Enpass Discussion Forum

Support for U2F


diego.narducci88


  • 4 weeks later...

It would be great if one could log in to Enpass using a FIDO U2F security key (or any other U2F dongle, e.g. the YubiKey).
Would that allow us to get rid of the last password to remember (the master password to Enpass)??
That would be replaced by a USB device (or even a biometric scanner that supports U2F :-)).


If you have a YubiKey you can programme it to write a static password. I would combine it with a short password so that you would enter something yourself and then let the YubiKey write the rest.


Hi all,

Enpass is an offline password manager and doesn’t keep any of your information or Enpass data on any cloud/server. Two-factor authentication is used in online services, where the requested data is transmitted after validating the user through a second factor (generally an OTP on phone or email) and works as an extra protection, which is not at all required in the case of offline services as your data is with you only.

Let's consider for a moment that, somehow, Enpass implements TOTP support (again, it's just a consideration); but how would that OTP be verified through a server, as we don't have any information? Being offline is not a limitation of Enpass but gives you peace of mind that your data is with you only. Also, Enpass is encryption software which recognizes your Master Password as the only key to get your data. So just think for a moment: if anyone knows your master password, why would he go into the hassle of OTP stuff, as he just needs your database from the device and can open it using your compromised master password.

 


Would be cool if the database file itself could only be opened with the Master Key AND some sort of 2nd authentication. But that isn't how 2FA works right? ^^ Would mean that the data would have to be double encrypted...one time with the 2FA and the other with the Master Key and you would need both to get to your data.


Using a yubikey with a static password is a great idea... thanks @morten_bendtsen (I did not know that this is possible).
It is exactly what I wanted to do (although I just found out that this won't work on an iPad... so I'm stuck here somehow :-))


As far as I know there is a "proof-of-concept" with sqlcipher and mfa (https://github.com/sqlcipher/sqlcipher-mfa), so maybe that's something to consider (that's what you talked about @Stahlreck, right??) :-)

@Anshu kumar:
I do not get your point... why should U2F be only limited to online services??
In fact extending the master password with a second factor would make things more secure, wouldn't it??


Thanks all for your inputs on this matter. Here I would like to point out how Enpass differs from an online service.

In online services, the user has to prove his authenticity to the service provider (other party) to access the resources. Online services typically authenticate based on username/password and additionally a second factor like TOTP etc. Once you are successfully authenticated, it will send the required data to you or perform any other operations on your behalf.

While in case of Enpass there is no one controlling your data at other end. You are the sole owner of your data as it is on your local disk. So, your data is always with you without even a single factor. However, it is always encrypted with your master password. So, Enpass is just a tool to decrypt that data for you if you provide correct master password.

 

But it doesn't mean that we don't want to take our chances with Yubikey. You guys are right saying that we can add Yubikey support by splitting master password in two parts (user provided + static from Yubikey) and definitely the approach will work. However, Yubikey is not compatible with all mobile devices. We have to wait until Yubikey supports all major mobile platforms before promising anything to you. Also, we have limited resources here and at the moment, we are very busy with other important features like attachment support. 

@Niko_K the link you sent is experimental code and offers security and has limitations like the above solution.

Thanks again for all your inputs guys.


20 hours ago, Vinod Kumar said:

You guys are right saying that we can add Yubikey support by splitting master password in two parts (user provided + static from Yubikey) and definitely the approach will work. However, Yubikey is not compatible with all mobile devices. We have to wait until Yubikey supports all major mobile platforms before promising anything to you. Also, we have limited resources here and at the moment, we are very busy with other important features like attachment support.

You (Enpass) don't really need to do anything on the desktop side, since it should be pretty easy for a user to configure this himself. Also, without me being able to test this, there might also be a way to make this work on mobile platforms with the current version of Enpass, as long as you have an NFC-enabled YubiKey (the case linked to is with LastPass but you might be able to copy it?). See here: http://forum.yubico.com/viewtopic.php?f=26&t=938 and here: http://forum.yubico.com/viewtopic.php?f=26&t=1422

Quote

"Then download the Personalization Tool from Yubico. In the Personalization tool, select the "Tools" option from the menu at the top.

In the Tools menu, select the NDEF Programming Option.

In the NDEF Programming option page, select Configuration Slot 1. Set the NDEF Type to "URI (http://..)", then in the NDEF payload field, type: "https://lastpass.com/mobile/?otp="

Press the Program button to write the NDEF2 string to your YubiKey NEO.

Now you can use the YubiKey NEO when logging in via the LastPass Android app, or used as a normal YubiKey on your desktop."

Just found this app also:

https://play.google.com/store/apps/details?id=com.yubico.yubiclip&hl=en

Edited by Guest
Added a third link

@Vinod Kumar:
Yes... the code is experimental (that's why I talked about "proof-of-concept"), but it also shows that something like U2F makes sense for offline applications, doesn't it?

@morten_bendtsen:
NFC in a YubiKey is a great feature for mobile devices, but do you know about support for iOS (and maybe Windows Phone)?
Isn't this something that works with android only?

 

However, I will try to grab some YubiKeys and do some testing with them (for logging into the OS, for example :-))


  • 4 weeks later...
On 7/9/2016 at 0:07 PM, Niko_K said:

NFC in a YubiKey is a great feature for mobile devices, but do you know about support for iOS (and maybe Windows Phone)?
Isn't this something that works with android only?

@Niko_K

Sorry for the late reply, but there seem to be some possibilities, but it doesn't seem that elegant: 

https://www.yubico.com/start/ipad/

https://www.yubico.com/faq/yubikey-ios-device-ipad-iphone/


As a LastPass user who is giving Enpass a trial, I'd like to add my name to the list of people who'd find 2FA via YubiKey helpful. Without consideration for online vs local, isn't a general principle of security that it's best to authenticate via something you know (password) plus something you have (YubiKey)? In LastPass I don't trust any of my devices, so I always require the YubiKey and the password to unlock (in reality I think their implementation on Android with YubiKey is almost useless, as your logged-in state even survives reboots and system cache clearing). I do keep paper unlock codes in a safe deposit box just in case the 2 registered YubiKeys stop working. The advantage of this setup is that it allows me to keep a relatively simple password (49 bits of entropy) with the added protection of the YubiKey.

Given that Apple isn't giving access to NFC for alternatives to ApplePay or any other application, I wouldn't hold my breath waiting for them to get on board NFC based 2FA before considering it for other platforms. Didn't AuthenTec drop out of FIDO as soon as it was purchased by Apple?


@morten_bendtsen: Apple iOS devices are only supported up to iPad 2. Everything more recent (iPad 3+, iPad mini...) will not work with the linked possibilities (due to some change in the Apple firmware, I guess).

In general I am not so sure anymore that the solution has to be U2F and that the password has to be replaced by it. A better approach seems to be adding a YubiKey to the password...
However, YubiKeys allow logging in to Windows using HMAC-SHA1, so maybe this is the way to go when adding some security using YubiKeys as a second factor.


  • 1 month later...

to anyone who hasn't considered this: when the resource is already accessible (on your hard drive) there is NOTHING which 2FA with a variable (OTP, U2F) would add.

the sole reason is because the data is already there. you can't encrypt with a variable.

@Niko_K the Yubi for Windows with the HMAC-SHA1 also does nothing to encrypt data, it is just to prove that you have the key. but the problem is that when someone can access the data on your hard drive already, then your nice YubiKey won't help you.

The ONLY possible second factor that can really be taken into consideration are smartcards, HSMs and similar which would do the decryption of the DB by themselves.

but a signature/Hash based second factor (u2f, OTP and so on) is pretty much useless for offline stuff since the data is already there.

when you have for example your lastpass account with 2FA it's simple why it works.

since LastPass is a mostly online-only service, LastPass can use the second factor to control the data flow to you, meaning if your second factor doesn't match, LP won't hand the database over to you. but since a second factor is made in a way that the thing you enter cannot be used to restore a shared secret or whatever, it is not possible to encrypt with it.

 

there is only ONE possible scenario for one-time passwords, but it is 1) a horrible misuse of the concept and 2) if you get out of sync by even 1 try, you can say goodbye without having to try all the OTPs.

that scenario would be as the following:

  • when the user sets OTP for the database first, you get your HOTP (counter-based) OTP to the phone and of course verify it to the DB
  • when the DB gets closed it gets encrypted by the password and the HOTP for (current counter+1)
  • when the user opens the DB he enters both the password and the OTP for the next counter
  • rinse and repeat.

the only problem is, as I said, if you don't keep track of your counter and it gets out of sync (e.g. someone accidentally or maliciously pushing the button) you can say goodbye, especially if you for example have a hardware token with a non-resettable counter.

while online services know the shared secret (the OTP seed) they can adjust for desyncs in a certain range, because they can just generate OTPs for validation as needed, but for encryption this won't work. so the scenario above is horribly vulnerable to essentially killing your DB and is NOT recommended.


  • 5 months later...

I agree with Diego -

In terms of usability, I've really enjoyed getting familiar with the product. However, adding the secondary level of authentication with a key file /2FA /Yubikey would push this ahead of the competition (Dashlane/Keepass come to mind) in terms of security. If there was a strong chance of being hacked while traveling, I would recommend a password manager with key file capability.

Cheers,

JC


  • 4 weeks later...
On 7/8/2016 at 2:50 PM, Vinod Kumar said:

[ cut ]

But it doesn't mean that we don't want to take our chances with Yubikey. You guys are right saying that we can add Yubikey support by splitting master password in two parts (user provided + static from Yubikey) and definitely the approach will work. However, Yubikey is not compatible with all mobile devices. We have to wait until Yubikey supports all major mobile platforms before promising anything to you. Also, we have limited resources here and at the moment, we are very busy with other important features like attachment support. 

@Niko_K the link you sent is experimental code and offers security and has limitations like the above solution.

@Vinod Kumar IMO it should be "user provided" or "static from Yubikey" (and not the combination of both).

  • first reason is that the "user provided" password is a backdoor, if the YubiKey is lost or broken.
  • Secondly, we are a bit tired of typing ^_^
  • 3rd, it's a super-long password which cannot be broken/guessed in any way, and the few characters that you'll add won't add any security (yes, if somebody steals the key, they can use it to login, but they need to steal the laptop together with the key.... let's go back to real life scenarios -_- )

There is a fork of KeepassX for Linux which supports YubiKey static password.... unfortunately they are not providing a backdoor password, and it's a bit scary to use it. There is experimental code: you need to query the YubiKey (with the proper API, libraries, tools, whatever) to grab the static password.


On 30.3.2017 at 7:26 PM, maxdamo said:
  • 3rd, it's a super-long password which cannot be broken/guessed in any way, and the few characters that you'll add won't add any security (yes, if somebody steals the key, they can use it to login, but they need to steal the laptop together with the key.... let's go back to real life scenarios -_- )

it can be quite a real life scenario, especially with the nano-sized YubiKeys.

also, instead of making 2 different passwords and accepting both, you could just set whatever you want as the static pass for the Yubi and use that as decryption


I'm looking to defect from LastPass but I need YubiKey or some other hardware two-factor authentication. Smartphone or SMS for 2-factor is not an option for me. I need to drop LastPass because the lastpass.com domain is blocked in my corporate network.

It looks like there are enough requests to justify this feature. 2 factor auth would put enpass in the big leagues!

Thanks.


@My1 - if a real 2FA (and I would always prefer Google Authenticator's service therefore) a second factor would still be an excellent idea! 

I think that most Enpass databases are somewhere in the cloud, so it'll be more than sensible to add 2FA. If necessary, a kind of keyfile (as KeePass offers) would still be better than nothing...

Just my 2 cent.

 


well, 2FA would work if the key file is ONLY in the cloud; as soon as someone got your keyfile through one way or another, the second factor won't matter anymore.

meaning you would have to delete it after each sync.

but yeah, a key file is one approach but essentially just another type of super long password.

if anything, a smartcard would be the only option, if that's even somehow possible to do

Edited by My1

I messed up a bit, sorry, just woke up.

I mean that as soon as someone has your password database, most common 2FA isn't going to stop anyone.

a keyfile in contrast only adds a super-long password, and a dedicated keyfile with randomized contents is something that for example a virus or stuff could easily snoop up. in combination with the fact that Enpass would be installed, a virus could snatch the key file and PW database and get out, and the password could then be bruteforced.

other than a real second factor, the key file can be copied a thousand times over and no one would notice.

