Implement FIDO2 / SQRL 2FA to Login

[chribonn]

Hi,

Can you consider adding support for 2FA functionality to log into Enpass.  Today they are protocols (I mentioned 2 in the subject line) that can be used.

This would allow first login into enpass without having to provide the 1st password.

Regards,

 

[Guest Vikram Dabas]

Hi @chribonn

Thanks for the suggestion. Actually, Enpass is an offline password manager and doesn’t keep any of your information on any cloud/server. Two factor authentication is generally used in online services where the requested data is transmitted after validating the user through a second factor (generally an OTP on phone or email) and works as an extra protection, which is not at all required in case of offline services as your data is with you only.

Also, being offline is not a limitation of Enpass but gives you a peace of mind that your data is with you only. But to add extra randomness to your Master Password, you can use a KeyFile in Enpass. A KeyFile gets appended to your Master Password before the actual encryption or decryption of your data happens. So, even if someone, somehow gets access to your data and your Master password is also compromised (a worst case scenario), your data is still safe as the KeyFile is required to decrypt or access your data.

[chribonn]

Hello @Vikram,

I would like to experiment with the KeyFile functionality.  Do you have documentation I can follow to try this out?

With respect to SQRL this is an free open source method of user authentication.  I've attached a snapshot from the documentation.

Thanks

PS: Please note that I am not associated with this project in any way.

Edited July 12, 2019 by chribonn

[seventhose]

On 7/12/2019 at 6:08 AM, Vikram Dabas said:

Hi @chribonn

Thanks for the suggestion. Actually, Enpass is an offline password manager and doesn’t keep any of your information on any cloud/server. Two factor authentication is generally used in online services where the requested data is transmitted after validating the user through a second factor (generally an OTP on phone or email) and works as an extra protection, which is not at all required in case of offline services as your data is with you only.

Also, being offline is not a limitation of Enpass but gives you a peace of mind that your data is with you only. But to add extra randomness to your Master Password, you can use a KeyFile in Enpass. A KeyFile gets appended to your Master Password before the actual encryption or decryption of your data happens. So, even if someone, somehow gets access to your data and your Master password is also compromised (a worst case scenario), your data is still safe as the KeyFile is required to decrypt or access your data.

2FA like fido2 can prevent from a keylogger virus/attack and I think you have to consider it.

[Hitman]

On 10/22/2019 at 4:03 PM, seventhose said:

2FA like fido2 can prevent from a keylogger virus/attack and I think you have to consider it.

No, it can't. 2FA relies on the server side being in control and unmodifyable. Since Enpass works offline, all the necessary data and checks are on your machine. So an attacker can manipulate everything to his liking (system clock, etc.). Whatever second factor you choose, its secrets would have to be stored on your machine (as part of your vault) and would be protected with your password. Once this has been logged and the attacker has access to your files (which in your scenario he has), he can unlock the secrets and simply calculate the second factor. You gain no real security; you simply cost your attacker 5 more minutes of his time.