The introduction of Quick Unlock by TouchID is a huge step forward for the usability of Enpass. However, in my opinion the promised perfect balance between convenience and security is still unmet due to the lack of a critical part: TouchID timeout.
TouchID is not 100% secure as demontrated by security researchers who were e. g. able to replicate working fingerprints for TouchID. The logical consequence would be to disable TouchID in Enpass completely. However, this would not only eliminate the convenience benefit but also increase the risk of shoulder surfing.
The solution is an adjustable timeout deciding whether TouchID will unlock Enpass or if the master password is required. In my current password manager*, I set it to one hour which is the perfect security/convenience tradeoff in my use cases.
Patrick
* TouchID timeout ist the missing feature that kept me fromswitching to Enpass.
