SAN FRANCISCO — A yellow booth with a screen caught my attention on a recent grocery trip. A blue ring on the contraption glowed, luring me toward it.
This was no lottery ticket machine — it was a kiosk for duplicating keys from a company called KeyMe. And it was for copying not just ordinary keys but also special ones, including digital access cards and the high-security Medeco key that I use to get into my apartment building.
My apartment complex typically charges $100 for a copy of this key, which is an advanced physical key that is difficult to reproduce. KeyMe offered to mail a duplicate to me for about $10. So I tried it.
I immediately felt regret. Did I just compromise my building security by sharing the key with a private company? If KeyMe were hacked, couldn’t someone break in to my home?
This is a question people may increasingly wrestle with as KeyMe and similar services like MinuteKey and My Key Machine grow quickly. KeyMe has kiosks in 2,000 stores across 46 states for retailers like Safeway, Bed Bath & Beyond and 7-Eleven, and the company said the number was rising. KeyMe also offers a mobile app that lets you take a photo of a key and store the data on its servers. That means if you are locked out, you can simply go to a kiosk, log in to your account and quickly cut a duplicate key.
I decided to take a closer look at KeyMe, a company founded in 2012 and based in Manhattan. Deviant Ollam, a security consultant who gives lectures about lock-picking at Defcon, the hacker convention, also provided an assessment of the company’s security practices.
Mr. Ollam had concerns. Chief among them: the ability of an abusive ex to use KeyMe to break into a former partner’s home.
“The idea of intimate jealous partners having access to people’s online accounts is very well known — but possibly not among smart male technologists,” he said.
In the end, I recommend against using KeyMe’s app or creating a user account to use the service. But I was happy to make copies from the kiosk. Here’s what I found.
How KeyMe works
To help you find a nearby KeyMe kiosk, the company provides a locator tool. At a kiosk, the screen presents options for key types to copy, including standard house keys, special security keys, vehicle keys, and access cards and fobs. After selecting an option, insert a key into a slot and let the kiosk scan it; for access cards, tap the card on a scanner.
If you copy an ordinary house key, you can cut the key directly at the machine. For more specialized types, the machine will most likely say that the keys need to be programmed elsewhere and be mailed to you. Prices vary: A standard key costs about $3, an access card costs about $12.50, and a car key starts at $20.
After you make or order a copy, you can create an account and store the key data with the company. That requires registering a fingerprint.
To set up the mobile app, enter an email address and create a password. Inside the app, you can take a photo of a key by placing it on a white sheet of paper and taking a photo of each side of the key. Then it can determine whether the photo is good enough for you to cut a copy of the key at a kiosk or whether it has to be mailed to you.
Tough security, but with flaws
More important than how KeyMe works is how the company protects your data.
KeyMe says it retains as little identifiable data as possible. The company immediately purges a customer’s name and mailing address after it ships off a key order, it said. It does keep a customer’s email address and key data, and if someone registers a fingerprint, it keeps a mathematical representation of the fingerprint.
To defend against cyberattacks, KeyMe said, it divides up pieces of user data and stores them across three different places. That means hackers would have to break into all three systems to obtain the information.
Greg Marsh, KeyMe’s chief executive, said the company was able to hold criminals accountable. That’s because unlike traditional locksmith companies or key copiers at hardware stores, KeyMe has an information trail on what keys were produced and by whom. In the event of a crime, the police could check whether a key was duplicated with KeyMe and track down who had copied it.
“We’re the only company that exists where if law enforcement has a key in question, we can actively say whether we have a key or not,” Mr. Marsh said. “Part of our mission is to build proactive relationships with law enforcement.”
That raised a red flag for Mr. Ollam, the lock-picking expert. He wondered how difficult KeyMe would make it for law enforcement authorities to gain access to user data — for instance, whether it would require subpoenas for all requests or just a casual note.
Mr. Marsh said KeyMe had not been involved in any instances where it copied a key that was involved in a crime. So the company has not handed over user data to the authorities and has not devised a regimented procedure.
“But we would never just turn over customer information to a third party, including law enforcement, without very prudent and thoughtful measures,” he said.
I asked Mr. Marsh why he did not commit to a clear procedure now to give customers confidence. He said that crimes varied and that the nature of an investigation would determine how a customer’s data would be shared.
Mr. Ollam brought up the hypothetical situation of an abusive ex, who gains access to his or her former partner’s email account. In that case, the person could reset the KeyMe password, log in to the app and have a key copy mailed over.
In response, KeyMe said that people trying to gain access to their key data at a kiosk would be required to scan a fingerprint before a duplicate could be reproduced. Mr. Marsh acknowledged that someone could get into an email account and reset a KeyMe password, but said the same vulnerability applied to many types of internet accounts that rely on passwords.
I noted that plenty of websites offered two-step authentication. That involves sending a temporary code to another device, like a cellphone, which must be entered before someone can log in with a password. KeyMe lacks this feature.
Mr. Marsh said KeyMe had discussed enacting two-step authentication. But given that KeyMe tries to retain a bare minimum of user data, the feature would be complex to incorporate, he said.
And the test results …
Because of KeyMe’s vague responses about cooperating with law enforcement and the password-reset vulnerability with the app, I do not recommend using the app or creating a user account for the service.
But if you simply want to make or order a key copy at the kiosk, the service is useful, especially for key types that you can’t typically duplicate at a hardware store.
In addition to my Medeco key, I tried copying a few standard house keys and an access card. The machine took a few minutes to cut the house keys, which worked well. For the access card, I opted to copy the data onto a small sticker that could be adhered to my phone case. The sticker copy arrived in the mailbox after about three days, and it worked perfectly.
But the duplicate of the special Medeco key failed to turn the lock for my building gate. Mr. Marsh said this key was so tricky that KeyMe’s machine-learning software and a human check had failed to reproduce it correctly. The company has decided to stop supporting my specific key.
On one hand, I was disappointed. On the other hand, it was a relief that the key was too tough to copy. Convenience is not everything, especially when it comes to making sure your home security stays as strong as possible.
Orignially published in NYT.