passQi provides a single identity experience by storing your usernames and passwords securely in your phone, and automatically logging you in to sites simply by pressing a link in the bookmarks bar of your browser.
The first time you do this in your browser session, a QR code is displayed. Scanning this with passQi establishes a secure link between the phone and the browser. (This is called “bridging” passQi to the browser.) Encrypted data packages containing your username and passwords can now be exchanged, and you only have to click the passQi bookmarklet anytime you want to log in on a new site’s login page. passQi will securely retrieve the right password from your phone, and inject it into the login page. If passQi is suspended (in the background on your iOS device), an alert will be displayed prompting you to OK the login action. On an iOS 8 system, you simply need to “swipe down” the alert banner, and tap “OK” to complete login, without launching the app itself.
passQi is a new model in password management, and has many features. Please take the time to review the help pages. Also visit passqi.wpengine.com and check out the available videos.
To bridge passQi to a browser session, you will need to first drag the passQi bookmarklet to your browser’s bookmark bar. Get the bookmarklet at passqi.wpengine.com. passQi supports all modern browsers, as well as mobile Safari on your iOS Device running iOS 8 or higher; mobile Safari does not require configuration but rather uses an extension accessed by the share icon.
From any login page, click the passQi bookmarklet after you have copied it to your browser; if the app has not previously been bridged, a QR (Quick Response) code will be displayed.
Point the phone’s camera at it while viewing it in the app’s scanner view; hold it 3-5 inches from screen, and tap the screen if needed to get into focus. In a second or two, the app will recognize the code.
It can work best if you bring it in closely to focus, then slowly pull out. Different iOS devices will have different optimal focus ranges.
If this is the first time the app has seen a site, it will either get page tag parameters from the cloud, infer the structure if it is a “typical” login page, or begin to load and analyze the login page. It’s looking for the site-specific page HTML tags for the username and password fields, which is a (somewhat) arbitrary function of how the page was coded by the designer.
Once passQi has the login page figured out, you can enter your username and password credentials, which will be encrypted and stored securely on your device.
passQi will proceed to log you in by relaying your username and password to the browser bookmarklet; and the next time you click the passQi bookmarklet (assuming you are bridged), you will be automatically logged in.
Note that each distinct login URL on a site needs to be individually recognized; different URLs for the same domain will be linked to the same username and password by default. Sometimes what looks like the same page can have a slightly different URL in the browser’s URL bar. You will be prompted to confirm each time a new URL is linked with the associated user.
There are three special kinds of pages or login sequences that passQi can recognize only when bridged, as they are pages that require the user to have already authenticated: these are password reset pages, two-page login pages (username on first page, password on second) and for passQi+, two-step verification pages that are presented after (rather than with) the username password page. If the most recently authenticated host or user corresponds to the current host or user, or passQi can otherwise infer that the current page is likely one of these types, it will prompt you to confirm. Scanning one of these types of pages out of the expected sequence will make it unable to properly recognize the page.
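As an added illustration of the page recognition described above (not passQi's own code; the field-name hints and the classification rules are assumptions), this example takes a form's input fields and classifies the form as one of the page types the text mentions: typical login, two-page login, password reset or two-step verification.

```javascript
// Added illustration: the heuristics below are assumptions, not passQi's logic.
const USER_HINT = /user|login|e-?mail|account/i;
const SKIP = ['hidden', 'submit', 'button', 'checkbox', 'radio'];
const key = f => (f ? f.name || f.id || null : null);

// fields: objects shaped like HTMLInputElement ({type, name, id, autocomplete}),
// in document order; in a browser, Array.from(form.elements) fits.
function classifyLoginForm(fields) {
  const inputs = fields.filter(f => !SKIP.includes(f.type));
  const passwords = inputs.filter(f => f.type === 'password');
  const otp = inputs.find(f => f.autocomplete === 'one-time-code') || null;
  const textLike = inputs.filter(
    f => ['text', 'email', 'tel'].includes(f.type) && f !== otp);

  // Prefer an explicit hint; otherwise take the last text field that precedes
  // the first password field. With no password field, an unhinted text box
  // (a search box, say) is not treated as a username.
  let username = textLike.find(f => f.autocomplete === 'username' ||
    USER_HINT.test(`${f.name || ''} ${f.id || ''}`)) || null;
  if (!username && passwords.length > 0) {
    const cut = inputs.indexOf(passwords[0]);
    username = textLike.filter(f => inputs.indexOf(f) < cut).pop() || null;
  }

  // Two or more password fields look like a reset form, but form shape alone
  // cannot tell reset from sign-up; the page relies on the user already being
  // authenticated for that decision.
  let kind = 'unknown';
  if (passwords.length >= 2) kind = 'password-reset';
  else if (passwords.length === 1) kind = username ? 'login' : 'password-only';
  else if (otp) kind = 'two-step-verification';
  else if (username) kind = 'username-only';

  return { kind, username: key(username), passwords: passwords.map(key) };
}

// Constructed sample forms (not taken from any real site).
const SAMPLES = {
  typical: [{ type: 'hidden', name: 'csrf' },
            { type: 'email', name: 'email', id: 'login-email' },
            { type: 'password', name: 'pass' }, { type: 'submit', name: 'go' }],
  unhinted: [{ type: 'text', name: 'f1' }, { type: 'password', name: 'f2' }],
  reset: [{ type: 'password', name: 'current' },
          { type: 'password', name: 'new1' }, { type: 'password', name: 'new2' }],
  firstPage: [{ type: 'text', name: 'identifier', autocomplete: 'username' }],
  otp: [{ type: 'text', name: 'code', autocomplete: 'one-time-code' }],
  search: [{ type: 'text', name: 'q' }],
};
```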
Once passQi is ready to send your username and password, it will ask if you want to simply log in once, or remain bridged.
By choosing the bridging option, you can exit the passQi application using the home button, and either leave your phone idle, or use other apps. passQi will respond to a confirmation alert the next time you click the bookmarklet on a new site’s login page. Swipe the alert banner down (on iOS 8) and tap “OK”; on iOS, simply tap the banner and passQi will launch to process the request. (The iOS 8 “action notifications” use the same type of interface as the iOS Messages app, which lets you reply to a message without actually launching the app.)
In order for Bridging to work, notifications need to be enabled for the passQi app.
If multiple users are associated with a given site in the Vault, then while bridged, the “last used” set will be assumed; to switch users, you must pause bridging (Tap “Options”) and tap on the desired “default user” in the site detail inside the Vault. Tapping on a username in a list of usernames will cause a target to appear next to the username, indicating it is the new default user. To add a new user while bridged, you can use the “Add” button at the bottom of the vault view. Be sure that you use the correct site hostname so that the new user will be correctly associated with the site when you bridge. Creating a new user automatically sets it as the new default user.
The usual behavior when the bookmark is clicked while bridged is to simply relay the username and passwords or, if the app is in the background, to prompt the user with a notification. With iOS 8, the user only needs to swipe down the notification and tap OK to relay the username and password, without re-launching the app.
However, this default behavior assumes that you have already created an entry in the Vault for the particular site. If the site is not known or if entry of username and password is required, the required workflows will be triggered if the app is in the foreground. If the app is in the background, a notification will be displayed and if the app is launched, either by tapping the notification or from the home screen, the corresponding workflow (page recognition, password reset) will appear. If there is no user action, the bookmark will time out and the notification will be discarded.
You can end the bridged session simply by tapping the “Options” button on the “Bridged” screen that is displayed when the app is bridged. Future attempts to log in by a user tapping the passQi bookmarklet in the browser will cause a failure message to be displayed, followed by presentation of a QR code (to re-establish bridging). You can also unbridge by clicking the “Unbridge” button on the bookmarklet control panel which appears whenever you click on the bookmarklet in your browser and a bridged session is active. Certain events will also trigger the bookmark to signal the end of the bridged session. If the passQi app is in the Vault when the bookmark is clicked, a “busy” signal will be sent, and the request discarded.
When the application recognizes a site and tries to use your existing credentials, and is presenting you with the PIN keyboard, you may tap the “Switch User” button instead, and either add another user, or switch to another user already in your vault (for that domain). The most recently used user becomes the current default next time the site is scanned. If Touch ID is enabled, tap the “Use PIN or Switch Users” option, and the PIN input with its ‘switch users’ button will display.
passQi usually operates on its notion of the “current active user” if there are multiple users for a domain. When you list users under a domain in the Vault, you will see a “target” to the left of the active user. To switch active user, tap the user you wish to make “active”; the next login will attempt to use this user. Opening a user’s password management page will also make it the active user.
The Vault is the secure area of your application, and your PIN (or Touch ID) is required to enter it. It contains your account passwords and settings.
Although you don’t usually need to reference the passwords in the Vault, you can view them and other settings by tapping the “Vault” button in the scanner view (or “Options”, then “Pause Bridging”, if you are in bridged mode).
The Accounts view lists all of the domains whose accounts are known to the application; tap one, and you are given detail on the username and password credentials. Delete entries by swiping the row.
From the detail view, you can edit the password if you want (e.g. if you made an error when first entering it, or have changed your password). You can also unlink specific URLs by swiping the item in the “Recognized URLs” table, which is displayed when you tap the arrow on the site home page graphic and flip it over.
If you have the passQi+ edition, the account view is where you will initiate the configuration of two-step verification for a site.
You can also type “add” to manually add a username and password for a site, rather than scan it first; if the domain name has been properly entered, it will be matched later if the site is scanned and recognized.
Devices with Touch ID will automatically use it for Vault authentication after the first PIN entry. You may alternatively use the PIN each time instead.
passQi can automate password reset, that is, synchronize password reset in the app with a password reset action on a target site’s password reset page in the settings. This is only available if you are bridged and (of course) logged in, that is, you must have previously authenticated with passQi to perform the password reset operation. Simply navigate to the site’s password reset page, and click the passQi bookmark; in most cases, if the page has a password reset form, and you are already logged in, passQi will infer that you wish to perform a password reset. When a password reset page is recognized, the app will prompt for a new password; it also has the option of generating a complex password — this is highly recommended as it is much more secure to have a complex password.
The passQi+ version of the product supports two-step verification, a form of two-factor authentication. Its use is described here.
From the Vault, you can control Security options such as the number of failed PIN attempts, and other settings including setting a Passphrase — which will allow you to login to the Vault and access your passwords even if there is no network available.
PIN authentication always checks with the cloud to make sure that the application hasn’t been deactivated; this allows support for remote deletion of your password database.
See here for more about Settings.
On iOS 8 devices, you can use passQi in mobile Safari in the same way as with a desktop or laptop browser, excepting you do not need to perform a QR scan. If you are using iOS 8, the bookmarklet is available as an extension; it is accessed using the “Share” icon in Safari, and enabled by tapping the “More” button and turning it on.
Once you are bridged, clicking the extension in the Safari browser will cause passQi to prompt you from the background and log you in, without leaving the browser. If you are unbridged, it will launch passQi; after completing the initial authentication, it will re-launch Safari. Usually it will return you to the page you were on; in some cases, another page may be on “top” and you simply need to navigate to the original page using Safari. Note that using the mobile browser will automatically unbridge you from a desktop browser session.
Note that in order to use bridging with the passQi bookmark, you need to have “Allow from websites I visit” selected (and be sure to visit www.passqi.com at least once from your mobile Safari browser).
If you are running passQi on iOS 8 or greater, a “smart Clip” feature is available which can be used to easily copy username and password information from your Vault into your clipboard so they can be used to log in to mobile apps. By tapping the paper clip icon in the Vault listing, and exiting the app, you can launch an app needing a username and password, and the username will have been copied into the clipboard to be pasted into the username field of the app login. In a few seconds, an “active alert” will pop up, and if you swipe it down, there will be an option to next copy the password and/or the two-step verification code into the clipboard. If the app has a two-step verification code enabled (configured on the app’s web site), you will also have this pop up a few seconds after the first notification.
passQi will always perform a check with the passQi cloud services to determine if your iOS device is still active. At registration (provided you have registered with your phone number), keys are created which can identify your phone if you re-enter your phone number and PIN on the passqi.com site or call 678-2LOCKUP (678 256 2587). When you enter the phone number and PIN, the keys are regenerated and a flag is set which signals the phone to erase its password database. A network check is carried out whenever a secure operation (entering the Vault, performing login) is performed.
Note that for this reason, if network services are unavailable, PIN login or Touch ID will not be supported. In this case, the Vault may be opened even if network services are unavailable if you have previously created a passphrase, a much more secure method for local authentication. Creating a passphrase is also necessary to create backups.
passQi will recognize any web URL QR code, and launch Safari. It also recognizes other standard protocols such as sms: and mailto: and will launch the appropriate application on your iOS device.
Bridging requires the use of Remote Push Notifications, an iOS feature which requires user permission to enable. In the registration flow, you were prompted to approve the notifications alert which is presented by the iOS system. If a user chooses to decline this when presented by the system, iOS will not re-prompt, and the system will not allow subsequent enablement. Rather than trigger the system permission dialog, the passQi configuration flow allows a user who prefers to opt out of receiving notifications to “defer” the permission dialog. (This disables the bridging feature and will require the user to scan a QR code for each login.) If Notifications approval has been deferred, it can be subsequently activated by re-entering the configuration flow: first tap Help from the main screen, and then tap “Intro” in the upper right Navigation bar. This will re-present the option of approving Notifications. If Notifications have been declined at the system level, it may be that you can only cause the prompt to be re-triggered if you “trick” the system by deleting the app (after backup), manually changing the date to something in the future, restarting the system, and then re-installing.
See Settings Help for more on creating a passphrase and backing up your passwords to Dropbox.
See Detect Login Help for more on how passQi identifies login elements of pages that are unknown to the cloud database.