

 

 

 

Read Our PasswordBox Premium Review

4.0

Excellent

RoboForm

 

 

Check Price Read Our RoboForm Review

4.0

Excellent

LogMeOnce Password Management Suite Ultimate

 

 

Check Price Read Our LogMeOnce Password Management Suite Ultimate Review

Advanced Biometrics
In the movies, spies get past facial biometrics by displaying a picture of the account holder, or (shudder!) positioning the holder's dead body in front of the camera. These techniques probably wouldn't even get past 1U's basic biometrics, but, for added security, you can require a test of liveness.

1U's liveness detection relies on a simple collection of six facial gestures. You can raise your eyebrows, smile, move your head up and down, move it back and forth, and look left or right. At its simplest, liveness detection requires that you perform a single predefined gesture, prompted by 1U. You can require a sequence of two or three gestures, with prompts. At the toughest level, you must perform your gesture sequence by memory, without prompting from 1U. You can also add a TouchID requirement, if your iOS device supports it. Try faking that, James Bond!

Getting Started
You start by downloading the 1U app from the iTunes store or Google Play store. After installing the app, you create an account and confirm your phone number using a code sent via SMS. Once you've successfully recorded your facial biometrics, 1U will send an activation email. This email contains the link to download 1U's desktop manager to your PC or Mac desktop.

The desktop manager can import passwords currently stored in your browser, and optionally delete them from the browser's insecure storage when finished. Good luck finding this feature, though. It's well-hidden as the only action (other than "About…") on the 1U system tray icon's menu.

There's no option to import from Dashlane 3($0.00 at Dashlane), LastPass 3.0, RoboForm Everywhere 7($16.68 at RoboForm), or other popular password managers. You can't export your 1U data, but you can optionally back it up to Dropbox, either manually or on a schedule. Abine Blur($39.00 Per Year at Abine, Inc.) uses Dropbox too, but for synchronization between devices, not just backup.

On the desktop, 1U behaves as expected. It offers to capture credentials when you manually log in to a secure site. When you revisit a site with saved credentials, a 1U icon in the username field indicates that credentials are available. Click it to automatically fill them in, or to display a menu if multiple credential sets are available.

You can give each saved login a friendly name at capture time, or by editing the entry later. 1U will automatically categorize certain known websites; for example, it put my Yahoo mail login into the Email category. Of course you can change categories later. I did find that, although the category field allows data entry, user-defined categories aren't saved.

For the most sensitive sites, you can crank up security by requiring a degree of liveness, adding fingerprint recognition, or both. You do have to configure your gesture patterns before you can require liveness detection for a site.

Predefined Default Sites
1U's designers have analyzed 30 popular sites and created special forms for loading all necessary details. These include sites that baffle many password managers. In particular, 1U handles the two-part SiteKey login used by many financial sites.

I checked out the login system for the Bank of America site, which uses SiteKey. 1U included all necessary fields, including the account location and security questions. That information is important, because when you log in from an unfamiliar device the site will require additional information.

Hands-On With 1U
I created a 1U account and installed the plug-in for my browsers on two test PCs, then started logging in to various sites. It offered to save my personal Google and Yahoo mail logins, though it took unusually long to make the offer. 1U responded more quickly for several other sites.

Each time I added a site, I got a notification on my phone that the site list had changed. I didn't realize this meant I had to swipe down on the site list to sync the new entries. When I tried to log back in to my saved Gmail, I got a "Site not defined" error. Swiping to refresh the list solved that problem.

Changes on either one of the test systems visibly synced to the iPhone, but didn't automatically sync to the other PC. To pick up changes on the other system, I clicked the Sync button. Nothing seemed to happen, but when I pressed F5 to refresh the page in the browser, my new sites appeared. I did find it necessary to keep the iPhone out and ready, as most 1U events required presenting my face for recognition.

I tried and tried to make 1U capture my work Gmail account and alternate Yahoo account, without success. The only way I managed was to let Internet Explorer capture the logins and then import them. I could also have manually entered my credentials. My Hoyos Labs contact confirmed that 1U does not capture alternate credentials for a site that it has already recorded.

I discovered one interesting feature by accident. On the iPhone, a tab labeled Devices listed the phone itself and my two test PCs, with the iPhone checked as active. I tapped one of the PCs to make it active, then launched a saved website. After facial recognition, nothing happened on the phone. Instead, the site launched and logged in on the designated PC. I like that!

Face to Face with 1U

Each time I launched a saved site on the desktop, 1U pinged my phone requesting facial recognition. However, the app didn't always open to the recognition page. When it didn't, I had to cancel the login and try again.

I didn't have the greatest luck with liveness detection. 1U had a very hard time detecting raised eyebrows and glancing to the left or right, perhaps because I wear glasses. Even the head movement gestures weren't always recognized. The one gesture that always worked for me was smiling.

So, is liveness detection necessary? I snapped a selfie in the same office location I had been using for 1U authentication and printed it out in high resolution. The first time I tried to authenticate with the photo, 1U rejected it, warning that after five failed attempts it would wipe my account. But the second time, I logged in just fine using the photo. Liveness is important!

Mobile-Only Features
Some of the product's features are only available in the mobile edition. Password generation is one such, which seems a bit odd to me. I'm much more likely to use a desktop browser when creating a new account.

The password manager is also a tad disappointing. Even though the 1U website warns that a six-character password can be hacked in mere minutes, the default password length is six characters. You also don't get full control over character sets used. There are three choices: letters (both upper and lowercase), letters and numbers, or letters, numbers, and special characters (the default). There's also no guarantee that all the specified character sets will be used, especially when the password is short.

Swiping left on an item in the sites list brings up three choices. You can delete or edit the site's details, which you could also do on your desktop. You can also choose to share credentials with another 1U user, something you can't do from the desktop, though the site management list flags shared logins. The recipient of your share can use the login, but can't see the password. A similar feature in LastPass and Dashlane lets you choose whether or not to make the password visible.

What's Not Here
Dashlane, LastPass, and a few other top password managers can generate a password strength report with links to help you fix weak or duplicate passwords. Many competing products include the ability to fill Web forms with personal data such as address information and credit card numbers. Dashlane, PasswordBox Premium, and LogmeOnce Password Manager Ultimate handle inheritance of credentials in the event of your demise.

Password management in 1U is pretty basic, and doesn't include any of these advanced features. Unusually, it can't even capture a second set of login credentials for a given site. And, as noted, it won't import data from your current password manager. Still, it gets the job done.

Biometrics in the Spotlight
When you consider 1U Password Manager, the star feature, head and shoulders above anything else, is the advanced biometric authentication system. There's only one you, as they say, and only your face can unlock your stored credentials. Add advanced liveness detection and you've got a near-unbeatable authentication system.

The password manager component itself could use some work, in particular on the user interface. Important features are scattered, some mobile-only, others hidden in out-of-the-way places. You can definitely go ahead and give it a try—it's free, after all. For myself, I look forward to an update in which the password manager component is as impressive as the biometrics.

Our current Editors' Choice for free password managers is the venerable LastPass 3.0. LastPass 3.0 Premium($36 Per Year at LastPass) and Dashlane 3($0.00 at Dashlane), also Editors' Choice products, aren't expensive.

How Your Password Was Stolen