McAfee True Key Review
A highly user-friendly and secure password manager, we hesitate to truly recommend McAfee True Key to anybody except large businesses. While it has the best multi-factor authentication functionality out there, it's weak on features and a bad fit for individual users.
Free plan available
Formerly True Key by Intel Security, True Key is now owned by McAfee, an antivirus provider that we think is about okay, as you can see in our McAfee Total Protection review. This password manager, which is included with Total Protection, has an interesting focus on multi-factor authentication, so much so that it lacks functionality we’d expect from similar software.
In this True Key review, we’re going to cover everything we liked and didn’t like after spending time with it. We’ll discuss features, pricing, user-friendliness, security and support before giving our verdict.
True Key is one of the most user-friendly password managers, but it won’t be making our best password manager guide without serious updates. This auxiliary product feels similar to other McAfee acquisitions, most notably TunnelBear (read our TunnelBear review).
Like that virtual private network, it performs its namesake function well, but doesn’t stand out.
- Free plan
- Multi-device sync
- Multiple authentication options
- Simple interface
- Stores multiple entry types
- Lacking features
- Limited import options
- No custom fields
True Key lacks features. Its claim to fame is its robust number of authentication options, which sets it apart in the password manager market. Other features are missing or subpar versions of options available elsewhere.
The basics are there, though. True Key supports multi-device sync on its free and paid plans, with support for Windows, macOS, iOS, Android, Chrome, Firefox and Microsoft Edge. Those who use Edge get a few interesting features, including authentication with Windows Hello and Windows face recognition.
Despite supporting multiple operating systems, True Key doesn’t offer a desktop experience. You can download a local application, but it’ll just open your default browser. There are dedicated apps for iOS and Android, though.
Depending on the device you’re using, you’ll have up to seven ways to authenticate. The full list is in the security section below, but we wanted to highlight it here, too. True Key is unique in that it can be passwordless, allowing you to authenticate with any combination of the seven factors available. That has upsides for security and ease of use.
There aren’t any other features of note, though. True Key lacks basic functions, such as password sharing. Keeper is another feature-light password manager, but it still includes sharing, application auto-fill and a small amount of cloud storage (read our Keeper review).
Contrasted with options like Abine Blur (read our Blur review), True Key doesn’t look great. For around the same price, Blur offers extras such as a tracker blocker, email masking and vault backup.
True Key is dedicated to ease of use and, while we commend it for that, we can’t ignore the lacking feature set. Including basic functions, such as password sharing and application auto-fill, would only enhance the product, not detract from its clean aesthetic.
Even with the low price factored in, True Key doesn’t hit the mark set by other password managers.
Despite offering a free and premium option, True Key really only offers one plan. The free version is so limited in functionality, we are hesitant to call it anything more than a trial. Even so, the premium price is cheap enough that an upgrade is justifiable.
1-year plan $ 1.67/ month
$19.99 billed every year
The only difference between the two is the number of entries you can store. The free plan offers 15 and, while it also includes multi-device sync, it won’t be making our list of the best free password managers. Compared to LastPass, which offers unlimited storage and multi-device sync for free, True Key’s free plan doesn’t look good (read our LastPass review).
It should be noted that the 15-entry limit is specific to passwords. Storing notes, addresses, credit cards or anything else won’t count toward it. That makes the free plan more appealing, but you’ll still hit the ceiling for passwords quickly.
Premium can store unlimited passwords or, more specifically, up to 10,000. That’s the only difference between the plans, and it makes the value proposition strange. Instead of hiding additional features behind the paid plan, McAfee cuts the number of entries for the free plan, which forces you into paying.
We’ve already gone over True Key’s lack of features. A more robust set on the paid version and higher password limit on the free one would make it feel more well-rounded.
True Key’s strongest area is user-friendliness. It’s a web-based password manager that makes adding and organizing your passwords simple. While the auto-fill and auto-capture are rough around the edges, it still provides a good experience.
Installation is as simple as signing up for an account and allowing the browser extension to install. Clicking the extension will bring up the web interface in a new tab.
Setting Up Your Passwords
There are a few ways to add logins from there. If you’re coming from another password manager or have passwords insecurely stored in your browser, you can import them by clicking the gear icon in the top right corner and selecting “import.”
True Key accepts files from LastPass, Dashlane, Lenovo ThinkVantage, Chrome, Internet Explorer and Firefox.
Unfortunately, there isn’t an option for a generic .csv file. If you’re importing, you’ll also need to download the True Key desktop application. The program is solely for password import, as it just redirects you to a login page for whatever you’re trying to import from.
It isn’t a bad system, but it doesn’t feel optimized. Dashlane, for example, prompts you to import passwords from your browser during setup (read our Dashlane review). Most password managers handle import with a .csv file.
True Key, on the other hand, requires a 75MB desktop application that doesn’t seem to serve any real purpose.
Manually adding passwords is a good experience, though. From the main window, click the “add new login” button. It gives you three options: “import,” “browse” and “manual.” If you’re manually adding a password, there are fields for the entry name, the URL, your username and your password.
True Key doesn’t allow attachments or custom fields. While there’s an argument that not doing so helps user-friendliness, 1Password shows you can offer that level of customization without sacrificing usability (read our 1Password review). You can add custom notes to a password, but only after you add it to your vault.
While editing, you can configure three other parameters. You can make True Key ask for your master password each time you land on the URL tied to a particular entry, setup instant login and force True Key to only auto-fill on a specific subdomain.
The final option is to browse the internet and allow True Key to capture your logins as you go. That is the least intense method, as you’ll build your vault just by using the internet. True Key’s capture worked well, but it missed a few times, forcing us to log out and back in to try to capture it again.
True Key also supports notes, credit cards, addresses, passports, social security numbers, memberships and driver’s licenses. Each of those can be color coded, which is something we wanted to see for passwords, too.
Using True Key
True Key is unintrusive after you setup your passwords. You can use standard auto-fill or True Key’s instant login feature. Instant login will automatically fill and send your login data whenever you load the URL tied to the entry.
We tried to break this system by adding two PayPal accounts and setting them both for instant login. Sure enough, when we loaded PayPal, True Key didn’t attempt to log us in. After trying to do so manually, it pulled up both entries on our account and asked which we wanted to use.
Instant login worked well, when typing in a URL directly and when clicking on an entry in our True Key vault. The other aspects of True Key suffer, though, especially the browser extension.
The extension is simply a link to your vault. Clicking it just opens a new tab. You can’t view or edit your entries without opening the application. The biggest issue, though, is that it even forces you to open a new tab to generate a password.
There are similar usability problems with the mobile app. As we’ll discuss in the next section, True Key has a strong focus on multi-device authentication, so you’ll want to set it up on your mobile device. That isn’t too difficult, but you still have to enter your username and password.
A system like RememBear offers, where you scan a QR code to authenticate your mobile device, would work better (read our RememBear review).
Despite multiple references to the True Key white paper and an attempt to find it with support, we couldn’t find security documentation. The only thing we have to go on for this section is a short security FAQ in McAfee’s knowledgebase.
True Key uses end-to-end encryption, meaning no data ever leaves your device without first being encrypted. All encryption and decryption happens locally, too. True Key is zero-knowledge in its design, so no readable data is ever sent or stored on McAfee’s servers.
Data is encrypted with AES 256-bit, arguably the strongest blockchain cipher available, as you can read in our description of encryption. The key is generated from a salted version of your password, so brute force attacks are unlikely to be successful.
McAfee’s support documentation also references an RSA-2048 key used for password sharing. That is a method of encryption used for data in-transit where a public and private key pair must match to decrypt. What’s strange is that we couldn’t find password sharing options in True Key’s interface.
Like the numerous references to True Key’s white paper, password sharing looks like a future feature that McAfee got too trigger happy with.
There are unanswered questions. We’re uncertain how McAfee’s authentication works on a technical level and how secure instant login is. Support told us that a white paper that would likely answer our questions existed at one point, but has since been taken down.
The question is why. On its face, True Key is abiding by the standards we’d expect from a password manager with a zero-knowledge model, end-to-end encryption and a top-level cipher. Everything looks fine, but we can’t accurately compare it to the rest of the market by relying on a brief knowledgebase entry.
A Focus on Multi-Factor
True Key focuses on multiple factors to authenticate your devices. Across the four platforms it supports, there are seven ways to log in. Some operating systems won’t support all the login methods, though. For example, Windows Hello is, of course, only supported on Windows.
Here are all the authentication methods:
- Second device
- Master password
- Trusted device
- Windows Hello
We tested True Key mainly on a Windows desktop using Chrome. With that configuration, we were able to add four factors: password, email, device and second device. If you were using Edge, you’d be able to use Windows Hello, and if you had a fingerprint scanner and webcam, you could authenticate with those.
While you can setup all those factors, you won’t use all of them when you log in. True Key offers “basic” and “advanced” security in the settings, which translates to whether you want single-factor authentication or two-factor authentication.
It is configured for single-factor authentication by default. True Key will use your device key, which is generated during setup, and your master password to unlock your account. Switching to advanced will allow you to authenticate with a second device, fingerprint, face or Windows Hello, as well.
You can only choose two factors, though, and your master password doesn’t have to be one of them. You can go passwordless with True Key, authenticating with any two of the other options.
That brings a unique benefit with it. You can reset your master password with True Key, a feature that almost no other password managers have. As long as you’ve set at least two other factors up, you can use them to unlock your account and reset your master password.
Just because you can go passwordless doesn’t mean you should, though. A strong master password is still your best defence, as biometric authentication has its own security vulnerabilities. Even so, setting up multiple factors on your account can give you a backup plan in case you forget your master password.
True Key doesn’t use code-based authentication. You’ll never be sent a message and asked to enter a code to confirm your second factor. Because of that, it doesn’t integrate with the best 2FA apps and can’t be setup with hardware keys, such as YubiKey.
McAfee offers live chat and phone support around the clock, but you’re better off trying to fix problems yourself. The DIY options provide a faster support experience, which isn’t great considering it’s usually the more time-consuming route.
Our experience with support was rough. We contacted McAfee over live chat about where we could find True Key’s white paper. Our first attempt went to an agent who didn’t handle True Key, despite us clarifying that in our ticket request.
We were connected to support quickly, but after being transferred to another agent and waiting on a manager’s approval, it became clear that our support experience would be anything but. We stayed on the live chat line for nearly an hour, often waiting five or so minutes between responses.
At the end of that mess, we were pointed toward unhelpful knowledgebase reference numbers. We had to Google the reference numbers to find the articles our support representative was talking about, each of which provided little to no additional information.
Your best option, and our favorite one, is the forum. McAfee has a dedicated True Key forum that’s filled with people posting issues they’ve had with it. Thankfully, community members seem quick to respond.
Like the rest of the service, support feels like a small addition to the rest of McAfee’s lineup. Between the limited knowledgebase entries and confusing direct support route, True Key offers mediocre support at best.
True Key offers many authentication options, but not much else. The features are limited, the support is subpar and the ease of use has problems. The low price may be enticing, but there are better options for around the same rate.
It’s not without value, though. True Key’s snappy instant login, streamlined interface and no-nonsense pricing model make it a great choice for those who aren’t too hot on tech. It stores passwords, credit cards and more, and makes it easy to sync that data between your devices.
If you need more bells and whistles or even just want basic features, such as password sharing, you’re better off reading our other password manager reviews.
What do you think of True Key? Let us know in the comments below and, as always, thanks for reading.