Third-party audit deleted

Featured Replies

On 8/12/2020 at 4:14 PM, Ankur Gupta said:

The request to add the second factor in authentication is something that is not required for Enpass because of its offline nature. Since the data is not saved on our servers, there is no requirement of the second factor for its release.

I wouldn't even say no requirement, but the most common 2FA used on the web (TOTP, SMS, U2F) would be pure snake oil as they couldn't contribute to the encryption in any way.


2FA is not snakeoil. Its purpose is to protect people in case of infected client computers. If keyloggers, viruses or packet sniffers steal your password, they can't just use it to log into your account.

You need to read my message entirely, and in the context of Enpass being an offline-first password manager.

For access to data online, 2FA is totally useful and awesome, but if you already have the data, like your Enpass vault on your computer, TOTP and the like cannot add to the encryption due to the dynamic nature of the codes.

You would need something like a smartcard with encryption keys for proper 2FA on offline data.

A code that is dependent on the time, like TOTP, or dependent on several factors, like U2F, cannot be used to add encryption, since you can't get that same code/data later on to add it to decryption.

Sorry for posting a link to my blog, but I explained this in depth over there: https://blog.my1.dev/steganos-privacy-suite-19-is-a-joke

TOTP and many other dynamic code formats can literally only be used to allow or deny access to something; however, when the data is already sitting there, just encrypted, there's nothing you can allow or deny, as you could just either hotwire the checks in RAM to skip that part or decrypt the wallet yourself outside the password manager.

Edited by My1
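The point made in the post above can be shown concretely. The following is an added example, not code from the post's author or from Enpass: it mixes a second factor into a hypothetical vault key-derivation function and compares a time-based TOTP code against a deterministic challenge-response from a hardware token. All seeds, salts and challenges are constructed demo values; the TOTP seed is the RFC 6238 reference seed so the codes can be checked against the published test vectors.

```python
import hashlib
import hmac
import struct

# Constructed demo values (not from Enpass or the forum post): a TOTP seed,
# a salt stored beside the vault, a secret that lives only inside a hardware
# token, and a fixed challenge that can safely be stored next to the vault.
TOTP_SEED = b"12345678901234567890"                  # RFC 6238 reference seed
VAULT_SALT = b"constructed-vault-salt-0001"
TOKEN_SECRET = b"secret-that-never-leaves-the-token"
STORED_CHALLENGE = b"challenge-stored-next-to-the-vault"


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def derive_vault_key(master_password: str, factor: bytes, salt: bytes) -> bytes:
    """Hypothetical KDF that folds a second factor into the vault key.
    PBKDF2-HMAC-SHA256 is used only to keep the example self-contained."""
    material = master_password.encode() + b"\x00" + factor
    return hashlib.pbkdf2_hmac("sha256", material, salt, 50_000, 32)


def token_response(token_secret: bytes, challenge: bytes) -> bytes:
    """Models an HMAC challenge-response token: the same stored challenge
    always yields the same response, but only while the token is present."""
    return hmac.new(token_secret, challenge, hashlib.sha256).digest()


def totp_key_is_reproducible(master_password: str, t_encrypt: int, t_decrypt: int) -> bool:
    """Key derived at encryption time vs. key derived at decryption time
    when the current TOTP code is mixed in. Different time windows give
    different codes, so the second key cannot open the first one's vault."""
    k_enc = derive_vault_key(master_password, totp(TOTP_SEED, t_encrypt).encode(), VAULT_SALT)
    k_dec = derive_vault_key(master_password, totp(TOTP_SEED, t_decrypt).encode(), VAULT_SALT)
    return k_enc == k_dec


def token_key(master_password: str, token_secret: bytes) -> bytes:
    """Key derived with a token-held secret: reproducible any time the right
    token answers the stored challenge, and unrecoverable without it."""
    return derive_vault_key(master_password, token_response(token_secret, STORED_CHALLENGE), VAULT_SALT)


if __name__ == "__main__":
    # RFC 6238 vectors, last six digits: 287082 and 081804
    print(totp(TOTP_SEED, 59), totp(TOTP_SEED, 1111111109))
    print("TOTP key reproducible across windows:",
          totp_key_is_reproducible("correct horse", 59, 1111111109))      # False
    print("Token key reproducible:",
          token_key("correct horse", TOKEN_SECRET) == token_key("correct horse", TOKEN_SECRET))  # True
    print("Wrong token gives same key:",
          token_key("correct horse", TOKEN_SECRET) == token_key("correct horse", b"other"))      # False
```

The TOTP-based key only matches when the decryption happens in the same 30-second window as the encryption, which is useless for a vault that has to be opened days later; the token-based key matches whenever the token is present and never without it. That is the difference between a factor that gates access and a factor that contributes key material.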

  • 1 month later...

In another thread I read that 2FA is on the road map. Is there any more concrete information available like upcoming release or so?

Having 2FA available to log in more securely into Enpass - for me it's an absolute essential feature for password managers in these times, no matter if they work online or offline. I would like to have something like a hardware token via NFC on my phone as an extra security option in addition to the master keyword. The optional key file itself - for me it's something like a device registration, because the key file is permanently 'integrated' into the mobile app.

When you have 2FA and periodically executed security audits, then Enpass will be my password safe further on.

  • 1 month later...
  • 4 months later...

The last Enpass audit was in 2018. Is there any plan to repeat this audit as it is coming up to 3 years without one

Thanks

Yes, an audit with a good, well-recognized audit company!
Not a corrupted one!

  • 3 weeks later...

Hi @el613

I understand your concern regarding the security audit and appreciate your keenness towards Enpass.

We agree with you that a security-audit plays an important role for a password manager application, and we have planned one for this year itself down the line with the release of some exciting features.

  • 6 months later...
On 4/28/2021 at 12:58 PM, Pratyush Sharma said:

Hi @el613

I understand your concern regarding the security audit and appreciate your keenness towards Enpass.

We agree with you that a security-audit plays an important role for a password manager application, and we have planned one for this year itself down the line with the release of some exciting features.

So now Nov'2021 - would be unreasonable to ask for a progress update on the Security Audit that will be completed 'this year'?

  • 2 weeks later...

Bump ... the product cannot be considered secure without regular security audits - and done by external auditors.

  • 1 month later...

Bump. The year is over and it is now 2022...

I've been lurking around Enpass for years, hoping that you might realise that without a security audit happening at regular intervals, then the product can't really be taken seriously and be recommended to others.
You have a nice app and the functionality is good. This means that I want to be able to recommend it, but your consistent lax security protocols always leave me wondering "why?"

What gives with no regular security audits (every year or two)?
The codebase should be stable enough to ensure that any features don't create critical or major security issues.

The app definitely needs a code audit again, especially because it is closed source.

  • 2 weeks later...

Agreed. While a security audit can be expensive, it's vital in gaining the trust of users. Unless the product is open source, an audit is all that reviewers and users can really go off of. 

  • 3 months later...

This is a joke.

On 4/28/2021 at 1:58 PM, Pratyush Sharma said:

Hi @el613

I understand your concern regarding the security audit and appreciate your keenness towards Enpass.

We agree with you that a security-audit plays an important role for a password manager application, and we have planned one for this year itself down the line with the release of some exciting features.

It's been more than 1 year. When is it planned?

  • 1 month later...

Hello all,

I am excited to share that recently Enpass has been audited for security of the Windows App. The complete audit report is available here on our website. Soon we’ll be starting the process for rest of the platforms.

Thanks for your patience.

  • Moderator changed the title to Repeat Audit
4 hours ago, Mohit Thapa said:

Hello all,

I am excited to share that recently Enpass has been audited for security of the Windows App. The complete audit report is available here on our website. Soon we’ll be starting the process for rest of the platforms.

Thanks for your patience.

Excellent. Well done!

Glad to see that few remarks.

The HTTP service mentioned, I presume, is the WiFi sync part, which isn't utilized if one doesn't use WiFi sync nor start the service?


23 minutes ago, Ivarson said:

The HTTP service mentioned, I presume, is the WiFi sync part, which isn't utilized if one doesn't use WiFi sync nor start the service?

WiFi sync is a different service than this. The HTTP service mentioned is used by mobile apps for manual vault "Backup and Restore over Wi-Fi". Because the Enpass Core part (C++) is shared across all platforms, the buffer overflow was found in the source code audit.

Desktop apps do not use this service.

On 7/18/2022 at 10:31 AM, Mohit Thapa said:

Hello all,

I am excited to share that recently Enpass has been audited for security of the Windows App. The complete audit report is available here on our website. Soon we’ll be starting the process for rest of the platforms.

Thanks for your patience.

While the audits are generally positive, various vulnerabilities were noted by the auditors; have these vulnerabilities been addressed and remediated? The audit reports make no mention of this happening...

@LM77

Thank you for your question. I would like to draw your attention to the fact that on every 'Identified Vulnerabilities' found in the Audit report, a note is provided by the team (like what actions have been taken by Enpass developers to rectify it).

E.g., if you look at the 'Enpass Windows App and Admin console for Business', Page-08:
