Hi @Grunt Futuk,
Thanks for your feedback.
We agree with you that a security audit plays an important role for a password manager application, and we have planned one very soon down the line, together with the release of some exciting features.
To protect the integrity and sanctity of the source code, its access is restricted and controlled by GitLab. Not everyone can push code to the production branch directly. Every merge request, comprising the changes, is closely reviewed to keep a check on bad practices and malicious activities. The critical security module is additionally reviewed by the senior team and the CTO for security.
From an architectural standpoint, let me assure you that the codebase is fully modularized. GUI-specific code doesn't perform any cryptographic operations and acts as a client of our core module, which performs all the security-related operations and consists of various parts, i.e., database, cryptography module, network, etc. Our cryptography module is based on the open-source SQLCipher and has not changed a bit since the last audit, even after the addition of the subscription model. The core module is written in C++ and is shared by all platforms.
The request to add a second factor to authentication is something that is not required for Enpass because of its offline nature. Since the data is not saved on our servers, there is no requirement for a second factor to release it. However, the users who store their data in their cloud accounts (iCloud, Google Drive, OneDrive, Dropbox, Box and WebDAV) usually enable 2FA on their cloud accounts, protecting them from unauthorized downloading of Enpass data onto other, unauthorized devices. Also, the users who want to add an additional layer on top of the master password can use a KeyFile, which is then required for unlocking Enpass.
We understand your concerns and always take them very seriously. Feedback from our beloved users is what keeps us motivated to make Enpass better every day.
Thanks!