Jump to content
Enpass Discussion Forum

UWP App w/ Windows Hello on Desktop (TPM 2.0)


benitocereno

Recommended Posts

Hi @benitocereno,

We use full time hello only when encryption keys are generated on Hardware TPM. We use standard Hello API provided by Microsoft. The API provides us something called attestation information to acquire cryptographic proof that the key is generated on the TPM. 

Please go to security settings in Enpass, than turn off and on again. If a warning is shown it means that generated keys are not TPM bound. Hence, we can't use these keys for security reasons and Windows full-time Hello unlocking feature won't be available on this device.

Link to comment
Share on other sites

Thank you Vinod!

In my case, it did not work when I toggled it. However, I had previously been using a PIN with windows before I activated the TPM. This made me think that maybe my current PIN/passport were not the hardware-generated key from the TPM, since I had not set a new PIN since I activated the TPM on my bios.

So, I removed my existing Windows PIN/Hello, created a new PIN, then toggled the setting in Enpass. Worked like a champ!

Appreciate your quick response and help. Now it's working perfectly.

 

Link to comment
Share on other sites

Anshu,

Thanks for your mail but ....

I first downloaded a trial of the program from Windows store (version 5.2) that did not work then looking around on Enpass site I saw they had a 5.3 version so I tried it maybe the problem would have been fixed ..... seems it is not !!!!!

Link to comment
Share on other sites

  • 3 weeks later...

Hi @Paradoxon101,

Thanks for writing in. Please refer this answer :

On 10/11/2016 at 4:57 PM, Vinod Kumar said:

We use full time hello only when encryption keys are generated on Hardware TPM. We use standard Hello API provided by Microsoft. The API provides us something called attestation information to acquire cryptographic proof that the key is generated on the TPM. 

Please go to security settings in Enpass, than turn off and on again. If a warning is shown it means that generated keys are not TPM bound. Hence, we can't use these keys for security reasons and Windows full-time Hello unlocking feature won't be available on this device.

 
 

Hope this helps!

Cheers!

Link to comment
Share on other sites

Excuse me, but your TPM test "only when encryption keys are generated on Hardware TPM" is useless!

This test can be bypassed very easily!

I simply use a Windows Hello USB Fingerprint Reader to setup Enpass. Now i can use my simple Windows Hello PIN to unlock Enpass without TPM!

 

Now you can remove your chicane ...

Link to comment
Share on other sites

  • 2 months later...

Lenovo Thinkpad T530 with builtin factory fingerprint reader. TPM module v1.2 is seen in device manager. TPM is activated in the Bios.

Windows Hello works perfectly in Win10 login etc

But ENPASS when tryin the On -> Off -> On always says "due to hardware restrictions.. etc" and only logins with Hello after entering the master password once manually.

Whats wrong?

I tried also to setup Hello again but still the same warning in ENPASS. ENPASS would be perfect if you could instruct how to get the fingerprint to work? Is there a test app / site or something that could give more information, whats missing or setup wrong? I'm also willing to help and test if you need someone with Thinkpad.

These Thinkpads are really common, does anyone use T420, T430, T520 or T530 with ENPASS, does it work for you?

Link to comment
Share on other sites

Found this http://windowsitpro.com/security/checking-status-trusted-platform-module-command-line

And tried, the results are:

C:\WINDOWS\system32>wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get IsEnabled_InitialValue
IsEnabled_InitialValue
TRUE

C:\WINDOWS\system32>wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get IsActivated_InitialValue
IsActivated_InitialValue
TRUE
 
TPM 1.2 is older than 2.0 but the 2.0 is required for NEW hardware from July 2016 onwards so surely TPM 1.2 should also work with older laptops?
Link to comment
Share on other sites

Hi @Airstar,

Yes, you're right that TPM 2.0 is required for new hardware but api support for TPM 1.2 has its own limitations, and the one which is restricting the Full time Hello support on Enpass is lack of TPM key attestation info when asked for using the Microsoft provided APIs.

TPM key attestation is a protocol that cryptographically proves that a key is TPM-bound. This type of attestation can be used to guarantee that a certain cryptographic operation occurred in the TPM of a particular computer. 

We use KeyCredentialManager.RequestCreateAsync() API to get authenticated encryption keys to protect the Master password. Now, we need to check where those keys are stored. It can be on a Hardware TPM or a simulated software TPM. To get this attestation information, we use GetAttestationAsync(), which is generated by the TPM chip.

Unfortunately, Above api attestation information is only available TPM 2.0 or higher. So, in case of TPM 1.2 (one in your laptop) or a simulated software one, there will be no attestation information. We have no means to distinguish between a TPM 1.2 or software TPM.

So limitation of API is the only reason that we support full-time Hello unlocking only on devices where keys guaranteed to be bound to hardware TPM.

You can read about the related information in section 3.1 and 3.4 on https://docs.microsoft.com/en-us/windows/uwp/security/microsoft-passport#311-attestation

Hope it helps!

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
×
×
  • Create New...