HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

LogMeOnce Review

Our LogMeOnce review shows that, although this technologically advanced password manager has plenty of features, it is likely not suitable for HIPAA Covered Entities. Additionally, although some users will appreciate the novelty of passwordless login, the steep learning curve and the potential issues this may cause means LogMeOnce will not be suitable for many other types of businesses.

If password managers were assessed on the length of their lists of features, LogMeOnce would be the industry leader. However, on closer inspection, many of the listed features are duplicated in the same list, some appear as “features” and also as “additional features”, and then you find out that you have to pay extra for “additional features” that are provided as standard by other vendors.

Admittedly, some features are unique to LogMeOnce or are rarely seen in commercial packages. Indeed, it is unusual to see features such as scheduled logins and policy engines in individual plans, while geofencing (available in the Enterprise “Identity” plan) is a feature that all password managers should adopt to mitigate the risk of account takeovers from remote sources.

However, rather than focus on the most useful features, LogMeOnce focuses on the password manager's passwordless capabilities (biometrics, QR code, selfie, face ID, etc.) as if it were the only password manager offering such capabilities. It's not. Many password managers now support FIDO standards for passwordless login – including market leaders Bitwarden, Dashlane, and 1Password.

A Brief Note about Passwordless Login

Passwordless login can be a frictionless alternative to usernames and passwords that enhances productivity. However, the effectiveness of passwordless login depends on a number of factors. For example, if using a selfie login, the lighting of the environment in which the user is trying to log in can affect the login success rate if the authenticating image was captured in a different location.

It can also be the case that – for users with limited technical skills – passwordless login has a steep learning curve that can involve changing website settings and uploading and configuring software. For users unfamiliar with using hardware to verify their identities, there may also be trust issues with the login process – prompting users to revert to less productive (and less secure) login options.

Finally, in the context of our LogMeOnce review, it is also important to be aware that LogMeOnce's passwordless login features only work on the password manager itself and on other websites that have adopted FIDO standards. Not many websites have. Therefore, you will have to continue using usernames and passwords for some accounts regardless of which password manager you adopt.

LogMeOnce for Individuals and Families

LogMeOnce offers a choice of three plans for individuals plus a family plan. The individual plans consist of a fairly decent free plan and two paid-for plans with varying degrees of functionality; while the family plan is a top-of-the-range “Ultimate” plan for up to six members of the same family managed by a family dashboard. The three paid-for plans offer good value-for-money.

All four plans allow users to save an unlimited number of passwords across an unlimited number of devices, with automatic sync between devices. All plan users have access to a password generator, password strength checker, and password policy engine (which stipulates minimum requirements for new passwords). The range of passwordless options and 2FA options increases with each plan.
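The paragraph above describes a password policy engine (minimum requirements for new passwords) alongside a password strength checker. The following is an added illustration of how such a policy check can work, written for this review and not LogMeOnce's own code; the specific rules, the entropy threshold and the small denylist are constructed assumptions, not LogMeOnce's actual defaults.

```python
"""Toy password policy engine with a character-class strength estimate.

Added example; the rules below are assumptions, not a vendor's defaults.
"""
import math
import string
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PasswordPolicy:
    """Minimum requirements a new password must satisfy (constructed values)."""
    min_length: int = 12
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    min_entropy_bits: float = 60.0
    # Constructed stand-in for a breached/common-password feed.
    denylist: frozenset = field(
        default_factory=lambda: frozenset({"password", "letmein", "qwerty123"})
    )


def estimate_entropy_bits(password: str) -> float:
    """Upper-bound entropy: length * log2(size of the character pool used).

    This is the usual 'strength meter' estimate; it overstates strength for
    dictionary words, which is why a denylist check is applied as well.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def check_password(password: str, policy: PasswordPolicy) -> list[str]:
    """Return the list of policy violations (empty list means the password is acceptable)."""
    violations: list[str] = []
    if len(password) < policy.min_length:
        violations.append(f"too short (minimum {policy.min_length} characters)")
    if policy.require_upper and not any(c.isupper() for c in password):
        violations.append("missing uppercase letter")
    if policy.require_lower and not any(c.islower() for c in password):
        violations.append("missing lowercase letter")
    if policy.require_digit and not any(c.isdigit() for c in password):
        violations.append("missing digit")
    if policy.require_symbol and not any(c in string.punctuation for c in password):
        violations.append("missing symbol")
    bits = estimate_entropy_bits(password)
    if bits < policy.min_entropy_bits:
        violations.append(f"estimated entropy {bits:.1f} bits below {policy.min_entropy_bits:.0f}")
    if password.lower() in policy.denylist:
        violations.append("password appears on the denylist")
    return violations


if __name__ == "__main__":
    policy = PasswordPolicy()
    for candidate in ("password", "Tr0ub4dor&3x!"):  # constructed sample inputs
        result = check_password(candidate, policy)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

The denylist check matters because the entropy estimate alone would rate a long dictionary word as strong; a real deployment would replace the constructed set with a breached-password corpus.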

Individual and Family Plans (LogMeOnce Password Manager)

| Feature | Free | Professional | Ultimate | Family |
|---|---|---|---|---|
| Nº of Users | 1 | 1 | 1 | < 6 |
| File Storage | 1MB | 1GB | 10GB | 10GB |
| Secure Notes | < 3 | < 50 | Unlimited | Unlimited |
| Password Sharing | < 5 | < 50 | Unlimited | Unlimited |
| Credit Card Storage | < 3 | Unlimited | Unlimited | Unlimited |
| SMS/Voice Credits | None | 10 | 30 | None |
| Emergency Access | No | Yes | Yes | Yes |
| Login Audit | No | Yes | Yes | Yes |
| Remote Logout | No | No | Yes | Yes |
| Scheduled Login | No | No | Yes | Yes |
| Support | Email | Email | Email/Chat | Email/Chat |
| Price (August 2022) | Free | $30 / year | $39 / year | $60 / year |

There are a couple of issues we unearthed for this LogMeOnce review. The free plan is full of ads (if you don't like ads, choose Bitwarden's free plan), and LogMeOnce charges you for receiving 2FA codes by SMS (2 credits) or voice call (4 credits). You can buy additional credits for $10 per 1,000 credits, or – better still – use a different 2FA method. Also, Dark Web Monitoring, which is provided free of charge by some vendors, costs an additional $20 per year ($40 per year for family plans).

LogMeOnce for Teams and Businesses

The LogMeOnce Teams plan is effectively a family plan for more users that allows businesses to brand the user interface with their name and logo. With regards to how many users, LogMeOnce claims in the pricing page FAQs that the Teams plan “will work for every company, of every size”; but when you try to register for it, you are advised that the maximum number of seats allowed is 25.

A few other issues we noted in the compilation of this LogMeOnce review are that the Teams plan doesn't support RBACs or provide users with secure storage (for documents, images, etc.). For these capabilities, you need to upgrade to the Enterprise Plan; and, if you also require Dark Web Monitoring, you either have to purchase an add-on or upgrade to the “Identity” Plan.

Teams and Business Plans (LogMeOnce Password Manager)

| Feature | Teams | Enterprise | Identity |
|---|---|---|---|
| Nº of Users | < 25 | Unlimited | Unlimited |
| File Storage | No | 1GB | 1GB |
| SSO & SAML 2.0 | Yes | Yes | Yes |
| Group Management | Yes | Yes | Yes |
| Policy Engine | Standard | Advanced | Advanced |
| RBACs | No | Yes | Yes |
| AD Integration | No | Yes | Yes |
| Activity Reporting | Standard | Advanced | Advanced |
| Geofencing | No | No | Yes |
| Dark Web Monitoring | Add-On | Add-On | Yes |
| Support | Priority Email | Priority Email | Priority Email |
| Price (per user) | $36 / year | $48 / year | $84 / year |

The ways in which LogMeOnce places limitations on services in its cheaper plans to force businesses to subscribe to a more expensive option seem a little underhand. Furthermore, by forcing a business to pay extra for (say) RBACs, the business may be paying for services it will not use (i.e., nested folders) – or services it will have to train users on in order to use them and justify the higher cost.

LogMeOnce for HIPAA Covered Entities

As the purpose of our LogMeOnce review is to assess its suitability for HIPAA Covered Entities and Business Associates, we went through the feature list(s) and compared the capabilities of the LogMeOnce password manager against the HIPAA password requirements. With regards to being a password manager that can support HIPAA compliance, LogMeOnce passed every test.

However, LogMeOnce is not a HIPAA compliant password manager, because it is not the software that determines compliance but how the software is used. Due to the complexity of some LogMeOnce features, we feel it might be safer to disable them rather than give non-tech-savvy users an opportunity to violate HIPAA or cause a data breach due to a lack of technical knowledge.

This issue is one that should be considered when conducting a risk assessment, along with the likelihood of users finding the interface too confusing and reverting to insecure methods of using passwords. Importantly, the LogMeOnce password manager should not be used for sharing or disclosing Protected Health Information, as LogMeOnce will not sign a Business Associate Agreement.

Password Managers and Business Associate Agreements

Some vendors claim that, because their password managers are built on zero knowledge architecture, they have no access to information stored in users' vaults (including Protected Health Information) and are therefore not required to sign a Business Associate Agreement. This is not true if you substitute “password manager” for “cloud service provider” in the following HHS FAQ.

The HHS states that, “Cloud service providers that provide services to a Covered Entity or Business Associate that involve creating, receiving, or maintaining Protected Health Information meet the definition of a Business Associate even if the cloud service provider cannot view the Protected Health Information because it is encrypted and the provider does not have the decryption key”.

Consequently, it is necessary for a vendor of a password manager to enter into a Business Associate Agreement if the Covered Entity or Business Associate is going to use the password manager to store, share, or disclose Protected Health Information. Even if that is not the intended use, an Agreement is still a good idea in case a member of the workforce takes it upon themselves to disclose Protected Health Information via the password manager's secure sharing capabilities.

LogMeOnce Review Conclusion

In the compilation of this LogMeOnce review, we have had a look at what other reviewers think of this password manager, and many (non-affiliate) opinions align with our own inasmuch as LogMeOnce is secure, but complicated to use, it contains many features that you might pay for, but never use, and – rather unkindly – “is more smoke and mirrors than bells and whistles”.

While some tech-savvy individuals might be impressed with LogMeOnce (especially students, who qualify for a 50% discount), the password manager is more suitable for small technical teams than for whole businesses. This is because of the steep learning curve for non-tech-savvy users and the issues this may create in terms of training and security if settings or software are misconfigured.

For businesses subject to HIPAA, in addition to the above concerns – which may prompt users to adopt insecure methods of using passwords – LogMeOnce is not a compliant solution through which to disclose Protected Health Information. This has nothing to do with the password manager's capabilities, but rather the fact that the company will not sign a Business Associate Agreement.