Enpass Discussion Forum

Say Hello to "full-time Windows Hello" with Enpass Beta ver 6.5.0



Hey Enpassians!

We hope you are doing great and making the most of your time.

The latest Beta v6.5.0 on the Windows Store comes with the ever-awaited "full-time Windows Hello" support. You can continue using Windows Hello even after the system or app restarts. Go ahead and put your biometrics to the test with the new feature.

What's New:

·    One of the most requested features— "Full-time Windows Hello support" is here. Now you need not enter the master password after the system/app restart.

·    Added an option to delete the unnecessary fields from the saved web forms. Navigate to the 'Show Webform' on the detail page of the item.

Fixes:

·    Fixed an issue where some OneDrive users were getting a password-mismatch error as "Password of data on OneDrive is required." Now fixed. Affected users first need to delete data from OneDrive (option to delete data is present while disconnecting the sync from the cloud).

·    A few of our users reported an error code 1208400 while syncing with OneDrive.

·    The issue where the order of the fields is getting shuffled for a custom template on syncing with other devices.

·    An issue where custom icons display as black.

·    Fixed an issue where the deleted items were visible under associated tags.

·    Squashed a bug with CSV importer.

·    Instead of the word TOTP, Enpass now uses the terminology One-time passwords.

·    The issue where a URL marked as private was not masked.

·    Some of the keyboard shortcuts were not working consistently in Enpass assistant.

·    The cloud icon didn't display on the vault list. 

Get your hands on this beta version and share your valuable feedback. If there are other improvements you'd like to see, please leave a comment below.

Cheers!


Hi @Kashish,

I just updated to 6.5.0 and had to re-enable Windows Hello (maybe it got disabled due to the changes made for full-time Windows Hello support). However, it seems like it is not working as intended for me, because it says "Master password is required every time you restart Enpass". So I restarted Enpass and indeed I had to enter the master password.

Are there any additional requirements for the full time Windows Hello support? I know that it worked on my PC using the old Enpass UWP for Windows 10. There I had the full Windows Hello support because I fulfilled all the requirements, i.e. TPM 2.0 enabled, UEFI boot without CSM, SecureBoot enabled. So Enpass UWP was able to use the TPM to safely store the credentials.

Did the requirements change with Enpass 6.5.0 in comparison to the Enpass UWP regarding Windows Hello support?


I am talking about the store version, of course.

I got it working now on another computer, which is a Surface Go tablet from Microsoft. Only difference in configuration which I am aware of is that it's using a different TPM.

The Surface Go is using its Intel fTPM (firmware/platform TPM 2.0), while my desktop computer has a discrete Infineon TPM module (also TPM 2.0, latest firmware). Both claim to fully support "Key attestation".

I remember last time I was using the old Enpass UWP version (which already had full-time Windows Hello), I was using a different discrete TPM module on the same mainboard. It was a Nuvoton TPM 2.0, which I got replaced by the Infineon because it was painfully slow in comparison. However, full-time Hello was working with the former TPM module.

Maybe this could be something for the developers to check? Could it be that Enpass was tested against the built-in Intel/AMD platform TPMs only? For me, using a discrete TPM module was always preferable, because it survives a UEFI or Intel management engine update / reset to defaults without clearing or wiping the TPM.

If I find some time, I will also try to check a few things on my side, like e.g. swapping the different TPMs (Intel vs. Nuvoton vs. Infineon) to see if I can finally get it working again.

Edited by tox1c90

Hey,

@dan45 Enpass v6.5.0 for the Windows platform is still in beta phase. To join the beta program, please revert back to us so that we can go ahead.

@tox1c90 To determine whether the device should support Full-time Windows Hello, Enpass relies on this API provided by Microsoft:

This is the only way to distinguish whether the security keys are generated by a legit Hardware TPM. There is little Enpass can do in this case. The API is not returning attestation info on your first PC and hence the message. UWP version also had the same logic.

Also, please check if there is any firmware update available for your TPM. Windows will mark it untrusted if a vulnerability is found for TPM and restore when updated with a fixed firmware.

Thanks.
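
The check described in the post above, as an added example that is not Enpass code and not part of the original post. The post's link is missing, so the API Enpass actually calls is not shown here; this sketch assumes the UWP `KeyCredential.GetAttestationAsync` call, and the key name and class name are hypothetical.

```csharp
// Added illustration, not Enpass code. Assumption: the attestation call is
// Windows.Security.Credentials.KeyCredential.GetAttestationAsync (UWP).
using System;
using System.Threading.Tasks;
using Windows.Security.Credentials;

public static class HelloAttestationCheck
{
    // Hypothetical key name used only for this example.
    private const string KeyName = "example-vault-unlock-key";

    // Returns true only when Windows Hello created the key and Windows
    // returned attestation data for it. Any other outcome means the caller
    // should keep asking for the master password after a restart.
    public static async Task<bool> CanPersistUnlockAsync()
    {
        if (!await KeyCredentialManager.IsSupportedAsync())
            return false; // Windows Hello is not set up on this device

        KeyCredentialRetrievalResult created =
            await KeyCredentialManager.RequestCreateAsync(
                KeyName, KeyCredentialCreationOption.ReplaceExisting);
        if (created.Status != KeyCredentialStatus.Success)
            return false; // user cancelled, security device locked, etc.

        KeyCredentialAttestationResult attestation =
            await created.Credential.GetAttestationAsync();

        switch (attestation.Status)
        {
            case KeyCredentialAttestationStatus.Success:
                // AttestationBuffer and CertificateChainBuffer are the data a
                // verifier would validate; this sketch only checks presence.
                return attestation.AttestationBuffer != null
                    && attestation.CertificateChainBuffer != null;
            case KeyCredentialAttestationStatus.TemporaryFailure:
                return false; // transient: worth retrying later
            case KeyCredentialAttestationStatus.NotSupported:
            case KeyCredentialAttestationStatus.UnknownError:
            default:
                return false; // no attestation info: master password required
        }
    }
}
```

`RequestCreateAsync` shows the Windows Hello prompt, so this runs only inside a UWP app on a device where Hello is enrolled.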


I've tried Windows Hello with PIN, because I need a new fingerprint stick.

On my laptop with onboard Intel TPM with fingerprint it works fine.

On my PC with separate Asus TPM 2.0 Module (Infineon) it doesn't work, after restart I have to enter the Master-Password.

Can you tell me which TPM module I can buy for my motherboard, that works? Thanks

18 minutes ago, dan45 said:

On my PC with separate Asus TPM 2.0 Module (Infineon) it doesn't work, after restart I have to enter the Master-Password.

Can you tell me which TPM module I can buy for my motherboard, that works? Thanks

Hi @dan45

Before thinking about changing your TPM, check that the firmware is up-to-date, and I would suggest also resetting it.

Microsoft's guide to resetting the TPM: https://is.gd/3bYNYy

Thread on the ROG ASUS forum: https://is.gd/2ll2kh


Hey @dan45

Thanks for getting back.

On 8/26/2020 at 6:02 PM, Garima Singh said:

To determine whether the device should support Full-time Windows Hello, Enpass relies on this API provided by Microsoft:

This is the only way to distinguish whether the security keys are generated by a legit Hardware TPM. There is little Enpass can do in this case. The API is not returning attestation info on your first PC and hence the message. UWP version also had the same logic.

Also, please check if there is any firmware update available for your TPM. Windows will mark it untrusted if a vulnerability is found for TPM and restore when updated with a fixed firmware.

Please go through the above quoted text and the link which is mentioned and let us know if this doesn't help. Thanks.


I wasn't able to get it to work using the Infineon TPM 2.0 module on my Asrock board, despite using the latest firmware.

Also tried clearing the TPM and setting everything up from scratch (Windows Hello, BitLocker TPM and so on...). I also noticed that the event log throws a Certificate Error on each boot regarding the TPM attestation, saying that the public and private key are not cryptographically bound. Most likely this is also the problem that leads to the failed check which Enpass is calling.

However, I was able to fix the problem - by removing the Infineon TPM module and putting the Nuvoton TPM module back in (my board vendor Asrock is actually selling two versions of the TPM 2.0 module - one made by Infineon, the other made by Nuvoton). This fixed both the event log errors as well as the ability of Enpass to use full-time hello.

For people thinking about how to achieve a compatible combination of Enpass, Hello and TPM, I attached a screenshot showing my TPM properties and firmware version.

Full-time Windows hello.png

Edited by tox1c90
  • 2 weeks later...

Hello, maybe it's nice to tell users that they need a TPM chip for this :P, my laptop with built-in chip works correctly, on my desktop I need to buy a separate chip. But thank you so much for this update! Is there a way to not have to click on the Windows Hello icon but automatically use Windows Hello instead of master password? :)

Edited by Remy