My1 Posted August 17, 2020
On 8/12/2020 at 4:14 PM, Ankur Gupta said: "The request to add the second factor in authentication is something that is not required for Enpass because of its offline nature. Since the data is not saved on our servers, there is no requirement of the second factor for its release."
I wouldn't even say no requirement, but the most common 2FA used on the web (TOTP, SMS, U2F) would be pure snake oil, as they couldn't contribute to the encryption in any way.
Bachsau Posted August 19, 2020
2FA is not snake oil. Its purpose is to protect people in case of infected client computers. If keyloggers, viruses or packet sniffers steal your password, they can't just use it to log into your account.
My1 Posted August 21, 2020 (edited)
You need to read my message entirely, and in the context of Enpass being an offline-first password manager. For access to data online, 2FA is totally useful and awesome, but if you already have the data, like your Enpass vault on your computer, TOTP and the like cannot add to the encryption due to the dynamic nature of the codes. You would need something like a smartcard with encryption keys for proper 2FA on offline data. A code that depends on the time, like TOTP, or on several factors, like U2F, cannot be used to add encryption, since you can't get that same code/data later on to add it to decryption. Sorry for posting a link to my blog, but I explained this in depth over there: https://blog.my1.dev/steganos-privacy-suite-19-is-a-joke
TOTP and many other dynamic code formats can literally only be used to allow or deny access to something; however, when the data is already sitting there, just encrypted, there's nothing you can allow or deny, as you could just either hotwire the checks in RAM to skip that part or decrypt the wallet yourself outside the password manager.
Edited August 21, 2020 by My1
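The distinction My1 draws above, as an added example that is not from the original post and not Enpass code: a vault key can only include a second factor whose value is reproducible at every unlock. The block below implements RFC 6238 TOTP (checked against the RFC's own test vectors) and a simulated HMAC challenge-response hardware key (the class `SimulatedHmacToken` and the fixed challenge stored beside the vault are assumptions modelled on the challenge-response keys some offline password managers support), then mixes each into a PBKDF2-derived key. The password, salt, token secret and challenge are constructed sample values. Only the standard library is used.

```python
"""Why a TOTP code cannot be vault key material, but a static token secret can.

Added illustration (not Enpass code). SimulatedHmacToken is an assumed model
of an HMAC challenge-response hardware key; all sample values are constructed.
"""
import hashlib
import hmac
import struct


def totp(secret: bytes, at_unix_time: int, step: int = 30, digits: int = 8) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (the RFC test vectors use 8 digits)."""
    counter = at_unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % 10 ** digits:0{digits}d}"


class SimulatedHmacToken:
    """Stand-in for an HMAC challenge-response hardware key (assumed model).

    A real token keeps `secret` inside the device and only ever returns
    HMAC(secret, challenge); the host never sees the secret itself.
    """

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


def derive_vault_key(password: str, salt: bytes, second_factor: bytes) -> bytes:
    """Fold the password and the second factor into one 256-bit vault key.

    The password is stretched with PBKDF2, then the second factor is mixed in
    with HMAC. Both inputs must be reproducible at each unlock or the key changes;
    the key, not a pass/fail check after decryption, is what protects the file.
    """
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.new(stretched, second_factor, hashlib.sha256).digest()


def key_with_totp(password: str, salt: bytes, totp_secret: bytes, at_unix_time: int) -> bytes:
    """Using the TOTP code as key material: the key drifts with the clock."""
    return derive_vault_key(password, salt, totp(totp_secret, at_unix_time).encode())


def key_with_token(password: str, salt: bytes, token: SimulatedHmacToken, challenge: bytes) -> bytes:
    """A fixed challenge stored beside the vault yields the same response every time."""
    return derive_vault_key(password, salt, token.respond(challenge))


def compare_factors() -> dict:
    """Report which approach gives the same key at enrolment and at a later unlock."""
    password = "correct horse battery staple"        # constructed sample
    salt = b"constructed-16B!"                        # constructed sample
    totp_secret = b"12345678901234567890"             # RFC 6238 test secret
    enrol_time, unlock_time = 59, 1111111109          # RFC 6238 test times
    token = SimulatedHmacToken(b"constructed-token-secret")
    challenge = b"constructed-fixed-challenge"        # stored with the vault metadata

    totp_enrol = key_with_totp(password, salt, totp_secret, enrol_time)
    totp_unlock = key_with_totp(password, salt, totp_secret, unlock_time)
    token_enrol = key_with_token(password, salt, token, challenge)
    token_unlock = key_with_token(password, salt, token, challenge)
    return {
        "totp_key_stable": totp_enrol == totp_unlock,    # False: vault would be unreadable
        "token_key_stable": token_enrol == token_unlock, # True: usable as a real factor
    }


if __name__ == "__main__":
    print(totp(b"12345678901234567890", 59), totp(b"12345678901234567890", 1111111109))
    print(compare_factors())
```

The TOTP-derived key is different at the two RFC test times, so a vault encrypted under it at enrolment could not be opened later; the token-derived key is identical on both unlocks because the challenge is static and the secret never leaves the token. That is the property My1 means by "adding to the encryption".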
pianoman Posted October 5, 2020
In another thread I read that 2FA is on the road map. Is there any more concrete information available, like an upcoming release or so? Having 2FA available to log in more securely to Enpass - for me it's an absolutely essential feature for password managers in these times, no matter if they work online or offline. I would like to have something like a hardware token via NFC on my phone as an extra security option in addition to the master keyword. The optional key file itself - for me it's something like a device registration, because the key file is permanently 'integrated' into the mobile app. When you have 2FA and periodically executed security audits, then Enpass will be my password safe further on.
Merlin Posted November 19, 2020
Hi @Ankur Gupta, thank you for replying to this topic/thread... I would like some further explanations from you on the security details / model... Specifically, since it was not tested by ISE, is Enpass ALSO vulnerable on Windows and Mac in the areas discussed in this article: https://threatpost.com/1password-dashlane-keepass-and-lastpass/142037/
THANK YOU. Sincerely, Emmanuel.
Ankur Gupta Posted November 19, 2020
Hi @Merlin, there is already a forum post where we have explained this. Thanks.
el613 Posted March 23, 2021
The last Enpass audit was in 2018. Is there any plan to repeat this audit, as it is coming up to 3 years without one? Thanks
el613 Posted March 31, 2021
bump
Su30MKI Posted April 5, 2021
Yes, an audit with a good, well-recognized audit company! Not a corrupted one!
el613 Posted April 9, 2021
@Garima Singh
el613 Posted April 27, 2021
Please can I follow this question up? Thanks
Pratyush Sharma Posted April 28, 2021
Hi @el613, I understand your concern regarding the security audit and appreciate your keenness towards Enpass. We agree with you that a security audit plays an important role for a password manager application, and we have planned one for this year itself, down the line with the release of some exciting features.
mushroom_daddy Posted November 22, 2021
On 4/28/2021 at 12:58 PM, Pratyush Sharma said: "Hi @el613, I understand your concern regarding the security audit and appreciate your keenness towards Enpass. We agree with you that a security audit plays an important role for a password manager application, and we have planned one for this year itself, down the line with the release of some exciting features."
So now, in Nov 2021, would it be unreasonable to ask for a progress update on the security audit that will be completed 'this year'?
caspergsht42 Posted December 4, 2021
Bump ... the product cannot be considered secure without regular security audits - and done by external auditors.
toktok Posted December 12, 2021
bump
Craig Posted February 7, 2022
bump. The year is over & it is now 2022... I've been lurking around Enpass for years, hoping that you might realise that without a security audit happening at regular intervals, the product can't really be taken seriously and be recommended to others. You have a nice app and the functionality is good. This means that I want to be able to recommend it, but your consistently lax security protocols always leave me wondering "why?" What gives with no regular security audits (every year or two)? The codebase should be stable enough to ensure that any features don't create critical or major security issues.
Nathanael Posted February 8, 2022
The app definitely needs a code audit again. Especially because it is closed source.
euphonious Posted February 18, 2022
Agreed. While a security audit can be expensive, it's vital in gaining the trust of users. Unless the product is open source, an audit is all that reviewers and users can really go off of.
wtanzer Posted May 27, 2022
Any update on this?
Nathanael Posted June 3, 2022
This is a joke.
On 4/28/2021 at 1:58 PM, Pratyush Sharma said: "Hi @el613, I understand your concern regarding the security audit and appreciate your keenness towards Enpass. We agree with you that a security audit plays an important role for a password manager application, and we have planned one for this year itself, down the line with the release of some exciting features."
It's been more than 1 year. When is it planned?
Mohit Thapa Posted July 18, 2022
Hello all, I am excited to share that recently Enpass has been audited for security of the Windows App. The complete audit report is available here on our website. Soon we'll be starting the process for the rest of the platforms. Thanks for your patience.
Ivarson Posted July 18, 2022
4 hours ago, Mohit Thapa said: "Hello all, I am excited to share that recently Enpass has been audited for security of the Windows App. The complete audit report is available here on our website. Soon we'll be starting the process for the rest of the platforms. Thanks for your patience."
Excellent. Well done! Glad to see that few remarks. The HTTP service mentioned, I presume, is the WiFi sync part, which isn't utilized if one doesn't use WiFi sync nor start the service?
Vinod Kumar Posted July 18, 2022
23 minutes ago, Ivarson said: "The HTTP service mentioned, I presume, is the WiFi sync part, which isn't utilized if one doesn't use WiFi sync nor start the service?"
WiFi sync is a different service from this. The HTTP service mentioned is used by the mobile apps for manual vault "Backup and Restore over Wi-Fi". Because the Enpass Core part (C++) is shared across all platforms, the buffer overflow was found in the source code audit. Desktop apps do not use this service.
LM77 Posted July 24, 2022
On 7/18/2022 at 10:31 AM, Mohit Thapa said: "Hello all, I am excited to share that recently Enpass has been audited for security of the Windows App. The complete audit report is available here on our website. Soon we'll be starting the process for the rest of the platforms. Thanks for your patience."
While the audits are generally positive, various vulnerabilities were noted by the auditors; have these vulnerabilities been addressed and remediated? The audit reports make no mention of this happening...
Mohit Thapa Posted July 26, 2022
@LM77 Thank you for your question. I would like to draw your attention to the fact that for every entry under 'Identified Vulnerabilities' in the audit report, a note is provided by the team (such as what actions have been taken by Enpass developers to rectify it). E.g., if you look at the 'Enpass Windows App and Admin console for Business', Page-08: