Damasta

Since Enpass doesn't seem to support Biometrics to sign-in when it's installed in an Android Work Profile, we tried using a PIN instead.

Despite that, Enpass still requires the masterpassword each time we try to sign in to Enpass in Android work profile.

How can we allow convenient and yet secure sign-in to Enpass in Android Work Profiles?

Anyone?

Hi Team,

for security reasons, we enforce access to our M365 SharePoint only from compliant devices. On Android, that means the app accessing SharePoint needs to be within the Android Enterprise Work Profile.

However, when Enpass is installed within in the work profile, it doesn't recognize that Biometric sign-in is configured for the device and refuses to enable it. PIN is the only way to enable convenient sign-in.

Is that a bug in Enpass or a "feature" of Android Enterprise work profile? 

On 2/27/2023 at 9:02 AM, Jameswalter said:

To turn on Windows Hello
Go to Start > Settings > Accounts > Sign-in options.
Select the Windows Hello method that you want to set up,
Select Set up.
 

Thanks James.

No offence, but I've been using Windows Hello Since Windows 10 launched back in 2015. I know how to turn it on and use it.

But obviously, Enpass does NOT. While all other apps and services happily use Windows Hello on all my devices, Enpass appears to be the only one that arbitrarily decides to stop using it - locking unsuspecting, non-technical users out of their most important assets: their digital access methods.

And judging by Abishek's responses it seems to be "by design". That is, apologies for the ranting and venting, stupid. Every security expert will tell you these days that invalidating access periodically (reasons are irrelevant) and forcing users to re-new or re-configure their access is a security RISK. Because it encourages users to (re-)use simple, easy to remember passwords instead of complex passwords that they can set and forget. Or better yet, not use passwords at all any more.

From a professional as well as a noob standpoint, this user experience is wrong and rotten. I am evaluating other products for friends and family and myself of course as we speak.

3 hours ago, Abhishek Dewan said:

Hi @Damasta

I can certainly understand your disappointment in this matter.

Due to the nature of Enpass being an offline password manager, it is important to create a strong but memorable password that you do not store anywhere that it could be discovered. Enpass cannot recover lost or forgotten Master Passwords. All your data is under your exclusive control. If your Master Password is lost, Enpass should be reset so you can start over as a new user.

Although we provide our users with the advantage of accessing the app through various means like PIN/Face ID/biometrics, we strongly recommend remembering your master password and keeping it safe. Having said that, I have duly noted your comments for future consideration.

Abishek, thanks again.

"Offline" is ... an interesting point of view. After all, Enpass supports various cloud and network storage locations for vaults.

Also, if my data is under my exclusive control, then do not meddle in the authentication mechanisms I choose for my data. Turning off biometrics without warning, user consent or any recourse is highly disruptive to say the least, and ultra-destructive in the worst case.
Do you realize this is like my bank removing access to my money and other valuable property without my consent?

The moment I switch my authentication of choice to the OS' biometric MFA framework (based on your advertised functionality), the master password became obsolete. With Enpass unilaterally reverting that choice, you have blocked access to valuable (potentially vital!) data. Selecting my authentication method to my data should not be Enpass' choice, it should be mine.

No place in your documentation, guides, FAQ or even this forum seem to indicate that Windows Hello simply turns off ever so often. Your claim above "For security purposes, Enpass may occasionally prompt you to enter your master password or in certain situations, like after unsuccessful verification attempts via Face ID/biometrics/Windows Hello." is undocumented. Hence, you took a supported feature away.

But regardless, that is beside the point. I am NOT asking to recover the master password.

I AM asking to force-enable Windows Hello again which worked fine - until Enpass turned it off for no reason and without my consent.

Enpass claims to support Windows Hello - please do so at this time and restore Enpass' advertised (and my paid for) ability to use Windows Hello.

Please don't force me to post this circumstance to Google Play and MS Store reviews. But I will, as Enpass currently seems to be a positive danger to use. I will also switch my own keystore to something I can rely on 100% and stop recommending Enpass to clients, friends and family.

7 hours ago, Jameswalter said:

Remove PIN on Windows 10
Open Settings on Windows 10.
Click on Accounts.
Click on Sign-in options.
Turn off the “Require Windows Hello sign-in for Microsoft accounts” toggle switch. 
Under the “Manage how your sign in to your device” section, select the “Windows Hello PIN” option.
Click the Remove button to remove the PIN on Windows 10.
Click the Remove button again.
Confirm the current password.
Click the OK button.

 

Regards,
James

Hi James, thanks for your suggestion.

However, I don't see how turning Windows Hello off will let us re-gain access to the app? We do not remember the master password, since, for a long time, it was not necessary. And users being human tend to forget stuff they don't use for a longer time.

My request was to force Windows Hello ON in Enpass, so we can authenticate using the established, trusted MFA of Windows Hello - not the unsafe, single-factor sign-in of Master Password.

Thanks for the disappointing answer. Please understand that we/I are frustrated that Enpass appears to make our life more difficult, not easier.

Here's why:

1. Enpass stopped accepting biometric sign in on ALL her devices - both Windows and Android. So we have no biometric recourse.

2. I understand the master password is gone, permanently. And no one on the planet can help us recover it. Which is why I didn't ask to recover the master password, I asked to restore biometric sign-in, which is already established on trusted devices and works fine for all other apps.

3. I am quite familiar with Windows Hello. AFAIK, it does not signal failed sign-in attempts to the requesting service, only successful ones. Enpass can't know whether sign-in failed or not. Especially not on devices with Hello Face Recognition, where there is always a fall-back to the device PIN, making Hello sign-in 100% successful every time.

4.  Why does Enpass take it upon itself to determine whether a third-party (!) biometric security solution can be trusted? That should not be Enpass' concern - ever. 

5. Windows Hello is, by definition SAFER than Enpass Master Password. Device-based biometrics (on Android also) are, by definition, Multi-Factor, whereas the Master Password is single-factor. So by turning Biometric MFA off without user consent, you weaken security. Also without user consent.
Claiming that you are improving security by periodically requiring the master-password and defaulting to single-factor-auth. seems counter-intuitive.

Given this design flaw, I (as a paying user) request one of two things:

a.) Provide an unsupported private build (!) for me/us that has Windows Hello force-enabled. We will use this to re-gain access and set a new master-password. After that, we re-install a supported public build from the Store/Play.

b.) Change Enpass to NEVER disable biometric MFA without user consent. At the very least, provide a user-configurable option, which, by default, is set to NEVER disable biometric MFA, regardless of the circumstances. Make sure that when this update rolls out, it will automatically re-enable biometric sign-in wherever it was turned off.
Alternatively, move the vault-unlock sign-in into the app, so that we can start the app and access the settings without unlocking the vault. Require vault sign-in when the user wants to access their vault, not before the app starts. 

Hi all, I onboarded a non-technical friend to Enpass Windows and Android. She used Biometric sign-in for a while - until Enpass simply stopped offering to use Windows Hello and biometrics on Windows AND Android for no obvious reason.
(Why does that even happen?)

She always signs in to her device using biometrics, so she is authenticated and trusted. Also, her device is trusted. And Windows Hello is, by definition, MFA. So it should be significantly safer than the master password alone. How can we force Windows Hello unlock instead of Master-Password?

She can't remember the correct master password, so she's locked out of all of her accounts - unless she can use Windows Hello to get back in.

Thanks for any and all help!

Awesome - thanks, got it now with your direct link. FYI: I'm on build 22000.71 now and Enpass seems to be working again as expected.

Before anyone says anything... yes Windows 11 is still in preview. But General Availabiliy is not too far out, so Enpass might as well start working on bugs - just like Microsoft.

I'm on build 22000.65 right now, and Enpass stopped working. It would crash silently a second or two after showing the splash screen.

Naturally, I thought re-installing might help, so I uninstalled it. However, Enpass isn't available on the new Windows 11 Store - only the Edge Browser Extension is. So I'm stuck and can't even reproduce the bug anymore.

How can I help to make Enpass work on Windows 11?

(btw. every single other app works fine!)

Confirmed.

16 hours ago, Dianoga said:

I'm seeing this problem as well.

I think it's also happening on Windows

It is. I'm on 6.3.2 (592)

On 5/23/2019 at 3:40 PM, Dentonthebear said:

Do you mean that Enpass should not be sold through the Windows Store?

No, has nothing to do with the store. Store is fine, as far as I'm concerned. In fact, the store is my preferred app source - on any platform for a zillion reasons beyond the scope of this thread. AFAIK Enpass chose Qt as their app framework, whereas the previous version was a universal Windows app. Both were/are sold through the store. The version 5.x UWA supported Hello just fine, the newer release 6.x has been a nuisance since day 1.

Like clockwork, my Enpass keeps reverting back to light mode, after I set it to dark mode. Not entirely sure when/why this happens, but at least once a week. It's been this way since day 1. Please fix this!

On 4/27/2019 at 11:02 PM, Dentonthebear said:

From what I understand v6 is written on a completely different platform, so maybe Windows Hello is proving more difficult to integrate than it was in v5.

Indeed. Which means Enpass chose the wrong platform.

Why does Enpass keep reverting back to the light theme? I keep setting the dark theme, but every couple of days light theme comes back. Please stop messing with my settings.

@Vikram Dabas Vikram, I'm starting to get a horrible feeling... Why do you need the Master Password once at system startup and then never again? Your own explanation is more than cryptic about this: https://www.enpass.io/docs/security-whitepaper-enpass/quick_unlock.html

Your own logic, indeed the reason this app exists, is that passwords are evil. But you actually recommend typing the master password every time (!) you restart a device?! Oddly enough, you only recommend that for Desktops, not for phones. Strange, especially since Android's security track record is questionable at best.

Need I mention how easy it is, in these days of permanent video surveillance to record all the keystrokes to my keyboard? Or use keyloggers? Or curious passengers sitting next to me on the plane or train? There are reasons why Microsoft and Windows abolished passwords. You, on the other hand, force me to type one of my most important passwords every time I restart.

Windows Hello is an enterprise grade password-alternative that is totally invalidated by enpass.

Back to my original question: Why do you need my master password at startup? I'm going wager a bet:

1. System starts. Vault is encrypted. Because you haven't figured out how to use Windows Hello for vault decryption yet, you use my master password to decrypt the vault and keep it in temporary storage / RAM.

2. Then you use Hello only to unlock the UI, so the vault becomes human-readable.

3. Why would you need enpass to be running in the background all the time? Because when I disable auto-start, I need my master password ALL THE TIME. 

C'mon admit it, you keep my decrypted vault in RAM and use Hello only to unlock the UI.

Feel free to provide some conclusive documentation / evidence here to prove me wrong!

On 4/10/2019 at 2:01 PM, Vikram Dabas said:

Hi @Damasta

Unfortunately, we do not know of an ETA we can provide for you as there is a user interface issue in Windows Hello dialogue when used in Win32 apps. We are in talks with Microsoft Hello team regarding it, but there is no apparent fix soon. We thank you for your patience and understanding.

So you're telling me that it's Microsoft's fault that I need to use my Master Password once after restarting and never again thereafter? I'm sorry, but that sounds like the usual lame excuse people give when an app doesn't work: "it's Microsoft's / Windows' fault". It always is.

It isn't, It's your fault. You took an awesome product (Enpass V5 UWP) and broke it by abandoning UWP and moving to Qt. Too many long standing, loyal users all over the store and this forum are frustrated as he*l. New customers never knew Enpass V5 so they don't realize what was lost. You spent about a year in beta, so assuming you knew Hello didn't work with Qt, you went ahead with the platform anyway, knowing it was broken.

Most other leading password managers in the store don't seem to suffer from this problem. Oh, wait - most of them are universal! I forgot. And somehow, they also managed to build browser extensions too. And support other platforms.

C'mon … how hard can it be?

Still no real windows hello support... After 4.5 months... When is that coming? 

Still not working...

WHEN IS THIS FINALLY GOING TO WORK? It used to on V5 - why this regression on V6?

WHY DOES THIS STILL NOT WORK!? WHEN WILL YOU FINALLY FIX THIS?

Looks like this is a general problem of the app on ALL platforms. We have an almost identical thread on this over in the Windows forum that's been going on since January. But that confirms it's not an OS issue - this is either by design or something about the Qt wrapper Enpass uses is blocking this function. Either way - SUPER ANNOYING.

On 3/19/2019 at 7:13 PM, U2Coke said:

I don't want any 3rd party having any access to my data.

They don't. Anywhere. Because your vault is encrypted. You could post it on Facebook and no-one would be able to get inside.

On 1/7/2019 at 1:14 PM, Vinod Kumar said:

AHi all,

This feature is planned and you will see it in future update.

Thanks.

Ok, THREE MONTHS in and it still doesn't work! Do you have any idea HOW ANNOYING THIS IS? I normally really don't yell online, but Enpass is costing me time, nerves and resources.

WHEN, Vinod, WHEN?