Jump to content
Enpass Discussion Forum

Windows Hello - no keyfile


Ivarson

Recommended Posts

When on a Windows-device with compatible TPM and the Hello-integration is turned on, it is possible to delete the Keyfile with the effect that only Windows Hello authentication will be possible.

I am positive by that finding, and believe it could be highlighted in the manual or something (couldn't find it in https://www.enpass.io/docs/manual-desktop/Enpass-Desktop.pdf, it only seem to reflect quick unlock with TPM)

The keyfile of course still has to be stored somewhere safe, but it doesn't have to reside or be visible to the target machine during everyday usage.

that's a huge security benefit if you're using Hello anyway IMHO.

Link to comment
Share on other sites

Hello @Ivarson,

On 2/23/2022 at 3:37 PM, Ivarson said:

When on a Windows-device with compatible TPM and the Hello-integration is turned on, it is possible to delete the Keyfile with the effect that only Windows Hello authentication will be possible.

Enpass uses a Keyfile to add another layer of security. It appends the characters in the keyfile to the master password and uses them together to encrypt your data. On the other hand, Windows Hello is just another method to access Enpass data. Also, I have noted your request to highlight this in the user manual. 

In addition, if you have already created a key file for your Master password, it will be my strong advice never to delete it, even if you have Windows Hello activated. The reason is

  1. In case Windows Hello does not work for some reason, you will need to enter the combination of the Master password and the Keyfile
  2. If you wish to change your master password in the future, the keyfile will be required.
  3. If you choose to remove the keyfile permanently for the next time you log in to Enpass, e.g., using the Master password or Windows Hello, it will require a Keyfile.
On 2/23/2022 at 3:37 PM, Ivarson said:

The keyfile of course still has to be stored somewhere safe, but it doesn't have to reside or be visible to the target machine during everyday usage.

 

A Keyfile is asked while login into Enpass, and it is not mandatory to store it on the target machine only. It can be kept in any location you choose, such as a Pendrive, an email, or a Cloud Account, not necessarily on the target machine.

Link to comment
Share on other sites

I understand this, what I'm saying is that you're missing a point with what Hello can achieve.

Conscider this;

I am an 'advanced' user on Windows-device.

I set whatever security i can for my Enpass, a master password with fairly high entropy and a Key-file.

I activate Windows Hello with full compatibility (TPM 2.0).

I make sure to have a second copy of the keyfile stored safely (maybe on a USB-drive locked into a safe, or whatever) as well as remembering the master password.

I make sure any local copies of the keyfile is deleted.

Now Enpass is limited to Windows Hello's framework and the 'masterpassword' is safely stored in the computers TPM and can't be extracted.

Anything above everyday operations, like changing passwords, exporting vaults would indeed require that keyfile + masterpassword.

The keyfile on the other hand would have much higher risk of being compromised, copied or stolen etc.

 

It's not a revelation, i just think people should be aware that the keyfile shouldn't be needed atrest permanently on a Windows-device as long as you have it stored safely somewhere else. This is a upside especially until you've implemented Yubikey-support (a real secure element), if that's still on the roadmap.. 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...