Enpass Discussion Forum

How can I force Windows Hello sign in instead of Masterpassword?


Damasta


Hi all, I onboarded a non-technical friend to Enpass Windows and Android. She used Biometric sign-in for a while - until Enpass simply stopped offering to use Windows Hello and biometrics on Windows AND Android for no obvious reason.
(Why does that even happen?)

She always signs in to her device using biometrics, so she is authenticated and trusted. Also, her device is trusted. And Windows Hello is, by definition, MFA. So it should be significantly safer than the master password alone. How can we force Windows Hello unlock instead of Master-Password?

She can't remember the correct master password, so she's locked out of all of her accounts - unless she can use Windows Hello to get back in.

Thanks for any and all help!

Edited by Damasta

Hi @Damasta

For security purposes, Enpass may occasionally prompt you to enter your master password, or may do so in certain situations, such as after unsuccessful verification attempts via Face ID/biometrics/Windows Hello. Also, I'm afraid there is no way to recover a lost master password, as the master password is not saved anywhere. All your data is totally under your control, and we have no access to it. This is to ensure the best and optimum security for your confidential data.

However, if the Enpass application is installed on any of your other devices with Face ID/biometrics enabled and you can access Enpass through it, please let me know, and I will try to help you recover the data and reset the master password. Once done, Face ID/biometric/Windows Hello options can be enabled again from Enpass Settings -> Security.


Thanks for the disappointing answer. Please understand that we/I are frustrated that Enpass appears to make our life more difficult, not easier.

Here's why:

1. Enpass stopped accepting biometric sign in on ALL her devices - both Windows and Android. So we have no biometric recourse.

2. I understand the master password is gone, permanently. And no one on the planet can help us recover it. Which is why I didn't ask to recover the master password, I asked to restore biometric sign-in, which is already established on trusted devices and works fine for all other apps.

3. I am quite familiar with Windows Hello. AFAIK, it does not signal failed sign-in attempts to the requesting service, only successful ones. Enpass can't know whether sign-in failed or not. Especially not on devices with Hello Face Recognition, where there is always a fall-back to the device PIN, making Hello sign-in 100% successful every time.

4. Why does Enpass take it upon itself to determine whether a third-party (!) biometric security solution can be trusted? That should not be Enpass' concern - ever.

5. Windows Hello is, by definition, SAFER than the Enpass Master Password. Device-based biometrics (on Android also) are, by definition, multi-factor, whereas the Master Password is single-factor. So by turning biometric MFA off without user consent, you weaken security. Also without user consent.
Claiming that you are improving security by periodically requiring the master password and defaulting to single-factor auth seems counter-intuitive.

Given this design flaw, I (as a paying user) request one of two things:

a.) Provide an unsupported private build (!) for me/us that has Windows Hello force-enabled. We will use this to regain access and set a new master password. After that, we re-install a supported public build from the Store/Play.

b.) Change Enpass to NEVER disable biometric MFA without user consent. At the very least, provide a user-configurable option which, by default, is set to NEVER disable biometric MFA, regardless of the circumstances. Make sure that when this update rolls out, it will automatically re-enable biometric sign-in wherever it was turned off.
Alternatively, move the vault-unlock sign-in into the app, so that we can start the app and access the settings without unlocking the vault. Require vault sign-in when the user wants to access their vault, not before the app starts.

Edited by Damasta

Remove PIN on Windows 10
Open Settings on Windows 10.
Click on Accounts.
Click on Sign-in options.
Turn off the “Require Windows Hello sign-in for Microsoft accounts” toggle switch.
Under the “Manage how you sign in to your device” section, select the “Windows Hello PIN” option.
Click the Remove button to remove the PIN on Windows 10.
Click the Remove button again.
Confirm the current password.
Click the OK button.


Regards,
James


Hi @Damasta

I can certainly understand your disappointment in this matter.

Due to the nature of Enpass being an offline password manager, it is important to create a strong but memorable password that you do not store anywhere that it could be discovered. Enpass cannot recover lost or forgotten Master Passwords. All your data is under your exclusive control. If your Master Password is lost, Enpass should be reset so you can start over as a new user.

Although we provide our users with the advantage of accessing the app through various means like PIN/Face ID/biometrics, we strongly recommend remembering your master password and keeping it safe. Having said that, I have duly noted your comments for future consideration.


7 hours ago, Jameswalter said:

Remove PIN on Windows 10
Open Settings on Windows 10.
Click on Accounts.
Click on Sign-in options.
Turn off the “Require Windows Hello sign-in for Microsoft accounts” toggle switch.
Under the “Manage how you sign in to your device” section, select the “Windows Hello PIN” option.
Click the Remove button to remove the PIN on Windows 10.
Click the Remove button again.
Confirm the current password.
Click the OK button.


Regards,
James

Hi James, thanks for your suggestion.

However, I don't see how turning Windows Hello off will let us regain access to the app. We do not remember the master password, since, for a long time, it was not necessary. And users, being human, tend to forget things they don't use for a long time.

My request was to force Windows Hello ON in Enpass, so we can authenticate using the established, trusted MFA of Windows Hello - not the unsafe, single-factor sign-in of Master Password.


3 hours ago, Abhishek Dewan said:

Hi @Damasta

I can certainly understand your disappointment in this matter.

Due to the nature of Enpass being an offline password manager, it is important to create a strong but memorable password that you do not store anywhere that it could be discovered. Enpass cannot recover lost or forgotten Master Passwords. All your data is under your exclusive control. If your Master Password is lost, Enpass should be reset so you can start over as a new user.

Although we provide our users with the advantage of accessing the app through various means like PIN/Face ID/biometrics, we strongly recommend remembering your master password and keeping it safe. Having said that, I have duly noted your comments for future consideration.

Abhishek, thanks again.

"Offline" is ... an interesting point of view. After all, Enpass supports various cloud and network storage locations for vaults.

Also, if my data is under my exclusive control, then do not meddle in the authentication mechanisms I choose for my data. Turning off biometrics without warning, user consent or any recourse is highly disruptive to say the least, and ultra-destructive in the worst case.
Do you realize this is like my bank removing access to my money and other valuable property without my consent?

The moment I switched my authentication of choice to the OS' biometric MFA framework (based on your advertised functionality), the master password became obsolete. With Enpass unilaterally reverting that choice, you have blocked access to valuable (potentially vital!) data. Selecting the authentication method for my data should not be Enpass' choice; it should be mine.

No place in your documentation, guides, FAQ or even this forum seems to indicate that Windows Hello simply turns off every so often. Your claim above, "For security purposes, Enpass may occasionally prompt you to enter your master password or in certain situations, like after unsuccessful verification attempts via Face ID/biometrics/Windows Hello.", is undocumented. Hence, you took a supported feature away.

But regardless, that is beside the point. I am NOT asking to recover the master password.

I AM asking to force-enable Windows Hello again which worked fine - until Enpass turned it off for no reason and without my consent.

Enpass claims to support Windows Hello - please do so at this time and restore Enpass' advertised (and my paid-for) ability to use Windows Hello.

Please don't force me to post this circumstance to Google Play and MS Store reviews. But I will, as Enpass currently seems to be a positive danger to use. I will also switch my own keystore to something I can rely on 100% and stop recommending Enpass to clients, friends and family.


4 weeks later...
On 2/27/2023 at 9:02 AM, Jameswalter said:

To turn on Windows Hello
Go to Start > Settings > Accounts > Sign-in options.
Select the Windows Hello method that you want to set up.
Select Set up.

Thanks James.

No offence, but I've been using Windows Hello since Windows 10 launched back in 2015. I know how to turn it on and use it.

But obviously, Enpass does NOT. While all other apps and services happily use Windows Hello on all my devices, Enpass appears to be the only one that arbitrarily decides to stop using it - locking unsuspecting, non-technical users out of their most important assets: their digital access methods.

And judging by Abhishek's responses, it seems to be "by design". That is, apologies for the ranting and venting, stupid. Every security expert will tell you these days that invalidating access periodically (reasons are irrelevant) and forcing users to renew or re-configure their access is a security RISK, because it encourages users to (re-)use simple, easy-to-remember passwords instead of complex passwords that they can set and forget. Or better yet, not use passwords at all anymore.

From a professional as well as a noob standpoint, this user experience is wrong and rotten. I am evaluating other products for friends and family and myself of course as we speak.
