When you enable the biometric unlock feature, you can access your logins stored in ExpressKeys without typing your vault password, making it easier for you to take control of your password security.

ExpressKeys was built according to industry best practices for secure apps and cloud infrastructure, including extensive threat modeling and security assessments.

ExpressKeys cannot access your biometrics data

Android only tells ExpressKeys whether biometric authentication succeeded or failed. ExpressKeys can neither access nor store any data associated with the enrolled biometrics.

Your vault password keeps your data protected

The biometric unlock feature does not replace your ExpressKeys vault password or weaken the security of ExpressKeys.

Even when the biometric unlock feature is enabled, your data stored in ExpressKeys is always encrypted with your vault password and protected at all times by zero-knowledge encryption.

Biometrics and vault password security

When you enable the biometric unlock feature:

  • An encryption key is generated by Android and held by Android Keystore.
  • Your vault password is encrypted using that key; the encrypted version is securely stored and can be accessed only by the ExpressKeys app, not by any other apps or services.
  • Upon successful biometric authentication, ExpressKeys gets access to the encryption key held by Android Keystore and uses it to decrypt the vault password and unlock your logins stored in ExpressKeys.

When you disable the biometric unlock feature:

The encryption key held by Android Keystore and the encrypted version of your vault password are deleted immediately.

When you sign out of or uninstall the ExpressKeys Android app:

Your vault password is removed from Android Keystore by ExpressVPN when you sign out of the app. When you uninstall the app, both the vault password and the encryption key are removed from Android Keystore.

When a new biometric is added to your Android device:

  • The encryption key held by Android Keystore is invalidated and the encrypted version of your vault password is deleted.
  • You will no longer be able to unlock ExpressKeys with biometrics until you enter your vault password again. This ensures your logins are safe even if someone is able to add their biometrics to your device without your consent.
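
The key lifecycle described above (a Keystore-held key gated by biometric authentication and invalidated when a new biometric is enrolled) can be expressed with the Android Keystore API as follows. This is an added example, not ExpressKeys' own code; the key alias, the function names, the choice of AES-GCM and a minimum of API level 24 are assumptions.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

private const val KEY_ALIAS = "vault_unlock_key" // hypothetical alias

// Enabling biometric unlock: the AES key is generated inside Android Keystore
// and its raw bytes are never exposed to the app.
fun createUnlockKey() {
    val spec = KeyGenParameterSpec.Builder(
        KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setKeySize(256)
        .setUserAuthenticationRequired(true)       // each use needs a fresh authentication
        .setInvalidatedByBiometricEnrollment(true) // enrolling a new biometric kills the key
        .build()
    KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        .apply { init(spec) }
        .generateKey()
}

// Unlocking: returns a cipher to wrap in BiometricPrompt.CryptoObject, or null
// when the key is missing or was invalidated by a newly enrolled biometric.
fun decryptCipherOrNull(iv: ByteArray): Cipher? {
    val keyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    val key = keyStore.getKey(KEY_ALIAS, null) as? SecretKey ?: return null
    return try {
        Cipher.getInstance("AES/GCM/NoPadding").apply {
            init(Cipher.DECRYPT_MODE, key, GCMParameterSpec(128, iv))
        }
    } catch (e: KeyPermanentlyInvalidatedException) {
        keyStore.deleteEntry(KEY_ALIAS) // drop the dead key
        null // caller deletes the stored ciphertext and asks for the vault password
    }
}

// Call only with the cipher returned in onAuthenticationSucceeded(); a cipher that
// was not authorized by the biometric prompt fails here instead of decrypting.
fun decryptVaultPassword(authorized: Cipher, ciphertext: ByteArray): ByteArray =
    authorized.doFinal(ciphertext)
```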
