Enpass facilitates easy unlocking of your data through biometric authorization using fingerprint or face recognition. Enpass still needs the master password to decrypt the database, so the OS-provided hardware protection APIs are used to protect the master password, which can only be revealed after a successful biometric authentication.
Biometric and PIN on iOS
iOS Keychain provides a way to store app-specific sensitive data that can only be accessed by that app. When you enable Biometric or PIN on your device, Enpass stores an obfuscated version of your master password in the iOS Keychain, where only Enpass can access it. In no case does your master password leave the device: it is included neither in iTunes backups nor in iCloud Keychain.
Unlocking through biometrics uses the additional protection of the Secure Enclave. The Secure Enclave locks the saved master password in such a way that it is accessible only after a successful biometric authentication. Even if someone obtains your device passcode and legitimately enrolls their own fingerprint on the phone, iOS immediately invalidates all the cryptographic keys and makes them unusable.
Quick unlocking of Enpass is restricted to devices that have a device passcode. Setting up a device passcode ensures that all data in the iOS Keychain (including the saved master password) is protected by iOS itself. When you disable the device passcode, quick unlock is also disabled and the saved master password is removed.
Also, if five consecutive quick-unlock attempts fail, Enpass erases the master password from the iOS Keychain and prompts you to enter the master password to unlock Enpass. On the next successful unlock, it is saved again in the iOS Keychain. When you disable Quick Unlock in Enpass settings, Enpass erases the master password from the iOS Keychain.
Biometric in Android
Android 6.0 and later provide a Fingerprint/Biometric API, together with enhancements to the Android Keystore, that are reliable enough to protect the master password. As soon as you enable Biometric in Enpass settings on your device, Enpass creates a biometric-authenticated, Enpass-specific random encryption/decryption key in the Android Keystore (accessible to Enpass only), encrypts your master password with this key and stores the result in a private area of the device storage. Your master password is usable only after it has been decrypted with the same key held in the Android Keystore, and that key can be used only when you authenticate Enpass with your biometric. Even if someone obtains your Android device passcode and legitimately enrolls their own fingerprint on the phone, Android immediately invalidates all the encryption/decryption keys and makes them unusable. Enpass detects this even while in use, automatically disables Biometric in Enpass settings and removes the stored master password.
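As an added illustration (not Enpass's own code), this is the Android Keystore pattern the paragraph above describes, written in Kotlin: a biometric-bound AES key wraps the master password, and the OS-side invalidation on new fingerprint enrollment surfaces to the app as `KeyPermanentlyInvalidatedException`. The key alias and the handling of the stored IV/ciphertext are assumptions.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricPrompt
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

private const val KEY_ALIAS = "example.master-password-wrapping-key" // hypothetical alias
private const val KEYSTORE = "AndroidKeyStore"

// AES-GCM key that never leaves the Keystore, is usable only after a biometric
// authentication, and is destroyed by the OS when a new biometric is enrolled.
fun createBiometricBoundKey(): SecretKey {
    val spec = KeyGenParameterSpec.Builder(
            KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setUserAuthenticationRequired(true)        // default: authenticate on every use
        .setInvalidatedByBiometricEnrollment(true)  // API 24+: new fingerprint => key gone
        .build()
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE)
        .apply { init(spec) }.generateKey()
}

private fun keyStore() = KeyStore.getInstance(KEYSTORE).apply { load(null) }

// Returns a cipher ready to wrap (iv == null) or unwrap the master password, or null
// when the key was invalidated: the caller must then disable biometric unlock in
// settings and delete the stored ciphertext, which is useless without the key.
fun cipherForMasterPassword(iv: ByteArray?): Cipher? {
    val key = keyStore().getKey(KEY_ALIAS, null) as? SecretKey ?: createBiometricBoundKey()
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    return try {
        if (iv == null) cipher.init(Cipher.ENCRYPT_MODE, key)
        else cipher.init(Cipher.DECRYPT_MODE, key, GCMParameterSpec(128, iv))
        cipher
    } catch (e: KeyPermanentlyInvalidatedException) {
        keyStore().deleteEntry(KEY_ALIAS)  // enrollment changed; start over next time
        null
    }
}

// The initialised cipher is handed to the prompt as BiometricPrompt.CryptoObject(cipher);
// doFinal() only succeeds inside onAuthenticationSucceeded, i.e. after the user passed.
// When wrapping, persist both cipher.iv and the ciphertext in app-private storage.
fun unwrapAfterAuth(result: BiometricPrompt.AuthenticationResult, ciphertext: ByteArray): ByteArray? =
    result.cryptoObject?.cipher?.doFinal(ciphertext)
```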
PIN in Android
When a locking condition is met, i.e. the inactivity timeout expires or the app goes to the background, Enpass restricts access to all its features and you have to provide a PIN to access your data. This does not actually close the Enpass database; it only adds an extra authorization screen. On a wrong PIN entry, the database is immediately closed and the master password is required. Also, if the app is killed by the OS in the background (some Android devices do this frequently when Battery Optimization is enabled), the master password is required at the next start.
On desktop, Enpass facilitates easy unlocking of data, as on the mobile platforms, through biometric authorization using platform-specific APIs and hardware enclaves. When no hardware enclave is detected, we advise always using the master password for unlocking. However, in some cases convenience wins out and a way to quickly access Enpass data is required. Enpass supports quick unlock through Fallback Biometric and PIN, but the master password is required every time Enpass is unlocked after the application has been completely closed, which locks down the Enpass database.
Windows Hello (Microsoft Store version only)
Modern Windows devices have both biometric hardware and a TPM, and Windows Hello lets both be used together reliably. As soon as you enable Windows Hello on a supported device, Enpass creates Windows Hello-authenticated, Enpass-specific cryptographic keys in the TPM, encrypts your master password with those keys and stores the result in the app's private area of the on-device storage. Your master password is usable only after it has been decrypted with the same keys held in your device's TPM, and those keys can be used only when you authenticate Enpass with Windows Hello.
Touch ID on macOS (Apple Store version only)
Unlocking through Touch ID on macOS uses the protection of the Secure Enclave, as on iOS. The Secure Enclave locks the saved master password in such a way that it is accessible only after a successful biometric authentication.
Quick unlocking through biometrics is available on both Windows and Mac, through Windows Hello and Touch ID respectively. When a locking condition is met, i.e. the inactivity timeout expires or the app goes to the background, Enpass restricts access to data without locking down the database, and you need to authorize using the available biometric method. If the biometric authorization fails, the database is closed and the master password is required the next time.
Enpass on all desktop systems supports unlocking through a PIN, which works the same way as fallback biometric authorization.