NEOKey

An offline-first Android authentication app that securely stores and manages secrets and generated passwords. All sensitive data is encrypted at rest and can be unlocked using biometrics or a master pincode.

Team
Timon Schneider - cc241026
Maxim Pollák - cc241059
Platform
Android (Kotlin, Jetpack Compose)
Core promise
Fast access + strong local encryption (offline-first)

App concept

What NEOKey is, who it’s for, and how it works.

Brief description

NEOKey is an offline-first Android authentication app that securely stores and manages secrets and generated passwords. All sensitive data is encrypted at rest and can be unlocked using biometrics or a master pincode.

Goal

Provide a fast, simple, and secure way to store and use authentication codes and passwords without requiring internet access, while keeping sensitive data encrypted and protected by biometric unlock and a master pincode.

Use case

A user wants to:

  • store multiple authentication entries (e.g., services, accounts, shared secrets, passwords)
  • organize them in categories
  • quickly reveal/hide codes when needed
  • generate strong passwords inside the app
  • (Nice-to-Have) share passwords with others

Target users

  • Students and everyday users who manage many accounts and want a secure offline solution
  • Security-conscious users who prefer local storage and encryption
  • Users who want quick access with biometric unlock (fingerprint/face)
  • Users who want the option to share passwords securely

Core features

  • Full CRUD (Create / Read / Update / Delete) encrypted entries
  • Local SQLite database (Room)
  • Jetpack Compose UI (no XML)
  • Reveal / hide stored codes
  • Built-in secure password generator
  • Password strength meter (weak → medium → strong)
  • Offline-first design (no internet required)
  • Biometric unlock (fingerprint / face)
  • Encryption & decryption
  • Categories for organization
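The feature list names a secure password generator and a weak → medium → strong strength meter. The following Kotlin is an added example written for this page, not code from the NEOKey project: it draws passwords from `SecureRandom` (the CSPRNG an Android app should use for secrets) and grades them by an entropy estimate. The character classes, the minimum length and the 40/64-bit thresholds are assumptions made for the example.

```kotlin
import java.security.SecureRandom
import kotlin.math.log2

/**
 * Password generator and weak/medium/strong meter (example code, not NEOKey's own).
 * Character classes, minimum length and bit thresholds are assumptions.
 */
object PasswordTools {
    private const val LOWER = "abcdefghijklmnopqrstuvwxyz"
    private const val UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    private const val DIGITS = "0123456789"
    private const val SYMBOLS = "!@#\$%^&*()-_=+[]{};:,.?/"

    enum class Strength { WEAK, MEDIUM, STRONG }

    // SecureRandom is a CSPRNG; kotlin.random.Random is not suitable for secrets.
    private val rng = SecureRandom()

    fun generate(length: Int = 20, useSymbols: Boolean = true): String {
        require(length >= 8) { "length must be at least 8" }
        val classes = buildList {
            add(LOWER); add(UPPER); add(DIGITS)
            if (useSymbols) add(SYMBOLS)
        }
        val alphabet = classes.joinToString("")
        // One character from every class, the rest from the full alphabet.
        // nextInt(bound) is uniform, so there is no modulo bias.
        val chars = ArrayList<Char>(length)
        for (cls in classes) chars.add(cls[rng.nextInt(cls.length)])
        while (chars.size < length) chars.add(alphabet[rng.nextInt(alphabet.length)])
        // Fisher-Yates shuffle so the guaranteed characters are not always first.
        for (i in chars.lastIndex downTo 1) {
            val j = rng.nextInt(i + 1)
            val tmp = chars[i]; chars[i] = chars[j]; chars[j] = tmp
        }
        return chars.joinToString("")
    }

    /**
     * Entropy estimate: length * log2(pool), pool being the size of the classes
     * actually present. Limitation: this scores "Passw0rd!" by its characters,
     * not by how guessable it is, so a common-password check should sit in
     * front of it in a real app.
     */
    fun entropyBits(password: String): Double {
        if (password.isEmpty()) return 0.0
        var pool = 0
        if (password.any { it in LOWER }) pool += LOWER.length
        if (password.any { it in UPPER }) pool += UPPER.length
        if (password.any { it in DIGITS }) pool += DIGITS.length
        if (password.any { it !in LOWER && it !in UPPER && it !in DIGITS }) pool += SYMBOLS.length
        return password.length * log2(pool.toDouble())
    }

    /** Thresholds (assumed): below 40 bits weak, below 64 bits medium, otherwise strong. */
    fun strength(password: String): Strength {
        val bits = entropyBits(password)
        return when {
            bits < 40 -> Strength.WEAK
            bits < 64 -> Strength.MEDIUM
            else -> Strength.STRONG
        }
    }
}

fun main() {
    val generated = PasswordTools.generate(16)
    println("$generated -> ${PasswordTools.strength(generated)}")
    println("abc123 -> ${PasswordTools.strength("abc123")}")
}
```

In a Compose screen the meter would be driven by `PasswordTools.strength(text)` on every text change; the entropy estimate is cheap enough to run on each keystroke.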

Tech stack

  • Kotlin
  • Jetpack Compose
  • Room (SQLite)
  • Offline-first architecture
  • Encryption layer (e.g., Android Keystore + encrypted data)

Hi-Fi Prototype (User Flow)

Key steps of the flow paired with the corresponding hi-fi screens.

Unlock screen (biometric + PIN fallback)
App Launch → Unlock
  • Biometric authentication (fingerprint/face)
  • Fallback PIN/password if biometrics fail
Entries list screen
Home – Entries List
  • Service/label + category
  • Quick actions: reveal/hide, search, filter, add new entry
Entry details screen with reveal and copy actions
Entry Details
  • Label, username (optional), secret/code (hidden by default), strength indicator, notes
  • Actions: reveal/hide, copy, edit, delete
Add / Edit wizard step 1
Add / Edit Entry (Wizard Form)
  • Step-by-step wizard
  • Fields: label/service, secret/code, category, notes (optional)

Usability test plan

Summative evaluation plan + earlier heuristic/formative findings.

1. Introduction

  • Formative user testing and expert-based heuristic evaluation conducted early in development.
  • Findings used to iteratively improve NeoKey.
  • This summative test evaluates the final implemented version and validates whether improvements were successful.
  • Assesses effectiveness, efficiency, and user satisfaction.

2. System overview

System name
NeoKey
Version / state
Hi-fi prototype (heuristic evaluation)
Fully implemented Android app (summative test) with CRUD + encrypted local storage
Description
Offline-first password manager to securely store, view, edit, and delete credentials. Unlock via biometrics or master PIN.
Target users
Students/everyday users • Security-conscious offline users • Users valuing quick biometric access

3. Heuristic evaluation

Method

Nielsen’s 10 Usability Heuristics.

Evaluators

  • Maxim Pollák
  • Timon Schneider

Procedure

  • Independent reviews while performing representative tasks
  • Issues mapped to heuristics + severity rating
  • Consolidated into final issue list

Nielsen’s 10 heuristics

  1. Visibility of system status
  2. Match between system and the real world
  3. User control and freedom
  4. Consistency and standards
  5. Error prevention
  6. Recognition rather than recall
  7. Flexibility and efficiency of use
  8. Aesthetic and minimalist design
  9. Help users recognize, diagnose, recover from errors
  10. Help and documentation

Identified issues (summary)

Problem description                                                                 | Heuristic | Severity
Create a new password entry using a multi-step wizard without confusion or errors   | H1        | 2
Create a new password entry using a multi-step wizard without confusion or errors   | H5        | 2
Locate an existing entry using navigation, search, and filters efficiently          | H6        | 4
Locate an existing entry using navigation, search, and filters efficiently          | H7        | 3
Edit and delete entries, especially irreversible actions                            | H3        | 2
Edit and delete entries, especially irreversible actions                            | H5        | 3
Measure perceived usability, confidence, and satisfaction after tasks               | H4        | 2
Measure perceived usability, confidence, and satisfaction after tasks               | H8        | 1
Severity scale: 1 Minor • 2 Low-impact • 3 Moderate • 4 Major • 5 Critical

Formative user testing results

  • Onboarding perceived as unnecessary/insufficiently welcoming; users preferred immediate biometric auth (maybe with short welcome).
  • Categories screen lacked search → extra navigation steps.
  • Editing redirected into full creation wizard → inefficient/confusing.
  • Long-press secret editing was not discoverable for all users.

Summary

Core functionality is generally usable with low-to-moderate issues. The most severe problems were in information retrieval (H6/H7). Entry creation and data management issues mainly affected feedback clarity and error prevention. Visual design issues were minor.

4. Research goals

Overall

Evaluate whether NeoKey enables users to manage passwords effectively, efficiently, and with high satisfaction.

Specific objectives

  • Evaluate entry creation using the multi-step wizard
  • Measure how efficiently users can find existing entries
  • Assess usability of editing and deleting entries
  • Measure overall perceived usability and confidence

5. Hypotheses

H1 - Entry creation: Users can create an entry without major errors.
H2 - Information retrieval: Users can locate an existing entry efficiently.
H3 - Password visibility: Users understand reveal and trust the interaction.
H4 - Copying passwords: Users understand copying vs revealing + clipboard behavior.

6. Variables & data collection

Dependent variables

  • Task completion rate
  • Task completion time
  • Error rate
  • User satisfaction / perceived usability

Data types

  • Quantitative: time on task, success/failure, questionnaire scores
  • Qualitative: think-aloud, observations, post-test feedback

7. Method + procedure

  • Evaluation type: Summative usability test (final version after formative improvements)
  • Setting: Controlled environment (classroom / supervised)
  • Participants: 8 - 10 participants, general smartphone experience, no prior NeoKey knowledge
  • Instruments: Task success/time/errors + Think-aloud; SEQ after tasks; SUS post-study
  • Procedure: Consent → Short intro → Tasks → SEQ each → SUS → Interview/debrief
  • Expected outcomes: Most tasks completed successfully; retrieval may need minor refinement; high satisfaction/confidence expected

Development documentation

Implementation timeline (12.1.2026 → 19.1.2026) + commits.

Timeline of implementation progress
12.1.2026
Base + database redesign
  • Adopted an existing project codebase as the CCL3 foundation.
  • Rebuilt the database to match the app design.
  • Adjusted the schema after realizing the first design wasn’t optimal (see ERD).
13.1.2026
Domain layer + utilities + first screens
  • Implemented domain layer and shared utilities.
  • Integrated biometric utilities.
  • Started UI: SecretsScreen and SecretDetailScreen.
14.1.2026
Security upgrades + finishing screens + stress testing
  • Reviewed security and fixed potential issues (hardening the app).
  • Completed remaining screens.
  • Stress tests with tutors revealed bugs (e.g., back button spamming causing invalid screens).
15.1.2026
User test plan + recovery day
  • Discussed the user test plan and scenarios.
  • Lower-intensity day after the first implementation sprint.
16.1.2026
Bug fixing + formative user tests
  • Fixed discovered bugs and polished edge cases.
  • Ran setup and conducted the three formative user tests.
  • Implemented small changes based on feedback.
19.1.2026
Continued user testing
  • Completed additional user tests with the selected participants.
  • Collected and summarized feedback for final refinements.
  • Implemented feedback - started with summative user testing.
20.1.2026
Summative user testing + interpretation of test results
  • Conducted 10 user tests and started the interpretation of the results.

Database design (ERD)

Entity Relationship Diagram of the local Room/SQLite database. Sensitive columns are stored encrypted at rest.

NeoKey ERD (Secrets table)
  • Table: Secret
  • Primary key: id
  • Encrypted at rest: account, password, note
  • Stored as plain (non-sensitive): title, category, createdAt
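The tech stack names an encryption layer built on the Android Keystore, and the ERD lists which Secret columns are encrypted at rest (account, password, note) and which are stored plain (title, category, createdAt). The following Kotlin is an added example written for this page, not the project's own code: a helper that keeps a 256-bit AES key inside the Android Keystore and encrypts each sensitive column with AES-GCM, beside the Room entity that stores the resulting blobs. The key alias, the column-name AAD and the blob layout (12-byte IV followed by ciphertext and tag) are assumptions made for the example.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import androidx.room.Entity
import androidx.room.PrimaryKey
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

/**
 * Column-level encryption for the Secret table (example code, not NEOKey's own).
 * The AES key is generated inside the Android Keystore, so its material never
 * enters app memory; Room only ever sees ciphertext for the sensitive columns.
 */
class SecretCipher(private val alias: String = "neokey_secret_key") { // alias is an assumption

    private val keyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }

    private fun key(): SecretKey {
        (keyStore.getKey(alias, null) as? SecretKey)?.let { return it }
        val spec = KeyGenParameterSpec.Builder(
            alias, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
        )
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setKeySize(256)
            // Default, kept explicit: the Keystore picks the IV, callers cannot reuse one.
            .setRandomizedEncryptionRequired(true)
            // .setUserAuthenticationRequired(true) would tie key use to the biometric
            // unlock via BiometricPrompt.CryptoObject; left out to keep this self-contained.
            .build()
        return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
            .apply { init(spec) }
            .generateKey()
    }

    /** Returns iv(12 bytes) || ciphertext || 16-byte tag, ready for a BLOB column. */
    fun encrypt(plaintext: String, columnName: String): ByteArray {
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        cipher.init(Cipher.ENCRYPT_MODE, key())          // Keystore draws a fresh random IV
        cipher.updateAAD(columnName.toByteArray())       // binds the blob to its column
        val ct = cipher.doFinal(plaintext.toByteArray(Charsets.UTF_8))
        return cipher.iv + ct
    }

    /** Throws javax.crypto.AEADBadTagException if the blob or its column was altered. */
    fun decrypt(blob: ByteArray, columnName: String): String {
        require(blob.size > 12 + 16) { "blob too short to hold IV and tag" }
        val iv = blob.copyOfRange(0, 12)
        val ct = blob.copyOfRange(12, blob.size)
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        cipher.init(Cipher.DECRYPT_MODE, key(), GCMParameterSpec(128, iv))
        cipher.updateAAD(columnName.toByteArray())
        return String(cipher.doFinal(ct), Charsets.UTF_8)
    }
}

/** Room entity mirroring the ERD: three encrypted columns, three plain ones. */
@Entity(tableName = "Secret")
data class Secret(
    @PrimaryKey(autoGenerate = true) val id: Long = 0,
    val title: String,        // plain
    val category: String,     // plain
    val createdAt: Long,      // plain, epoch millis (assumed type)
    val account: ByteArray,   // encrypted
    val password: ByteArray,  // encrypted
    val note: ByteArray?      // encrypted, optional
)

/** Builds a row from plaintext input; the inverse for display is symmetric. */
fun newSecret(cipher: SecretCipher, title: String, category: String,
              account: String, password: String, note: String?): Secret = Secret(
    title = title,
    category = category,
    createdAt = System.currentTimeMillis(),
    account = cipher.encrypt(account, "account"),
    password = cipher.encrypt(password, "password"),
    note = note?.let { cipher.encrypt(it, "note") }
)
```

Using the column name as associated data means a blob copied from the `note` column into the `password` column fails authentication instead of decrypting; the plain columns stay searchable, which is why title and category are not encrypted in the ERD.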

Download APK

Install the latest build of NEOKey directly on an Android device. (Offline-first • No account required)

Download NEOKey APK

Tested on Android 10+. You may need to allow installation from unknown sources.

Final reflections

Reflections from each team member regarding challenges, contributions, and future improvements.

Timon Schneider – Reflection

Challenges

  • Implementing encryption correctly while keeping the app performant.
  • Handling edge cases discovered during testing and debugging.
  • Integrating features / improvements from formative testing in a short time span.
  • Figuring out the system's limitations during implementation (clipboard memory, sessions, etc.).

My contribution

  • Backend structure and data handling.
  • Implementation of Middleware for encryption/decryption and clipboard wipe.
  • Support in debugging, testing, and improving stability.
  • Abstraction of code: outsourcing functions to be reusable.
  • Contribution to usability testing, result evaluation and creation of graphs.

How the final app meets the initial concept

The final application closely follows the original idea of a secure, offline-first password manager. Core goals such as encrypted local storage, fast access via biometrics, and a clean user interface were fully achieved. The usability tests confirmed that users were able to complete tasks efficiently and with high confidence, but left room for improvement when it comes to specific features users wished for.

What could be improved further

  • System-level autofill integration for login fields.
  • More advanced password generator options.
  • Optional customization of the app design.
  • Optionally, syncing with other devices (e.g., password sharing or moving your passwords to a new device).

Maxim Pollák – Reflection

Challenges

  • Balancing strong security concepts with a simple and intuitive user experience.
  • Designing a secure and well-structured database schema for sensitive data.
  • Designing UI flows that remain understandable while handling sensitive actions such as revealing and editing secrets.
  • Ensuring consistency between prototype, implementation, and usability expectations.

My contribution

  • Design and implementation of large parts of the UI using Jetpack Compose.
  • Implementation of the Room database, encryption logic and middleware.
  • Structuring the user flow and interaction logic.
  • Supporting usability testing, evaluation, and interpretation of results.
  • Contributing to documentation and data visualization of results.

How the final app meets the initial concept

The final version successfully implements a secure offline-first authentication manager. The database design, encryption approach, and biometric authentication align well with the original concept and technical goals defined at the start of the project.

What could be improved further

  • Extended security options such as automatic lock timers.
  • Improved category customization and sorting.
  • More advanced export/import options for backups.
  • Some people asked for cloud sync, but this defeats the purpose of the offline principle.

Documentation of usability test

Formative (n=3) → improvements → Summative (n=10) results.

Test rounds

We first conducted a formative test round with 3 participants to uncover usability issues and gather feedback for feature improvements and bug fixes. After implementing these changes, we conducted a second (summative) usability test with 10 participants.

Key improvements after formative testing

  • Category search: Added search on the Categories screen to reduce unnecessary navigation steps.
  • Onboarding flow: Reduced perceived “extra” screens by prioritizing direct biometric unlock (with optional welcome text).
  • Edit flow: Editing no longer routes users back into the full wizard, reducing time and confusion.
  • Discoverability: Improved discoverability of editing (previously hidden behind long-press).

Summative test demographics (n = 10)

  • Mean age: 24
  • Gender: 4 female, 6 male
  • Prior experience: Majority had used password managers/authenticators before
  • Technical confidence: All participants reported being technically very confident

SEQ (task difficulty, 1–5)

After each task, participants rated difficulty on a 1–5 scale where 1 = very difficult and 5 = very easy. Results showed that tasks were perceived as very easy and could be completed clearly without additional help.

Data visualizations

Visual comparison of formative vs. summative results (SEQ, SUS, and task completion time).

Average SEQ by task: Formative vs Summative
SEQ by task: Mean task ease (1–5) for formative vs summative.
Average task completion time: Formative vs Summative
Task completion time: Average time per task (seconds), formative vs summative.

SUS (System Usability Scale)

As a post-test measurement to assess perceived usability, participants filled out the System Usability Scale (SUS).

SUS scores: Formative vs Summative
SUS comparison: Distribution of SUS scores across formative and summative rounds.

Formative results (n = 3)

Even before improvements, SUS scores indicated excellent usability. The formative round achieved a mean SUS score of 92.5, while qualitative feedback highlighted missing features and UX friction points that were addressed before the summative test.

Summative results (n = 10)

After implementing changes, SUS results improved further. The summative round achieved a mean SUS score of 96.0, indicating outstanding usability. This is well above the commonly used benchmark of 68.

Summary of summative findings

In addition to the high SUS score, qualitative feedback from the think-aloud protocol and the short post-test interview revealed several points worth acknowledging:

  • Autofill: The most common critique was the lack of autofill, especially compared to established password managers. This impacts real-world efficiency because users must manually switch apps and copy secrets.
  • Category customization: Users requested customizable categories and the ability to rearrange the Categories screen. This would support personalization and faster access for frequently used items.
  • Password generator options: While the generator worked reliably, multiple users requested direct control over password length. This would improve perceived control and flexibility.
  • Password entry visibility: Two users mentioned that while typing, only the last 2–3 characters should be visible briefly (common pattern in many apps). This helps reduce typing errors while maintaining privacy.