Everything posted by Solomon
While I know the audit page has been contentious, I see the value of it. What I feel is lacking is features within it to do things with the information that aren't manual.

A prime example is identical passwords: sometimes this is because there are just duplicate entries (maybe you accidentally saved the app and website separately? maybe two different websites use the same login system, etc.). It'd be great to have a merge option (wherever a field differs, copy it over as a new field). A suggested auto-merge button could be nice too (for entries where the only difference is that one has some additional fields over the other, like one includes username & email while the other just has username).

I would also love an option to scan for outdated, unnecessary entries. I have a lot of entries in my password database for sites that I'm pretty sure don't even exist anymore. It'd be nice to be able to click a button and have it just check the site URLs to see if they're even alive anymore (this could pretty easily be incorporated with the feature for downloading website favicons). Though, I would recommend a feature as well to test for ISP intercepts of bad domains (either by using a check against a known unknown domain, like a fake subdomain of enpass.io, or by using DNS-over-HTTPS, but obviously the latter would require more work).

Lastly, I was wondering if maybe when catching password updates it could potentially have an option to save the URL as a password change URL? This could be used in conjunction with auditing to have a quick password change button (visit site, auto-populate old password fields, auto-generate a new password to put in).
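The dead-entry scan and the "known unknown domain" check described in the post above can be sketched as follows. This is an added example, not Enpass code and not part of the original post: it resolves a canary hostname that must not exist, and if the resolver hands back an address anyway (an ISP NXDOMAIN landing page), any vault entry that resolves to that same address is marked unverifiable instead of alive. The canary label, the sample entries and the two stand-in resolvers are constructed so the example runs offline; the real OS resolver is wired in through `system_resolver`.

```python
import socket
from typing import Callable, Dict, Optional
from urllib.parse import urlparse

# A resolver maps a hostname to an IP string, or None when the name does not exist.
Resolver = Callable[[str], Optional[str]]

# Assumption: a randomly generated label under a domain you control, so a
# truthful resolver must answer NXDOMAIN. The post suggests a fake subdomain
# of enpass.io; this placeholder is constructed for the example.
CANARY_HOST = "canary-7f3a9c.nonexistent.example.com"


def system_resolver(host: str) -> Optional[str]:
    """Resolve with the OS resolver; None means NXDOMAIN / no address."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def detect_nxdomain_hijack(resolve: Resolver, canary: str = CANARY_HOST) -> Optional[str]:
    """Return the address the canary resolved to if the resolver is lying, else None."""
    return resolve(canary)


def hostname_of(url: str) -> Optional[str]:
    """Extract the hostname from a stored URL, tolerating entries without a scheme."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    return parsed.hostname


def classify_entries(entries: Dict[str, str], resolve: Resolver) -> Dict[str, str]:
    """Classify each vault entry (name -> URL) as resolves / dead / unverifiable / no-url.

    DNS resolution is only a first pass; an entry that resolves may still be
    worth an HTTP check before it is reported as alive.
    """
    hijack_ip = detect_nxdomain_hijack(resolve)
    result: Dict[str, str] = {}
    for name, url in entries.items():
        host = hostname_of(url)
        if not host:
            result[name] = "no-url"
            continue
        ip = resolve(host)
        if ip is None:
            result[name] = "dead"
        elif hijack_ip is not None and ip == hijack_ip:
            # The resolver answers unknown names with its landing page, so a
            # successful lookup proves nothing; refuse to mark the entry alive.
            result[name] = "unverifiable"
        else:
            result[name] = "resolves"
    return result


# Constructed stand-ins for DNS answers so the example runs offline.
_CLEAN_TABLE = {"shop.example.com": "192.0.2.10"}


def clean_resolver(host: str) -> Optional[str]:
    """Behaves like an honest resolver: unknown names get NXDOMAIN (None)."""
    return _CLEAN_TABLE.get(host)


def hijacking_resolver(host: str) -> Optional[str]:
    """Behaves like an intercepting ISP resolver: unknown names get a landing page."""
    return _CLEAN_TABLE.get(host, "192.0.2.99")


# Constructed sample vault entries.
SAMPLE_ENTRIES = {
    "Shop": "https://shop.example.com/login",
    "Old forum": "http://forum-that-closed.example.net",
    "Note only": "",
}

if __name__ == "__main__":
    for label, resolver in (("honest", clean_resolver), ("intercepting", hijacking_resolver)):
        print(label, classify_entries(SAMPLE_ENTRIES, resolver))
```

With the honest resolver the closed forum is reported dead; with the intercepting one the same entry becomes unverifiable rather than falsely alive, which is exactly the misclassification the canary check exists to prevent.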
I just wanted to chime in as a technically savvy user to note that fingerprint reading on mobile uses simple secure APIs, while desktop platforms don't have such. On iPhone and Android the biometrics API doesn't just read your fingerprint; it's connected to a secure crypto chip (slightly oversimplified terminology for those more familiar). This chip processes the fingerprints and unlocks crypto keys when they match. The chip itself is designed to never directly unlock crypto keys otherwise and to even be tamper resistant (i.e. if someone tries to physically access the chip it wipes itself).

However, on desktop environments the fingerprint readers largely just read fingerprints. While this can verify your identity, a fingerprint alone cannot be used for encryption. You pretty much have 2 ways about this on desktop environments:

* Dedicated security hardware (a reader that's set up like the mobile readers)
* You have to store the database key unencrypted (or effectively unencrypted)

A good, relatively easy middle ground might be to make a feature for Enpass to unlock via only a keyfile? Doing this you could use a biometric USB drive (they don't usually act as a fingerprint reader for the computer and instead use a reader to enable access to the drive contents).
I don't believe they're talking about unlocking desktop applications with Enpass. To hopefully clarify, I believe they're asking to be able to unlock the desktop version of Enpass with the mobile version. An example flow:

* Open desktop Enpass
* Open mobile Enpass
* Unlock mobile Enpass with biometrics
* Mobile Enpass then prompts to unlock desktop Enpass

This is certainly doable, but is not exactly trivial and is full of major potential security vulnerabilities. The big issues:

* The two versions would have to find each other in some way; this means likely setting up a whole network discovery system, just to identify that both are on the network.
* This can create privacy concerns as the applications are now advertising themselves over the network.
* When unlocking this way, this requires sending the encryption key over the network between the devices. There's no way to avoid this as the desktop does not have a safe place to store the encryption key like the phone does.

There are a lot of possibilities for this method to be used to compromise the encryption of your password database (it will take a lot of work and oversight to maintain this function securely).