Enpass Discussion Forum

Please add 2FA to enpass vaults


Fadi


As I have been using Enpass for the past several months, I even got to know about the Enpass key file to enhance vault security, but there are still a few concerns which I am about to share.

1: For security, new users do not know about the Enpass key, and once a new user has created a primary vault, it is almost not possible for them to move to another vault and keep the primary vault without an Enpass key. There is no option to set or change the default primary vault if I want to.

2: Even if you have created the primary vault with an Enpass key, it can be hacked very easily. The Enpass database and keyfile are located on the same system; once a hacker has got into your PC using a RAT, which is a very common scenario, they can access all your files on the drive, and using a keylogger they can capture your password for Enpass. So when a hacker has access to a PC, having the Enpass keyfile does not make it secure. I am a security researcher and I know what I am talking about. Nowadays malware has become so intelligent that it can be asked to find a specific file on that computer or even on that network, and once it finds a file whose name or extension matches, it can be uploaded to the hacker's server. Having 2FA on Authy or Google Authenticator or whichever you use is a much more reliable way to add an extra layer of security to your Enpass vault.

Why don't we put 2FA on by default for the primary vault? Even if it is protected by a key file, on a new device the vault must ask for a 2FA code. It can be implemented, and the user gets to choose if they want keyfile and 2FA both activated, or only the key file, or only 2FA.

I have tested scenario (2) explained above using my personal computers, and I was able to access it very easily. It is my humble request to add this 2FA alongside the keyfile to make Enpass more secure; a single keyfile and a password are not enough to secure it. Even if we keep the keyfile on a USB drive, our vault needs it, and when we connect our USB to that PC for vault unlocking, it can be accessed by hackers like all other normal drives.

Also, please add a feature to change the primary vault if someone creates a new vault with a keyfile; however it is done, there must be an option to change the primary vault. I hope I am not missing anything and was able to explain it clearly, but if I am missing something, please do let me know.

Edited by Fadi
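The second factor the post asks for (Authy, Google Authenticator) is time-based one-time passwords per RFC 6238. The block below is an added example, not code from Enpass or from any poster in this thread: a standard-library Python implementation of HOTP/TOTP generation and of the verification an app would run at unlock time, tolerating one 30-second step of clock drift on either side, comparing in constant time, and refusing to accept a counter that has already been used. The base32 secret in the `__main__` section is constructed for the demo; the test vectors come from RFC 6238 Appendix B.

```python
"""RFC 6238 TOTP, the scheme behind Authy / Google Authenticator (added example)."""
import base64
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                        # low nibble of the last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(unix_time) // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, unix_time: float, last_accepted: int = -1,
                window: int = 1, step: int = 30, digits: int = 6,
                algorithm: str = "sha1") -> Optional[int]:
    """Return the counter that produced `code`, or None if it is not valid.

    Accepts the current step and `window` steps either side to absorb clock drift.
    The caller stores the returned counter and passes it back as `last_accepted`
    so the same code (or an older one) is never accepted twice.
    """
    counter = int(unix_time) // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_accepted:             # replay of an already-used step
            continue
        expected = hotp(secret, candidate, digits, algorithm)
        if hmac.compare_digest(expected, code):    # constant-time comparison
            return candidate
    return None


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps exchange the shared secret as base32 (QR code or manual entry)."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)           # restore padding that apps usually strip
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    # Constructed demo secret; a real one is generated at enrolment and shown once as a QR code.
    demo_secret = secret_from_base32("JBSWY3DPEHPK3PXP")
    now = time.time()
    code = totp(demo_secret, now)
    print("current code:", code, "-> accepted counter:", verify_totp(demo_secret, code, now))
```

One property worth keeping in mind when weighing this request against the keyfile: a TOTP check of this kind gates the application's unlock flow, but contributes no secret material to the encryption key. A copy of the database file, the keyfile and the master password still decrypts the data outside the app, so a second factor strengthens a locally encrypted vault only if its secret is folded into the key derivation (for example a secret that never leaves a hardware token).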

Hi @Fadi

I certainly understand your point and would like to share that the Keyfile that Enpass generates contains a secret key that gets appended to the master password, and the combination of the two is used to encrypt the Enpass data. It is, of course, very important that you never lose the Keyfile and save it in a secure location. 

Security researchers advise that a Keyfile with a good amount of entropy ensures higher security for your data. Password entropy predicts how difficult it is to crack a given password through guessing or brute-force cracking. Enpass generates high-entropy random data for the Keyfile using a Cryptographically Secure Random Number Generator, which makes every brute-force attack infeasible.

Moreover, I have also duly noted your comments and have shared them with the dedicated development team so they may check the feasibility of your request and implement it in future Enpass versions. Thanks for your patience in the meantime.

#SI-2713


@Abhishek Dewan Thank you for your concern, but once a system is hacked and the hacker has got all the Enpass files and keylogged that system, there is no point in brute-forcing, as he already has the password and can unlock the vault. Adding 2FA to secure it more would be a better way: even if a hacker got the keyfile, vault and password, he would still need the 2FA code to access that vault.


Hello @Abhishek Dewan,

I would also like to see exactly this feature in Enpass, for the same reasons as @Fadi. It's no secret that a password alone is no longer considered secure these days. The option of a key file is better than just a password, but as @Fadi notes, this is of no use if you have caught an encryption Trojan that encrypts all drives (including connected USB sticks). Therefore, 2FA for Enpass itself would be a much better option. I would be very happy if this option could be implemented in a timely manner.


  • 3 weeks later...

Hi,

I agree with this post entirely. I think 2FA should be implemented as soon as possible, as it is the biggest security issue with Enpass and the only reason why I haven't fully converted to Enpass from my current provider.

I find it a bit strange that a vault for the most important information we own (passwords) wouldn't offer this as standard, and that Enpass can offer one-time passcodes for lots of sites but this can't be in its own app?

Even for now, if you could implement 2FA via a phone text until a real authenticator such as Authy or similar can be used in the future.


  • 1 month later...

Well, for the past 2 years I have been using Enpass and it worked as expected, but somehow it was lacking in security of data, as I described a few months ago in this thread below.

I have been waiting for the Enpass team to get it done, but it seems there is no chance of getting 2FA any time soon, and I have ended up deciding to stop using Enpass until it gets this feature, as there is no point in using something that doesn't do what it is supposed to do at its best; this issue regarding stealing data and passwords from Enpass using malware is scaring me. Thank you, Enpass team, for listening to my requests. Even though I am a lifetime subscriber, I am going to stop using it. Sad to leave Enpass and move to another, much more secure option, as I am a security freak and my 20 years of online experience doesn't allow me to use something as insecure as Enpass. Have a great future; I will see if Enpass gets much more secure, then maybe some day I will move back to it, but until then, BYE BYE.


Hi @Fadi

Enpass team apologizes for this issue. We always strive to improve our app, based on regular customer feedback, so that it meets every user's needs. 


As mentioned previously, Enpass' data is fully encrypted with 256-bit AES encryption and 100,000 rounds of PBKDF2-HMAC-SHA512, using SQLCipher, an open-source, peer-reviewed encryption engine. Additionally, we offer our users the option of adding a Keyfile as an additional layer of security.


In response to your feedback, I've already informed Enpass' development team about adding Multi-Factor Authentication to Enpass Vaults. Unfortunately, I'm not yet able to provide a specific timeframe for this particular feature request, since a variety of factors influence the removal, implementation, or improvement of an app feature (feasibility, demand, or other factors).


Your patience and loyalty in being with us are always appreciated. For more information, please do reply to us at support@enpass.io, we are just an email away!

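The two support replies in this thread describe the unlock construction: a keyfile holding CSPRNG-generated secret data that is appended to the master password, with the combination fed through 100,000 rounds of PBKDF2-HMAC-SHA512 to produce a 256-bit AES key. The block below is an added example in Python, not Enpass' or SQLCipher's code, that shows that construction end to end: keyfile generation, key derivation, and a check value a client can use to tell a correct password-plus-keyfile from a wrong one without decrypting the payload. Assumptions: the keyfile secret is 32 raw bytes appended directly after the UTF-8 password (the page says "appended" but not the exact byte layout), the salt is constructed, and the HMAC check header is a stand-in for SQLCipher's own page-level MAC.

```python
"""Master password + keyfile -> PBKDF2-HMAC-SHA512 vault key (added example)."""
import hashlib
import hmac
import secrets
from typing import Optional

PBKDF2_ROUNDS = 100_000      # iteration count quoted in the thread
KEY_BYTES = 32               # 256-bit AES key
KEYFILE_BYTES = 32           # assumed size of the random secret stored in a keyfile


def generate_keyfile_secret() -> bytes:
    """Keyfile material from the OS CSPRNG: 32 bytes, i.e. 256 bits of entropy."""
    return secrets.token_bytes(KEYFILE_BYTES)


def derive_vault_key(master_password: str, salt: bytes,
                     keyfile_secret: Optional[bytes] = None) -> bytes:
    """Append the keyfile secret to the password, then PBKDF2-HMAC-SHA512.

    Assumption: raw keyfile bytes are concatenated after the UTF-8 password;
    the exact layout used by Enpass is not stated on the page.
    """
    material = master_password.encode("utf-8") + (keyfile_secret or b"")
    return hashlib.pbkdf2_hmac("sha512", material, salt, PBKDF2_ROUNDS, dklen=KEY_BYTES)


def make_vault_header(key: bytes, salt: bytes) -> dict:
    """Toy header: the KDF salt plus an HMAC check value bound to it.

    Stand-in for the per-page MAC SQLCipher keeps; lets an unlock attempt be
    verified without touching the (here absent) AES-encrypted payload.
    """
    check = hmac.new(key, b"vault-check" + salt, "sha256").digest()
    return {"salt": salt, "check": check}


def try_unlock(header: dict, master_password: str,
               keyfile_secret: Optional[bytes]) -> Optional[bytes]:
    """Return the vault key if password + keyfile reproduce the check value, else None."""
    key = derive_vault_key(master_password, header["salt"], keyfile_secret)
    expected = hmac.new(key, b"vault-check" + header["salt"], "sha256").digest()
    return key if hmac.compare_digest(expected, header["check"]) else None


if __name__ == "__main__":
    salt = secrets.token_bytes(16)               # constructed; stored in the clear with the vault
    keyfile = generate_keyfile_secret()           # would be written to the user's keyfile
    header = make_vault_header(derive_vault_key("correct horse", salt, keyfile), salt)
    print("password + keyfile :", try_unlock(header, "correct horse", keyfile) is not None)
    print("password only      :", try_unlock(header, "correct horse", None) is not None)
    print("wrong password     :", try_unlock(header, "wrong", keyfile) is not None)
```

Two things the code makes concrete. Offline guessing has to run the full 100,000-round derivation per candidate, and a 32-byte CSPRNG keyfile adds 256 bits to what must be guessed, which is the support reply's point about entropy. Equally, the keyfile is plain input to the KDF: whoever holds the keyfile bytes and the password reproduces the key exactly, which is the copied-files-plus-keylogger scenario the thread is worried about, and no amount of keyfile entropy changes that.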

Well, that's a shame. I think the fact that this thread is two years old and still not implemented is a pretty obvious sign that Enpass isn't prioritizing this and the reason I've stopped using it.

I understand that things like this take time, but two years for 2FA on a password manager (the one thing you want to be secure) is far too long. Nearly all of your competitors offer this as standard. This is too long, in my opinion. 


  • 2 weeks later...

Hi @Abhishek Dewan,

I can understand @Fadi and also understand the decision. I must also honestly say that because of this missing feature, I can no longer guarantee to stay with Enpass forever. You know that a password (what you know) alone is no longer considered secure nowadays. Yes, Enpass uses the key file as a second factor (which it must have) but that is honestly too easy to compromise. If you follow your update cycle, version 6.9.0 should be coming soon and version 7.0.0 sometime in May / June 2023. Maybe your developers will manage to implement 2FA for Enpass themselves by then. That would be a great feature for version 7.0.0, right?

