Enpass Discussion Forum

Implement FIDO2 / SQRL 2FA to Login


chribonn

Recommended Posts

Hi,

Can you consider adding support for 2FA functionality to log into Enpass? Today there are protocols (I mentioned 2 in the subject line) that can be used.

This would allow first login into Enpass without having to provide the 1st password.

Regards,


Guest Vikram Dabas

Hi @chribonn

Thanks for the suggestion. Actually, Enpass is an offline password manager and doesn’t keep any of your information on any cloud/server. Two-factor authentication is generally used in online services, where the requested data is transmitted after validating the user through a second factor (generally an OTP on phone or email) and works as an extra protection, which is not at all required in the case of offline services, as your data is with you only.

Also, being offline is not a limitation of Enpass but gives you peace of mind that your data is with you only. But to add extra randomness to your Master Password, you can use a KeyFile in Enpass. A KeyFile gets appended to your Master Password before the actual encryption or decryption of your data happens. So, even if someone somehow gets access to your data and your Master Password is also compromised (a worst-case scenario), your data is still safe, as the KeyFile is required to decrypt or access your data.

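The KeyFile mechanism described in the answer above, as an added illustration (constructed for this thread, not Enpass's own code or its real key-derivation scheme): the key file's bytes are appended to the master password before a PBKDF2 key derivation, so the vault key cannot be reproduced from the password alone. The iteration count, the key-check value and the function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed illustration, not Enpass's real key-derivation scheme. It shows
# the idea from the answer above: the key file's bytes are appended to the
# master password before the vault key is derived, so anyone missing either
# part (password or key file) derives a different key and cannot open the vault.

PBKDF2_ITERATIONS = 200_000   # assumed work factor
KEY_LEN = 32                  # 256-bit vault key


def new_keyfile(nbytes=32):
    """Generate key-file contents from the OS CSPRNG (random bytes, not a typed phrase)."""
    return secrets.token_bytes(nbytes)


def derive_vault_key(master_password, keyfile_bytes, salt):
    """Derive the vault key from master password || key file with PBKDF2-HMAC-SHA256.

    A real design should length-prefix or hash the two parts separately so that
    'abc' + b'def' and 'abcd' + b'ef' cannot collapse to the same secret; plain
    concatenation is used here only to mirror the description in the thread.
    """
    secret = master_password.encode("utf-8") + (keyfile_bytes or b"")
    return hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ITERATIONS, dklen=KEY_LEN)


def key_check_value(vault_key):
    """Value stored beside the vault so a wrong key is rejected before any decryption."""
    return hmac.new(vault_key, b"vault-key-check", "sha256").digest()


def unlock(master_password, keyfile_bytes, salt, stored_check):
    """Return the vault key if password + key file reproduce the stored check, else None."""
    key = derive_vault_key(master_password, keyfile_bytes, salt)
    if hmac.compare_digest(key_check_value(key), stored_check):
        return key
    return None


if __name__ == "__main__":
    salt = secrets.token_bytes(16)            # per-vault random salt
    keyfile = new_keyfile()
    check = key_check_value(derive_vault_key("correct horse", keyfile, salt))
    print("password + key file:", unlock("correct horse", keyfile, salt, check) is not None)
    print("password only:      ", unlock("correct horse", None, salt, check) is not None)
```

The key file only helps if it is stored somewhere the attacker who obtains the vault does not also reach (for example, removable media kept separately), which is the same point the last reply in this thread makes about any locally stored second factor.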

Hello @Vikram,

I would like to experiment with the KeyFile functionality. Do you have documentation I can follow to try this out?

With respect to SQRL, this is a free, open-source method of user authentication. I've attached a snapshot from the documentation.

Thanks

PS: Please note that I am not associated with this project in any way.

SQRL.PNG

Edited by chribonn

On 7/12/2019 at 6:08 AM, Vikram Dabas said:

Hi @chribonn

Thanks for the suggestion. Actually, Enpass is an offline password manager and doesn’t keep any of your information on any cloud/server. Two-factor authentication is generally used in online services, where the requested data is transmitted after validating the user through a second factor (generally an OTP on phone or email) and works as an extra protection, which is not at all required in the case of offline services, as your data is with you only.

Also, being offline is not a limitation of Enpass but gives you peace of mind that your data is with you only. But to add extra randomness to your Master Password, you can use a KeyFile in Enpass. A KeyFile gets appended to your Master Password before the actual encryption or decryption of your data happens. So, even if someone somehow gets access to your data and your Master Password is also compromised (a worst-case scenario), your data is still safe, as the KeyFile is required to decrypt or access your data.

2FA like FIDO2 can protect against a keylogger virus/attack, and I think you have to consider it.


On 10/22/2019 at 4:03 PM, seventhose said:

2FA like FIDO2 can protect against a keylogger virus/attack, and I think you have to consider it.

No, it can't. 2FA relies on the server side being in control and unmodifiable. Since Enpass works offline, all the necessary data and checks are on your machine. So an attacker can manipulate everything to his liking (system clock, etc.). Whatever second factor you choose, its secrets would have to be stored on your machine (as part of your vault) and would be protected with your password. Once this has been logged and the attacker has access to your files (which in your scenario he has), he can unlock the secrets and simply calculate the second factor. You gain no real security; you simply cost your attacker 5 more minutes of his time.
