benitocereno

UWP App w/ Windows Hello on Desktop (TPM 2.0)


Hello,

Any plans to support desktops with TPM 2.0 for full time Windows Hello?

Unlocking after initial master password works fine, but I thought with TPM I would get full time support. Thanks for your help!

-Benitocereno

Hi @benitocereno,

We use full-time Hello only when the encryption keys are generated on a hardware TPM. We use the standard Hello API provided by Microsoft. The API provides us something called attestation information to acquire cryptographic proof that the key is generated on the TPM.

Please go to the security settings in Enpass, then turn Hello off and on again. If a warning is shown, it means that the generated keys are not TPM-bound. Hence, we can't use these keys for security reasons, and the Windows full-time Hello unlocking feature won't be available on this device.

Thank you Vinod!

In my case, it did not work when I toggled it. However, I had previously been using a PIN with Windows before I activated the TPM. This made me think that maybe my current PIN/Passport were not the hardware-generated key from the TPM, since I had not set a new PIN since I activated the TPM in my BIOS.

So, I removed my existing Windows PIN/Hello, created a new PIN, then toggled the setting in Enpass. Worked like a champ!

Appreciate your quick response and help. Now it's working perfectly.

 

Thanks Vinod

But what do you mean by turning the security settings in Enpass off and on? There is no on/off setting in my version.

Hi @Andre,

I would like to let you know that Hello support is only available for the app downloaded from the Windows Store. So please download Enpass from the Windows Store and try again.

Cheers! 

Anshu,

Thanks for your mail, but...

I first downloaded a trial of the program from the Windows Store (version 5.2); that did not work. Then, looking around on the Enpass site, I saw they had a 5.3 version, so I tried it, thinking maybe the problem would have been fixed... seems it is not!

Hello, your app is really great!

Unfortunately, your TPM 2.0 does not work!

I have now bought a TPM 2.0 module, and it also works under Windows 10, but unfortunately not in the app.

What can I do to make the app work with Windows Hello?

Hi @Paradoxon101,

Thanks for writing in. Please refer to this answer:

On 10/11/2016 at 4:57 PM, Vinod Kumar said:

We use full-time Hello only when the encryption keys are generated on a hardware TPM. We use the standard Hello API provided by Microsoft. The API provides us something called attestation information to acquire cryptographic proof that the key is generated on the TPM.

Please go to the security settings in Enpass, then turn Hello off and on again. If a warning is shown, it means that the generated keys are not TPM-bound. Hence, we can't use these keys for security reasons, and the Windows full-time Hello unlocking feature won't be available on this device.


Hope this helps!

Cheers!

Excuse me, but your TPM test "only when encryption keys are generated on Hardware TPM" is useless!

This test can be bypassed very easily!

I simply use a Windows Hello USB fingerprint reader to set up Enpass. Now I can use my simple Windows Hello PIN to unlock Enpass without a TPM!

 

Now you can remove your chicane ...

@Paradoxon101 Really? You mean to say you are able to use full-time Hello with Enpass (that doesn't ask you for the master password when you start the Enpass app afresh) with a USB fingerprint reader? Also, let me know which USB fingerprint reader you are using.

Lenovo ThinkPad T530 with built-in factory fingerprint reader. TPM module v1.2 is seen in Device Manager. TPM is activated in the BIOS.

Windows Hello works perfectly for the Win10 login etc.

But Enpass, when trying the On -> Off -> On, always says "due to hardware restrictions... etc." and only logs in with Hello after entering the master password once manually.

What's wrong?

I also tried to set up Hello again, but still the same warning in Enpass. Enpass would be perfect if you could explain how to get the fingerprint to work. Is there a test app/site or something that could give more information on what's missing or set up wrong? I'm also willing to help and test if you need someone with a ThinkPad.

These Thinkpads are really common, does anyone use T420, T430, T520 or T530 with ENPASS, does it work for you?

Found this http://windowsitpro.com/security/checking-status-trusted-platform-module-command-line

And tried, the results are:

C:\WINDOWS\system32>wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get IsEnabled_InitialValue
IsEnabled_InitialValue
TRUE

C:\WINDOWS\system32>wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get IsActivated_InitialValue
IsActivated_InitialValue
TRUE
 
TPM 1.2 is older than 2.0, but 2.0 is only required for NEW hardware from July 2016 onwards, so surely TPM 1.2 should also work with older laptops?

Hi @Airstar,

Yes, you're right that TPM 2.0 is required for new hardware, but API support for TPM 1.2 has its own limitations, and the one restricting full-time Hello support in Enpass is the lack of TPM key attestation info when requested through the Microsoft-provided APIs.

TPM key attestation is a protocol that cryptographically proves that a key is TPM-bound. This type of attestation can be used to guarantee that a certain cryptographic operation occurred in the TPM of a particular computer.

We use the KeyCredentialManager.RequestCreateAsync() API to get authenticated encryption keys to protect the master password. Now, we need to check where those keys are stored. It can be a hardware TPM or a simulated software TPM. To get this attestation information, we use GetAttestationAsync(); the attestation is generated by the TPM chip.

Unfortunately, the attestation information from the above API is only available on TPM 2.0 or higher. So, in the case of TPM 1.2 (the one in your laptop) or a simulated software TPM, there will be no attestation information. We have no means to distinguish between a TPM 1.2 and a software TPM.

So this limitation of the API is the only reason that we support full-time Hello unlocking only on devices where the keys are guaranteed to be bound to a hardware TPM.

You can read the related information in sections 3.1 and 3.4 on https://docs.microsoft.com/en-us/windows/uwp/security/microsoft-passport#311-attestation

Hope it helps!

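An added illustration, not Enpass's own code, of the RequestCreateAsync()/GetAttestationAsync() gate Anshu describes, written against the Windows.Security.Credentials UWP API; the credential name "EnpassHelloKey" is an assumed placeholder, and the verification of the returned attestation blob itself is left to a server or later step:

```csharp
using System;
using System.Threading.Tasks;
using Windows.Security.Credentials;

// Constructed example of the attestation gate described in the thread.
public static class HelloKeyGate
{
    // Assumed credential name; not the name Enpass actually uses.
    private const string CredentialName = "EnpassHelloKey";

    // Returns true only if a Hello key exists and the TPM produced
    // attestation for it (which, per the thread, needs TPM 2.0).
    public static async Task<bool> IsFullTimeHelloAllowedAsync()
    {
        // Hello must be configured (PIN or biometric) for any of this to work.
        if (!await KeyCredentialManager.IsSupportedAsync())
            return false;

        // Create (or replace) the app's key pair. Windows keeps it in the
        // TPM when one is usable, otherwise in a software key store.
        KeyCredentialRetrievalResult created =
            await KeyCredentialManager.RequestCreateAsync(
                CredentialName, KeyCredentialCreationOption.ReplaceExisting);
        if (created.Status != KeyCredentialStatus.Success)
            return false;

        // Ask for a signed statement that the key lives inside the TPM.
        KeyCredentialAttestationResult attestation =
            await created.Credential.GetAttestationAsync();

        switch (attestation.Status)
        {
            case KeyCredentialAttestationStatus.Success:
                // AttestationBuffer and CertificateChainBuffer can be sent
                // to a verifier; here the presence of a blob is the gate.
                return attestation.AttestationBuffer != null
                    && attestation.AttestationBuffer.Length > 0;
            case KeyCredentialAttestationStatus.TemporaryFailure:
                // Attestation may succeed on a later attempt; do not enable yet.
                return false;
            case KeyCredentialAttestationStatus.NotSupported:
            default:
                // TPM 1.2 and software TPMs both land here and cannot be
                // told apart, so treat the key as not hardware-bound.
                return false;
        }
    }
}
```

A caller that gets false should keep the master password prompt and show the "not TPM-bound" warning the thread mentions rather than falling back to the software key.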