Need a VPN or DNS for your device?Get ExpressVPN Now
One ExpressVPN account. All devices.Get Apps for Free
When you enable the biometric unlock feature, you can access your logins stored in ExpressVPN Keys without typing your primary password, making it easier for you to take control of your password security.
ExpressVPN Keys (ExpressVPN’s password manager) was built according to industry best practices for secure apps and cloud infrastructure, including conducting extensive threat models and security assessments. It has also been independently audited by cybersecurity experts (like Cure53) to ensure it delivers the highest standards in protecting your personal data.
ExpressVPN Keys cannot access your biometrics data
ExpressVPN Keys is only notified about whether the biometric authentication is successful or not by Android. It can neither access nor store any data associated with the enrolled biometrics.
Your primary password keeps your data protected
The biometric unlock feature does not replace your ExpressVPN Keys primary password or weaken the security of ExpressVPN Keys.
Even when the biometric unlock feature is enabled, your data stored in ExpressVPN Keys is always encrypted with your primary password and protected at all times by zero-knowledge encryption. Read more about the security of ExpressVPN Keys.
Biometrics and primary password security
When you enable the biometric unlock feature:
- An encryption key is generated by Android and held by Android Keystore.
- Your primary password is encrypted using that key; the encrypted version is securely stored and can only be accessed by the ExpressVPN app, but not any other apps or services.
- Upon successful biometric authentication, ExpressVPN Keys gets access to the encryption key held by Android Keystore and uses it to decrypt the primary password and unlock your logins stored in ExpressVPN Keys.
When you disable the biometric unlock feature:
The encryption key held by Android Keystore and the encrypted version of your primary password are deleted immediately.
When you sign out of or uninstall the ExpressVPN Android app:
Your primary password is removed from Android Keystore by ExpressVPN when you sign out of the app. When you uninstall the app, both the primary password and the encryption key are removed from Android Keystore.
When a new biometric is added to your Android device:
- The encryption key held by Android Keystore is invalidated and the encrypted version of your primary password is deleted.
- You will no longer be able to unlock ExpressVPN Keys with biometrics, until you enter your primary password again. This ensures your logins are safe even if someone is able to add their biometrics to your device without your consent.