heylogin

The way I look at heylogin, is that it's a nice password manager for less tech-savvy people. The point of this password manager is that you actually don't have to remember any passwords, which is especially good for people who tend to forget their passwords. Heylogin is as secure as your phone, so if your lockscreen sucks, your passwords could be easily compromised. Technically, if you lose your phone or it gets stolen, provided you have a good PIN on your lockscreen, you shouldn't have a problem.

The vault backup feature is also a nice way of deactivating the old device. It is a cloud-based password manager, so it will never be as secure as an offline one, like KeePassXC. However, I will say this: using this is better than reusing passwords.

The main advanteges:

• Very convenient and easy-to-use.
• Supports secure password generation and you can easily and seamlessly create new logins with it.
• The login overlay feature works quite well, suprisingly. I haven't ran into any major problems using it yet.
• Supports TOTP for login entries, meaning it can act as your 2FA app for an even more seamless login flow.
• Has a security whitepaper.

The main disadvantages:

• Not open source. This removes a huge chunk of trust, this is probably the main reason why this is not my main password manager.
• Limited language support. Currently they seem to only have English and German languages. When I asked them, they've said they are looking into community translations.
• Entries are mainly for login. Credit card entries are coming soon. Secure notes are kinda supported, but you have to misue the login entries by not adding any usernames or passwords.
• Browser addon pop-out is not very usefjl. Login management happens in a web UI, which is fine, but sometimes less ideal.
• No desktop app for login management.
• Their team is quite small, so development is a bit slow.
• They seem to focus more on corporate usage (managing company logins) than on personal usage. I think this is somewhat a missed opportunity, however, I heard there will be some new features for personal as well this year.

More info about the smartphone login process and potential issues with it:

• When adding a new browser, you scan the QR code in the heylogin app and it logs you in on the PC and you can manage your logins immediately. You can also install the heylogin browser extension if you haven't already and that is responsible for creating the login overlays on external sites, providing a convenient login experience. No problem with this, provided you don't scan random QR codes, especially not in your password manager.
• If you are logged into a browser, you will be timed out after 15 minutes (this is the default, you can adjust on the web vault). This only prevents the management of logins, which prompts a notification on your smartphone, which you can approve and then you can manage logins again. This does NOT prevent whoever is using the computer from logging into external sites with your credentials, however.
• After 24 hours you will get "logged out" from the browser extension and web vault. This WILL prevent users from login management AND using the credentials on the websites, and attempting either will prompt a notification/login on the smartphone which can be approved with one tap. You can also manually log out using the smartphone.
• You can completely "delete" a browser on your phone, logging you out and removing it from that browser completely. You need to setup that browser using the QR code again later, if you want to.
• This "one tap to login" has flaws in my opinion. The lockscreen protects unathorized personnel to unlock your password manager, but if you have biometrics set up, touching the fingerprint reader instantly logs you in. The smartphone login overlay also shows up on the lockscreen and does unlock the moment you provide your fingerprint. Not sure about iOS, FaceID. You CAN deny these login attempts by pressing the 'X' on the top right corner but the user at your computer can just try again. You can, of course, "delete" the browser as described earlier than they are out of luck...
• But they aren't. You see, heylogin has a backup feature, in case the QR code can't be read, where you can instead use the email address and login that way. Imputting your email address will send a notification to log in, but you have to input the code shown on the computer's screen to actually login. This has a major flaw, as you can deny the request, but they can just try again and again forever. No way of banning these attempts at all. Yes, an attacker can't login this way, beacuse you need to use the correct code, which changes every attempt, but they can annoy the hell out of you. I've already made the devs aware of this issue and they said they are working on it. Still, it's a big bummer this slipped past right them.

All in all, it's not as good as Bitwarden or KeePassXC, however, I can still recommend it, especially for less tech-savvy people, as not having to remember passwords is huge. Also, having this password manager (and possibly having the TOTP codes inside) is still miles more secure than reusing passwords and not having 2FA.