lokdawg78

MFA when entering master password


It would be great if we could get multi-factor authentication when entering in the master password, especially since most users are syncing with an online file repository of some type.


+1. I read the FAQ, I still would feel more comfortable having a second factor to log in to Enpass. KeePass has a "keyfile", which is a file with a really long unique string as contents. You store that file in a different location than your database. This gives some peace of mind knowing that if some employee of these cloud-based services ever got access to your Enpass data file, by accident or on purpose, any local brute force master password attacks would be meaningless. Yes I do use a long and unique master password, still would be nice. Just my .02.


IMHO it currently already is two-factor. The first factor is access to the (encrypted!) file. So you usually need username/password to even access WebDAV (or whatever cloud storage you use). So an attacker first has to get past that. If he/she manages that, the file is still encrypted with your master password.

I handle it via NextCloud. My account there is protected with a second factor and for each individual Enpass installation I generate an application password to use (since I obviously cannot use a TOTP token for sync). I guess you cannot be much safer than that. And that is nothing that Enpass can change.


I use iCloud. I'm not concerned with anyone external outside of Apple accessing my files, as you are correct, that is already 2 factor. I have no idea, no clue, how Apple handles access to data internally, nor who is in charge, nor who could theoretically access files, nor if these people have ill intent. And I can never know this, nor can anyone outside of Apple, and outside of the cloud security people. Every company, especially one as large as Apple, is a microcosm of society, so you can bet there are now thieves employed there. I don't know, nor can I ever find out, if any single person can access my files there, especially from someone who would be very happy with getting a copy of an Enpass file, secretly. And although my password is long and unique, I really don't know how long a brute force attack could take. And as a person here said, keyloggers etc, and it being an Apple computer I use, and the extremely sensitive nature of this file, just puts enough doubt there for me to prefer that a single password could access hundreds outside of my control. Like I said, the author of KeePass thought it enough of a concern to put the "keyfile" feature in, which IMO would suffice. In fact I would use KeePass instead on my Mac if there were a decent Mac port. But I do like the Enpass interface better actually, just this one point gives me slight pause with using it. I still maintain it would offer that much more protection, and the "keyfile" like feature doesn't seem like it would be super difficult to implement from a software standpoint.


Well, the online password managers I know (1Password, LastPass, Bitwarden) don't support a higher level of security either. They use your master password (well, a derivation of it) together with an optional second factor (for example TOTP) to grant you access to the encrypted storage (that is basically the same as the WebDAV/iCloud password in your case) and then the encrypted data gets decrypted locally using your master password. So from that standpoint you should not be more insecure than with these solutions ... only difference being that you have complete control over storage (you are not forced to use iCloud :-)) and that Enpass works 100% offline as well. If you simply stop synchronizing with iCloud, your local file is still fine.

Anyway: Enpass 6 has keyfile support. If you enable that (for a vault), you then need that together with your master password. Is this maybe enough to cover your case(s)? Then give the Enpass 6 beta a shot. For me it works reliably enough already and afaik the final versions should not be that far out. (Plus: I like the multi vault support!)
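
The keyfile idea discussed in this thread, as an added example that is not part of any post and is not the actual key derivation of Enpass or KeePass: the vault key depends on both the master password and a random keyfile, so a copy of the synced vault plus a correct password guess still fails to unlock it. The function names, the PBKDF2 iteration count and the HMAC combining step are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this example


def generate_keyfile() -> bytes:
    """Create the keyfile content: 32 random bytes, stored apart from the vault."""
    return secrets.token_bytes(32)


def derive_vault_key(master_password: str, salt: bytes,
                     keyfile: Optional[bytes] = None) -> bytes:
    """Stretch the password, then mix in the keyfile if the vault uses one."""
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    if keyfile is None:
        return pw_key  # password-only vault
    # Assumed combining step: HMAC keyed with the keyfile digest.
    return hmac.new(hashlib.sha256(keyfile).digest(), pw_key,
                    hashlib.sha256).digest()


def make_verifier(vault_key: bytes) -> bytes:
    """Value stored with the vault so an unlock attempt can be checked."""
    return hmac.new(vault_key, b"vault-verifier", hashlib.sha256).digest()


def unlocks(verifier: bytes, password: str, salt: bytes,
            keyfile: Optional[bytes] = None) -> bool:
    """True only if the supplied factors reproduce the stored verifier."""
    candidate = derive_vault_key(password, salt, keyfile)
    return hmac.compare_digest(make_verifier(candidate), verifier)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real vault.
    salt = secrets.token_bytes(16)
    keyfile = generate_keyfile()
    password = "correct horse battery staple"
    verifier = make_verifier(derive_vault_key(password, salt, keyfile))

    print("password + keyfile:", unlocks(verifier, password, salt, keyfile))
    print("password only:     ", unlocks(verifier, password, salt))
    print("wrong keyfile:     ", unlocks(verifier, password, salt, generate_keyfile()))
```

The protection holds only while the keyfile is kept out of the synced folder that holds the vault; if both sit in the same cloud location, the second factor travels with the first.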
