Kashish

Say Hello to "full-time Windows Hello" with Enpass Beta ver 6.5.0


Hey Enpassians!

We hope you are doing great and making the most of your time.

The latest Beta v6.5.0 on the Windows Store comes with the ever-awaited "full-time Windows Hello" support. You can continue using Windows Hello even after the system or app restarts. Go ahead and put your biometrics to the test with the new feature.

What's New:

·    One of the most requested features— "Full-time Windows Hello support" is here. Now you need not enter the master password after the system/app restart.

·    Added an option to delete the unnecessary fields from the saved web forms. Navigate to the 'Show Webform' on the detail page of the item.

Fixes:

·    Fixed an issue where some OneDrive users were getting a password-mismatch error as "Password of data on OneDrive is required." Now fixed. Affected users first need to delete data from OneDrive (option to delete data is present while disconnecting the sync from the cloud).

·    A few of our users reported an error code 1208400 while syncing with OneDrive.

·    The issue where the order of the fields is getting shuffled for a custom template on syncing with other devices.

·    An issue where custom icons display as black.

·    Fixed an issue where the deleted items were visible under associated tags.

·    Squashed a bug with CSV importer.

·    Instead of the word TOTP, Enpass now uses the terminology One-time passwords.

·    The issue where a URL marked as private was not masked.

·    Some of the keyboard shortcuts were not working consistently in Enpass assistant.

·    The cloud icon didn't display on the vault list. 

Get your hands on this beta version and share your valuable feedback. If there are other improvements you'd like to see, please leave a comment below.

Cheers!

  • Like 1


Hi @Kashish,

I just updated to 6.5.0 and had to re-enable Windows Hello (maybe it got disabled due to the changes made for full-time Windows Hello support). However, it seems like it is not working as intended for me, because it says "Master password is required every time you restart Enpass". So I restarted Enpass and indeed I had to enter the master password.

Are there any additional requirements for the full time Windows Hello support? I know that it worked on my PC using the old Enpass UWP for Windows 10. There I had the full Windows Hello support because I fulfilled all the requirements, i.e. TPM 2.0 enabled, UEFI boot without CSM, SecureBoot enabled. So Enpass UWP was able to use the TPM to safely store the credentials.

Did the requirements change with Enpass 6.5.0 in comparison to the Enpass UWP regarding Windows Hello support?


I am talking about the store version, of course.

I got it working now on another computer, which is a Surface Go tablet from Microsoft. Only difference in configuration which I am aware of is that it's using a different TPM.

The Surface Go is using its Intel fTPM (firmware/platform TPM 2.0), while my desktop computer has a discrete Infineon TPM module (also TPM 2.0, latest firmware). Both claim to fully support "Key attestation".

I remember last time I was using the old Enpass UWP version (which already had full-time Windows Hello), I was using a different discrete TPM module on the same mainboard. It was a Nuvoton TPM 2.0, which I got replaced by the Infineon because it was painfully slow in comparison. However, full-time Hello was working with the former TPM module.

Maybe this could be something for the developers to check? Could it be that Enpass was tested against the built-in Intel/AMD platform TPMs only? For me, using a discrete TPM module was always preferable, because it survives a UEFI or Intel management engine update / reset to defaults without clearing or wiping the TPM.

If I find some time, I will also try to check a few things on my side, like e.g. swapping the different TPMs (Intel vs. Nuvoton vs. Infineon) to see if I can finally get it working again.

Edited by tox1c90


Hey,

@dan45 Enpass v6.5.0 for the Windows platform is still in beta phase. To join the beta program, please revert back to us so that we can go ahead.

@tox1c90 To determine whether the device should support Full-time Windows Hello, Enpass relies on this API provided by Microsoft:

This is the only way to distinguish whether the security keys are generated by a legit Hardware TPM. There is little Enpass can do in this case. The API is not returning attestation info on your first PC and hence the message. UWP version also had the same logic.

Also, please check if there is any firmware update available for your TPM. Windows will mark it untrusted if a vulnerability is found for the TPM and restore it when updated with a fixed firmware.

Thanks.


I've tried Windows Hello with PIN, because I need a new fingerprint stick.

 

On my laptop with onboard Intel TPM with fingerprint it works fine.

On my PC with separate Asus TPM 2.0 Module (Infineon) it doesn't work, after restart I have to enter the Master-Password.

Can you tell me which TPM module I can buy for my motherboard, that works? Thanks

18 minutes ago, dan45 said:

On my PC with separate Asus TPM 2.0 Module (Infineon) it doesn't work, after restart I have to enter the Master-Password.

Can you tell me which TPM module I can buy for my motherboard, that works? Thanks

Hi @dan45

Before thinking about changing your TPM, check that the firmware is up to date; I would also suggest resetting it.

Microsoft's guide to resetting the TPM: https://is.gd/3bYNYy

Thread on the ROG ASUS forum: https://is.gd/2ll2kh


Hey @dan45

Thanks for getting back.

On 8/26/2020 at 6:02 PM, Garima Singh said:

To determine whether the device should support Full-time Windows Hello, Enpass relies on this API provided by Microsoft:

This is the only way to distinguish whether the security keys are generated by a legit Hardware TPM. There is little Enpass can do in this case. The API is not returning attestation info on your first PC and hence the message. UWP version also had the same logic.

Also, please check if there is any firmware update available for your TPM. Windows will mark it untrusted if a vulnerability is found for the TPM and restore it when updated with a fixed firmware.

Please go through the above quoted text and the link which is mentioned and let us know if this doesn't help. Thanks.


So now I cleared the module via the BIOS; after that I disabled Windows Hello in Windows and reactivated it. Then I enabled Windows Hello in Enpass and now it works. Great work, thank you :)

  • Like 1


I wasn't able to get it to work using the Infineon TPM 2.0 module on my ASRock board, despite using the latest firmware.

Also tried clearing the TPM and setting everything up from scratch (Windows Hello, BitLocker TPM and so on...). I also noticed that the event log throws a Certificate Error on each boot regarding the TPM attestation, saying that the public and private key are not cryptographically bound. Most likely this is also the problem that leads to the failed check which Enpass is calling.

However, I was able to fix the problem - by removing the Infineon TPM module and putting the Nuvoton TPM module back in (my board vendor ASRock is actually selling two versions of the TPM 2.0 module - one made by Infineon, the other made by Nuvoton). This fixed both the event log errors as well as the ability of Enpass to use full-time hello.

For people thinking about how to achieve a compatible combination of Enpass, Hello and TPM, I attached a screenshot showing my TPM properties and firmware version.

Full-time Windows hello.png

Edited by tox1c90
  • Like 1


Hello, maybe it's nice to tell users that they need a TPM chip for this :P, my laptop with built-in chip works correctly, on my desktop I need to buy a separate chip. But thank you so much for this update! Is there a way to not have to click on the Windows Hello icon but automatically use Windows Hello instead of master password? :)

Edited by Remy


Hi @Remy,

Currently, there is no way to use Windows Hello without clicking on the icon at the first launch. However, we do have plans to improve the functionality, and an update with the fixes will be available with the subsequent update.

 

 
