2. Authentication

d2dyno edited this page Aug 29, 2025 · 2 revisions

Authentication Methods

SecureFolderFS offers a range of authentication methods to suit your preferences. In addition to configuring a primary credential, you can optionally set up two-factor authentication or complement your primary login method (see Complementing Primary Credentials below).

Available Login Methods

Supported authentication methods include:

  • Password
  • Key file
  • Windows Hello
  • Android Biometrics
  • Apple Face ID, Touch ID
  • YubiKey (coming soon)

Complementing Primary Credentials (coming soon)

For added convenience, you can set up an alternative authentication method to use alongside your primary one. To enable this, choose your preferred secondary method and select the "Complementation" checkbox. You will then be able to log into your vault using either method.

Cryptographic Keys Preservation

Be aware that disabling or modifying biometric authentication methods through your system settings may invalidate associated cryptographic keys, making vault access impossible without recovery:

  • Windows Hello – Changing or disabling Windows Hello in your system settings will invalidate stored keys in the Trusted Platform Module (TPM), preventing vault access.

  • Apple Face ID, Touch ID – Modifying these settings will invalidate keys stored in the Secure Enclave, locking you out of your vault.

  • Android Biometrics – Adjusting biometric settings may invalidate keys in the Android Keystore System, resulting in loss of vault access.

Important

To avoid these issues, either remove the associated authentication method beforehand from 'Vault Properties' or use your Recovery Key to reset your credentials.

Security Considerations

This section outlines key security practices and features you should be aware of when using the app.

Handling of Recovery Keys

When you create a new vault, a private, unique, and immutable Recovery Key is generated. This key is used exclusively to regain access to that specific vault and can be used at any time to recover or reset your associated credentials.

It is strongly recommended that you securely save, print, or write down the Recovery Key and store it in a safe location. Alternatively, you may store it on an external device such as a USB drive — ensuring in all cases that only you have access to it.

Note

If a Recovery Key is ever compromised, you must create a new vault, which will generate a new Recovery Key.

Warning

If you lose your Recovery Key and later lose or forget your credentials, you will not be able to regain access to your vault. Data recovery is impossible without the recovery credentials.

Protecting Access Credentials

In addition to Recovery Keys, the security of your access credentials is critical. Use strong, unique passwords for each vault and avoid reusing passwords across different services. Where supported, enable biometric authentication or hardware keys to enhance security.

Never share your login credentials with anyone. The application does not store plaintext passwords, and even developers cannot retrieve your vault contents without your attestation.
