security Please add 2FA to enpass vaults

[Fadi]

As i have been using enpass for past several months i even got to know about enpass key file to enhance vault security but there are still few concerns which i am about to share.

1: for security new users do not know about enpass key and once a new user have created primary vault then it is almost not possible for them to move to another vault and keep primary vault without enpass key. There is no option to set or change default primary vault if i want to.

2: Even if you have created primary vault with enpass key it can be hacked very easily. Enpass Database + keyfile is located on same system once a hacker got into your pc using RAT which is very common scenario they can access your all files in drive and using key logger they can capture your password for enpass. So when a hacker have access to a pc having enpass keyfile does not make it secure. I am a security researcher and i know what i am talking about. Now a days malware have became so intelligent they can be asked to find specific file on that computer or even on that network and once they find name of extension matching file it can be uploaded to hacker's server. having 2FA on Authy or Google Authenticator or which ever you use is much more reliable way to add an extra layer of security to your enpass vault.

 

Why don't we put a 2FA by default for primary vault? Even if it is protected by key file on new device vault must ask for 2FA code? It can be implemented and user gets to choose if they want keyfile and 2FA both activated or only key file or only 2FA.

 

I have tested the scenario (2) explained above using my personal computers and i was able to access it very easily. It is my humble request to add this 2FA including keyfile to make enpass more secure and a single keyfile and a password is not enough to secure it. even if we keep keyfile on a USB drive our vault needs it and when we will connect our USB to that pc for vault unlocking it can be accessed by hackers like all other normal drives.

Also please add feature to change primary vault if someone creates a new vault with keyfile or how ever there must be an option to change primary vault. I hope i am not missing anything and was able to explain it clearly but if i am missing something please do let me know.

Edited May 26, 2022 by Fadi

[Abhishek Dewan]

Hi @Fadi

I certainly understand your point and would like to share that the Keyfile that Enpass generates contains a secret key that gets appended to the master password, and the combination of the two is used to encrypt the Enpass data. It is, of course, very important that you never lose the Keyfile and save it in a secure location. 

Security researchers advise that the Keyfile with a good amount of entropy ensures higher security to your data. Password entropy predicts how difficult it is to crack a given password through guessing or brute force cracking. Enpass generates high entropy random data for Keyfile using Cryptographically Secure Random Number Generator which make every brute-force attack infeasible.

Moreover, I have also duly noted your comments and have shared it with the dedicated development team so they may check the feasibility of your request and implement it for future Enpass versions. Thanks for your patience in the meantime.

#SI-2713

[Fadi]

@Abhishek DewanThank you for your concern but once a system is hacked and hacker got all files of enpass and he keylog that system there is no point in bruteforcing as he already have password and can unlock vault. Adding 2FA to secure it more will be a better way even if a hacker got keyfile, vault and password he still must need 2FA code to access that vault.

[stefman]

Hello @Abhishek Dewan,

exactly this feature for the same reasons as @Fadi I would also like to see in Enpass. It's no secret that a password is no longer considered secure these days. Also, the option of a key file is better than just a password, but as @Fadi notes, this is of no use if you have caught an encryption Trojan that encrypts all drives (including connected USB sticks). Therefore, a 2FA for Enpass itself would be a much better option. I would be very happy if this option can be implemented in a timely manner.

[Abhishek Dewan]

Hi @stefman

I can certainly understand the usefulness of the requested feature. I have shared your comments as feedback with the dedicated development team so they may consider this for future Enpass versions.

[Fadi]

Thank you @stefman and @Abhishek Dewan i hope this will be implemented very soon.

[Fadi]

Any updates about this?

[Abhishek Dewan]

Hi @Fadi

Our dedicated team is still looking into the feasibility of this feature. While I do understand the importance of the requested feature, I'm afraid I will not be able to share any ETA for the same.

[lukec]

Hi,

I agree, with this post entirely. I think 2FA should be implemented as soon as possible as it is the biggest security issue with Enpass and the only reason why I haven't fully converted to Enpass from my current provider.

I find it a bit strange that a vault of the most important information we own (passwords) wouldn't offer this as standard and that Enpass can offer one-time passcodes for lots of sites but this can't be in it's own app?

Even for now if you could implement 2FA via a phone text until a real authenticator such as Authy or similar can be used in the future.

 

 

[Abhishek Dewan]

Hi @Luke

Thank you for your valuable feedback.

Our dedicated team has already been notified regarding this feature request so they may implement it for the future Enpass versions. We appreciate your patience in the meantime.

[Fadi]

Well since past 2 years i have been using enpass and it worked as expected but some how it was lack in security of data as i described it few months ago in this thread below

I have been waiting for Enpass team to get it done but it seems there is no chance of getting 2FA any sooner and i have ended up deciding to stop using enpass until it gets this feature as there is no point is using something what it is supposed to do at it's best but this issue regarding stealing data and password from enpass using malware is scaring me. Thank you enpass team for listening to my requests. Even though I am a lifetime subscriber I am going to stop using it. Sad to leave enpass and moving to other much secure option as i am a security freak and my 20 years of online experience dosn't allow me to use something unsecure as enpass. Have a great future and will see if enpass gets much more secure than maybe some day i will move back to it but until than BYE BYE

[Abhishek Dewan]

Hi @Fadi

Enpass team apologizes for this issue. We always strive to improve our app, based on regular customer feedback, so that it meets every user's needs. 

 

As mentioned previously, Enpass' data is fully encrypted by 256-bit AES encryption with 100,000 rounds of PBKDF2-HMAC-SHA512 using the peer-reviewed and open-source encryption engine SQLCipher, an open-source, peer-reviewed encryption engine. Additionally, we offer our users the option of adding a Keyfile as an additional layer of security.

 

In response to your feedback, I've already informed Enpass' development team about adding Multi-Factor Authentication to Enpass Vaults, Unfortunately, I'm not yet able to provide a specific timeframe for this particular feature request since a variety of factors influence the removal, implementation, or improvement of an app feature (feasibility, demand, or other factors).

 

Your patience and loyalty in being with us are always appreciated. For more information, please do reply to us at support@enpass.io, we are just an email away!

[lukec]

Well, that's a shame. I think the fact that this thread is two years old and still not implemented is a pretty obvious sign that Enpass isn't prioritizing this and the reason I've stopped using it.

I understand that things like this take time, but two years for 2FA on a password manager (the one thing you want to be secure) is far too long. Nearly all of your competitors offer this as standard. This is too long, in my opinion. 

[stefman]

Hi @Abhishek Dewan,

I can understand @Fadi and also understand the decision. I must also honestly say that because of this missing feature, I can no longer guarantee to stay with Enpass forever. You know that a password (what you know) alone is no longer considered secure nowadays. Yes, Enpass uses the key file as a second factor (which it must have) but that is honestly too easy to compromise. If you follow your update cycle, version 6.9.0 should be coming soon and version 7.0.0 sometime in May / June 2023. Maybe your developers will manage to implement 2FA for Enpass themselves by then. That would be a great feature for version 7.0.0, right?

[Fadi]

@stefmanWell it sounds like no buddy cares about security. Even after what happened to LastPass Enpass must consider adding security layers for data stored in enpass but no support for hardware keys no support for 2FA. No major new features released since last year, and we do not even know where the roadmap is located, so we can see when it will be implemented and i have no longer any hope for this in near future.

[Steve Hansen]

I'm sorry @Fadi but how can 2FA protect a local encrypted file? It's just a fixed key that is used to generate a unique 6-digit number each 30 seconds, there is nothing with 2FA that could possible add any protection to locally encrypted files.

[Thoughts?]

As mentioned by Steve Hansen, it's technically not possible to use 2FA (as in TOTP authentication), to secure an encrypted vault, physically stored on your computer. 

However, if you are concerned about your computer, Enpass vault and master password, falling into the wrong hands, it's possible to add another layer of security, a second factor if you will, to your vault.

Add Enpass's key file to your vault, as normal, then use an encryption tool, to encrypt the key file. If Enpass can't find/read the key file, the vault won't open even with the master password. 

Encryption could be as basic as a password-protected zip, but a more robust set up is via Cryptomator. Create a Cryptomator vault (folder) on your computer, choose an appropriate password, unlock the Cryptomator vault and place your Enpass key file inside the revealed folder. Open Enpass and point it to the new key file location. 

Cryptomator can be set to a timeout (locking all vaults), or remain open until the computer is shut down. Simply turning your computer off would lock the Cryptomator vault and re-encrypt the key file. On starting the computer, you and or a potential thief, would need, your Enpass master password, and your Cryptomator password, for that vault, to open/decrypt your Enpass vault. Removing the hard drive from your computer wouldn't change anything, it would actually better hide the key file, as it can only be revealed through the Cryptomator app!

I've not tested this approach on a mobile phone, but Cryptomator do also have a mobile version of their software. Cryptomator's desktop software is free and open source.

In a perfect world, the Enpass desktop software and mobile app would themselves provide the means of encrypting/securing the key file, but the approach I've suggested could be used as of today.

 

[Fadi]

@Steve Hansen @Thoughts? Well there is another option also which can be implemented which is using hardware security key like yubikey or you can save that 2FA code in encrypted enpass database. This will add security layer because that 6 digit code is not generated on computer instead it will be generated on mobile device. Until we do not enter 2FA or plugin hardware key it will not be unlocked like key file. But keeping key file on same pc even in encrypted cryptomator drive won't work because in the end you have to unlock cryptomator to access key file. But otp gets generated on mobile phone or using yubikey is much more safer way to implement encryption instead of using key file. I am amazed to hear that it cannot be implemented or even will not protect encrypted files if that is the case than why bitwarden has it? If you are not using cloud version and using self hosted version like enpass it still has those security implementations to secure the vault and database. If 2FA or FiDO2 do nothing to secure anything then i think all those giants are dumb who are moving to those options doesn't matter if it is online or offline.

Thank you Thoughts? But the approach you have mentioned i have already implemented. The problem is once your cryptomator vault is unlocked it can be access remotely and without unlocking vault no one will be able to access their enpass database and in real world case scenario if your system is hacked by a RAT then cryptomator vault/drive can also be accessed remotely.

So in short 2FA or FIDO can be implemented. There is not even a single possible reason or explanation which justifies that it cannot be implemented or implementation of these will not secure your database.

[Steve Hansen]

hey @Fadi it's just not technically possible to protect a local file like that, you can only use a secure long master password for symmetric encryption, where a local keyfile can be used for extra entropy.

Totp/fido/email magic links/... are all features that can only be used when protecting an external service.

For your information, directly from the Bitwarden documentation: https://bitwarden.com/help/external-db/ if you self host it, you are just connecting to a Microsoft MSSQL database, so with the sa password you'll also have access to all your credentials (encrypted but just the same as having an enpass database). SQL server has features like TDE to encrypt data at rest, but they will also only protect the file outside the system, because if the SQL server didn't have the key to unlock it, some DBA would have to enter a password every time the database instance was restarted. And SQL server's Always Encrypted just moves the key outside the database instance, to the application layer, which will also need to know the key that is used.

FIDO U2F can not be used for symmetric encryption: https://security.stackexchange.com/a/105808/71765 which also makes sense, otherwise your whole database would be lost when it works like that, and they always recommend having a spare key, because they don't actually encrypt the data just provide a secure attestation certificate.

Edited January 19, 2023 by Steve Hansen

[Steve Hansen]

@Fadi the guys at KeePassXC (similar situation), can hopefully explain it better than me, found 2 relevant parts in their FAQ:

https://keepassxc.org/docs/#faq-yubikey-howto (so you can use a yubikey to add some extra protection, but you'll have to backup that key in secure location, and bricking your key will result in a lost database, from a UX point I wouldn't enable it like this, you could have multiple keys with the same secret https://keepassxc.org/docs/#faq-yubikey-multiple-yubikeys so that would be something I could do, but you'll still need keep a backup of that key)

https://keepassxc.org/docs/#faq-yubikey-why-hmac-sha1 this also confirms my "protecting an external service"

[Thoughts?]

@fadi Just furthering Steve Hansen's comment on Bitwarden. 2FA within Bitwarden, protects purely logging into your online account and database. If you also use Bitwarden's desktop software, the vault file, physically on your computer, is not and cannot be protected via 2FA (TOTP). Only using Bitwarden completely online,  (no desktop software or local file), does 2FA, add a layer of protection, to your vault.

[Fadi]

@Thoughts? So in short 2FA or FIDO2 cannot be implemented with enpass and once your system got hacked and hacker keylogged you and downloaded your database and enpass key file there is nothing you can do to protect yourself? Bitwarden is way better than loosing my all passwords just because enpass is not able to implement 2FA which i am not sure why is not possible to implement even with yubikey. Because no matter where you secure your key file even in cryptomator enpass requires access to that file and once the cryptomator vault is unlocked you can access all files using any RAT. So how come enpass calls it self secure when you have to have access to key file or master password which can be keylogged or even key file can be stolen? Just because enpass is encrypting database is not enough. What enpass is doing to secure that database once key file and database and master password gets stolen?

[Thoughts?]

Hello Fadi - 2FA as in TOTP (authenticator app Authy, Aegis etc.) cannot physically be used to add another protective layer to 'any' offline vault file, physically on your computer. Bitwarden is identical in this regard. If someone stole your computer, and you had Bitwarden desktop installed, providing the computer was kept offline, and the thief knew your e-mail and master password, they could open your Bitwarden vault, even if you had set up 2FA on your account. 

As mentioned in an earlier comment, encrypting the key file on your computer is a way to add another protective layer. In this situation, the thief would need 5 things. 1 - To know your Enpass e-mail, 2 - master password, 3 - the key file location, 4 - to know that the key file was encrypted and 5 - to know the password used to encrypt the key file. Online or offline, without all that information, the Enpass vault would not open, even if they knew your e-mail and master password. 

Another alternative is to store your key file on a USB stick. Without the USB, the key file would be inaccessible, making it impossible to open the vault, even with the correct e-mail and master password.   

2FA as in TOTP (authenticator app) protects online access to files and information, it's not designed to protect physical files, when offline. 

Stored in your personal cloud, Dropbox, OneDrive etc. your Enpass vault(s) are protected by 2FA, when enabled in your cloud account. It is purely the offline element of Enpass, that a 2FA authenticator app can't protect. For that to change, Enpass would need to be an online password manager. Which comes with a mixture of advantages, and disadvantages. The key disadvantage being, without access to the internet, or if the company's servers are down, an online-only password manager blocks you from accessing your own passwords.

I completely understand your thoughts and concerns, but in order to protect offline physical files, the approach itself needs also to be offline. Encrypting the key file or storing it externally are two such methods, and there are likely others. 

Whether Enpass might consider a hybrid online approach I don't know, but for myself what I value most about Enpass is having complete control of where my vault(s) are stored, enabling 2FA, in each cloud storage location, having a secure, memorable master password and vitally being able to access critical information regardless whether I'm online or offline or whether Enpass' servers might be down.

With every password storage set up, regardless the method, it is ultimately the responsibility of the end user to protect that information. Enpass is built as an offline password manager and why it differs from others. If that approach isn't practical for you, then possibly a different online password manager might be more suitable. 

Edited February 1, 2023 by Thoughts?

[hacked_user]

@Fadi Just wanted to point out the scenario you described here recently happened to me and at a great cost. Granted my master password wasn't as strong as it could've been but a hacker got remote access to my desktop PC and downloaded my Enpass master vault and then brute forced their way in. This gave them access to my cryptocurrency accounts. There are a lot things I could've and should've done differently but if there were a way to stop a hacker from importing a stolen vault (email 2FA?) it would've saved me ~$250K. I think I understand the solution @Thoughts? proposed but that would require decrypting the vault every time you want to access/update it on each device which isn't really convenient/feasible. Needless to say this isn't a concern for me any longer since I've lost everything but I will be keeping on eye on this thread for any possible future solutions out of interest.

[Fadi]

Well due to this lack of security feature I have started using Bitwarden which seems to be much more secure. @hacked_user I am just in love with enpass, but I cannot risk it for a few accounts including my bank and everything else I have moved those logins to Bitwarden which requires more security. I just hope they will come up with a solution since security key needs to be accessed by enpass to unlock it even if you use cryptomator or any other tool to encrypt it when you want to load it in enpass you have to unlock that encryption for enpass to load that file which also allow remote access to access that mounted drive. So having a security key file is not a reliable solution in my opinion. FIDO2 can be implemented since it is even an offline password manager but still it goes to enpass server or to App Store on Mac and Windows to check and receive updates, so it is not 100% offline. I think if they want to implement this it can be done. I understand @Thoughts? explanation but there are encryption tools who are using Yubikey (Example: HiCrypt.com, Veracrypt.fr) I am not a programmer or don't know much in depth stuff all I need is a much more secure way to encrypt my enpass data with 2FA or security key. I own almost every company: Trezor, Ledger, Yubikey 5, Nitro key 3, Token2, Solo key, Onlykey. I know it is a bit complicated and time-taking process to implement something like this, but this is something which needs serious attention and solution. I saw other people also requesting this from past few years but still it is not developed. I just hope they will get it done some day.