Enpass lets you unlock your keychain quickly with biometric authentication (fingerprint or face recognition). Biometrics do not replace the master password, however: Enpass still needs it to decrypt the database. Instead, on each platform Enpass keeps a copy of the master password under the protection of the OS-provided, hardware-backed key storage, so that it can be revealed only after a successful biometric authentication. The following sections describe how this works on each platform.
Touch ID on iOS
The iOS Keychain stores app-specific sensitive data that only the owning app can read. When you enable Touch ID or a PIN code for quick unlock on an iOS 8 or later device, Enpass stores an obfuscated copy of your master password in the iOS Keychain as an item that only Enpass can access. The master password never leaves the device: the item is excluded both from iTunes backups and from iCloud Keychain sync. Note that the protection comes from the Keychain's own encryption (guaranteed by the passcode requirement below), not from the obfuscation.
Quick unlock (Touch ID or PIN) can be enabled only if a device passcode is set. With a passcode set, everything in the iOS Keychain, including the saved master password, is encrypted with keys that depend on that passcode. If you later remove the device passcode, quick unlock is disabled automatically and the saved data is deleted.
In addition, three consecutive failed PIN or Touch ID attempts cause Enpass to erase the master password from the iOS Keychain and prompt for the master password instead. After the next successful master-password unlock it is saved in the Keychain again. Disabling quick unlock in Enpass settings also erases the master password from the Keychain.
Fingerprint on Android
Android 6.0 and later provide a Fingerprint API together with Android Keystore improvements that are reliable enough to protect the master password. When you enable Fingerprint in Enpass settings, Enpass creates a random, Enpass-specific encryption key in the Android Keystore that requires fingerprint authentication for every use and is accessible only to Enpass. Your master password is encrypted with this key and the ciphertext is stored in the app's private storage. The password becomes usable only after it has been decrypted with that Keystore key, the key can be used only after you authenticate to Enpass with your fingerprint, and the key material itself never leaves the Keystore. If someone who knows your device PIN or password enrolls an additional fingerprint on the phone, Android immediately invalidates every fingerprint-bound key, making it permanently unusable. Enpass detects this the next time it tries to use the key, disables Fingerprint in its settings and removes the stored encrypted master password, so the master password has to be entered again.
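The following is an added example of the scheme described above, written against the Android 6.0 Keystore and Fingerprint APIs; it is not Enpass's own code. The class name, the key alias, the private SharedPreferences file used to hold the ciphertext, and the callback interface are assumptions made for the illustration. It shows the three pieces the text describes: a fingerprint-bound AES key that is invalidated by new enrollments, wrapping and unwrapping of the master password through a fingerprint prompt, and detection of KeyPermanentlyInvalidatedException, which triggers disabling the feature and wiping the stored ciphertext.

```java
// Added example, not Enpass code. Requires API 23+ and android.permission.USE_FINGERPRINT.
// Names (FingerprintUnlock, "quick_unlock_key", "quick_unlock" prefs) are illustrative.
import android.content.Context;
import android.content.SharedPreferences;
import android.hardware.fingerprint.FingerprintManager;
import android.os.Build;
import android.os.CancellationSignal;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import android.util.Base64;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public final class FingerprintUnlock {
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String ALIAS = "quick_unlock_key";   // assumed key alias
    private static final String PREFS = "quick_unlock";       // assumed private prefs file
    private static final String TRANSFORM = "AES/GCM/NoPadding";
    private static final int GCM_TAG_BITS = 128;

    public interface Callback {
        void onEnabled();
        void onMasterPassword(String masterPassword);
        void onDisabled(String reason);
    }

    private interface Op { void run(Cipher authenticated) throws Exception; }

    /** User turns fingerprint unlock on: create the fingerprint-bound key and wrap the password. */
    public static void enable(Context ctx, String masterPassword, Callback cb) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        KeyGenParameterSpec.Builder spec = new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setKeySize(256)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setUserAuthenticationRequired(true);        // every use needs a fresh fingerprint
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.N) {
            spec.setInvalidatedByBiometricEnrollment(true); // the default; on API 23 it is always on
        }
        kg.init(spec.build());
        SecretKey key = kg.generateKey();                   // non-exportable, lives in the Keystore
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        cipher.init(Cipher.ENCRYPT_MODE, key);              // Keystore chooses a random IV
        authenticate(ctx, cipher, c -> {
            byte[] ct = c.doFinal(masterPassword.getBytes(StandardCharsets.UTF_8));
            ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE).edit()
               .putString("iv", Base64.encodeToString(c.getIV(), Base64.NO_WRAP))
               .putString("ct", Base64.encodeToString(ct, Base64.NO_WRAP))
               .apply();
            cb.onEnabled();
        }, cb);
    }

    /** App start: recover the master password, or detect that the key has been invalidated. */
    public static void unlock(Context ctx, Callback cb) throws Exception {
        SharedPreferences p = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        String iv = p.getString("iv", null), ct = p.getString("ct", null);
        if (iv == null || ct == null) { cb.onDisabled("fingerprint unlock not set up"); return; }
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        try {
            cipher.init(Cipher.DECRYPT_MODE, loadKey(),
                    new GCMParameterSpec(GCM_TAG_BITS, Base64.decode(iv, Base64.NO_WRAP)));
        } catch (KeyPermanentlyInvalidatedException e) {
            // A fingerprint was enrolled or removed: the key is gone for good. Wipe the wrapped
            // password and turn the feature off, then fall back to the master password prompt.
            disable(ctx);
            cb.onDisabled("fingerprints changed; master password required");
            return;
        }
        authenticate(ctx, cipher, c -> {
            byte[] pt = c.doFinal(Base64.decode(ct, Base64.NO_WRAP));   // GCM tag verified here
            cb.onMasterPassword(new String(pt, StandardCharsets.UTF_8));
        }, cb);
    }

    /** Turning the feature off: delete the key and the wrapped password together. */
    public static void disable(Context ctx) throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        if (ks.containsAlias(ALIAS)) ks.deleteEntry(ALIAS);
        ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE).edit().clear().apply();
    }

    private static SecretKey loadKey() throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        return (SecretKey) ks.getKey(ALIAS, null);
    }

    // The cipher is handed to the fingerprint hardware via CryptoObject; only the instance
    // returned in onAuthenticationSucceeded is authorised to finish the operation.
    private static void authenticate(Context ctx, Cipher cipher, Op op, Callback cb) {
        FingerprintManager fm = ctx.getSystemService(FingerprintManager.class);
        fm.authenticate(new FingerprintManager.CryptoObject(cipher), new CancellationSignal(), 0,
                new FingerprintManager.AuthenticationCallback() {
                    @Override public void onAuthenticationSucceeded(
                            FingerprintManager.AuthenticationResult result) {
                        try { op.run(result.getCryptoObject().getCipher()); }
                        catch (Exception e) { cb.onDisabled("unwrap failed: " + e.getMessage()); }
                    }
                    @Override public void onAuthenticationError(int code, CharSequence msg) {
                        cb.onDisabled("fingerprint error: " + msg);  // includes the OS lockout
                    }
                }, null);
    }
}
```

Two points worth checking in any implementation of this pattern: the invalidation is only detected when the key is next used (at cipher.init), so the cleanup must live on the unlock path rather than in a settings screen, and the plaintext master password should be cleared from memory as soon as the database has been opened. On API 28 and later FingerprintManager is deprecated; BiometricPrompt accepts the same CryptoObject, so the key-binding and invalidation handling carry over unchanged.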
Windows Hello on Windows 10
Modern Windows 10 devices have both biometric sensors and TPM hardware, and Windows Hello lets Enpass use the two together. When you enable Windows Hello in Enpass on a supported device, Enpass creates Enpass-specific cryptographic keys in the TPM that are bound to Windows Hello authentication, encrypts your master password with those keys, and stores the result in the app's private storage. The master password becomes usable only after it has been decrypted with the TPM-resident keys, and those keys can be used only after you authenticate to Enpass with Windows Hello.