security Please add 2FA to enpass vaults

[Fadi]

As i have been using enpass for past several months i even got to know about enpass key file to enhance vault security but there are still few concerns which i am about to share.

1: for security new users do not know about enpass key and once a new user have created primary vault then it is almost not possible for them to move to another vault and keep primary vault without enpass key. There is no option to set or change default primary vault if i want to.

2: Even if you have created primary vault with enpass key it can be hacked very easily. Enpass Database + keyfile is located on same system once a hacker got into your pc using RAT which is very common scenario they can access your all files in drive and using key logger they can capture your password for enpass. So when a hacker have access to a pc having enpass keyfile does not make it secure. I am a security researcher and i know what i am talking about. Now a days malware have became so intelligent they can be asked to find specific file on that computer or even on that network and once they find name of extension matching file it can be uploaded to hacker's server. having 2FA on Authy or Google Authenticator or which ever you use is much more reliable way to add an extra layer of security to your enpass vault.

 

Why don't we put a 2FA by default for primary vault? Even if it is protected by key file on new device vault must ask for 2FA code? It can be implemented and user gets to choose if they want keyfile and 2FA both activated or only key file or only 2FA.

 

I have tested the scenario (2) explained above using my personal computers and i was able to access it very easily. It is my humble request to add this 2FA including keyfile to make enpass more secure and a single keyfile and a password is not enough to secure it. even if we keep keyfile on a USB drive our vault needs it and when we will connect our USB to that pc for vault unlocking it can be accessed by hackers like all other normal drives.

Also please add feature to change primary vault if someone creates a new vault with keyfile or how ever there must be an option to change primary vault. I hope i am not missing anything and was able to explain it clearly but if i am missing something please do let me know.

Edited May 26 by Fadi

[Abhishek Dewan]

Hi @Fadi

I certainly understand your point and would like to share that the Keyfile that Enpass generates contains a secret key that gets appended to the master password, and the combination of the two is used to encrypt the Enpass data. It is, of course, very important that you never lose the Keyfile and save it in a secure location. 

Security researchers advise that the Keyfile with a good amount of entropy ensures higher security to your data. Password entropy predicts how difficult it is to crack a given password through guessing or brute force cracking. Enpass generates high entropy random data for Keyfile using Cryptographically Secure Random Number Generator which make every brute-force attack infeasible.

Moreover, I have also duly noted your comments and have shared it with the dedicated development team so they may check the feasibility of your request and implement it for future Enpass versions. Thanks for your patience in the meantime.

#SI-2713

[Fadi]

@Abhishek DewanThank you for your concern but once a system is hacked and hacker got all files of enpass and he keylog that system there is no point in bruteforcing as he already have password and can unlock vault. Adding 2FA to secure it more will be a better way even if a hacker got keyfile, vault and password he still must need 2FA code to access that vault.

[stefman]

Hello @Abhishek Dewan,

exactly this feature for the same reasons as @Fadi I would also like to see in Enpass. It's no secret that a password is no longer considered secure these days. Also, the option of a key file is better than just a password, but as @Fadi notes, this is of no use if you have caught an encryption Trojan that encrypts all drives (including connected USB sticks). Therefore, a 2FA for Enpass itself would be a much better option. I would be very happy if this option can be implemented in a timely manner.

[Abhishek Dewan]

Hi @stefman

I can certainly understand the usefulness of the requested feature. I have shared your comments as feedback with the dedicated development team so they may consider this for future Enpass versions.

[Fadi]

Thank you @stefman and @Abhishek Dewan i hope this will be implemented very soon.

[Fadi]

Any updates about this?

[Abhishek Dewan]

Hi @Fadi

Our dedicated team is still looking into the feasibility of this feature. While I do understand the importance of the requested feature, I'm afraid I will not be able to share any ETA for the same.