Unlock using Hello in Windows 10 Mobile (Security)

Unlocking Enpass with Windows Hello was first supported in Enpass version 5.0, but only in a limited way: the user had to re-enter the master password after the app was exited. Windows on mobile phones tends to kill background apps, so Enpass asked for the master password frequently. In Enpass version 5.1, we implemented full-time Hello support for unlocking the Enpass keychain on Windows devices that have a TPM hardware chip.

Challenges

Once the Enpass keychain is locked (per the security settings, or after the app is exited or killed by the OS), it can only be unlocked with the correct master password. So we needed a direct association between the master password and Windows Hello authentication, such that completing that authentication reveals the protected master password.

Solution

Modern Windows phone devices have both biometric and TPM hardware, and Windows Hello lets both be used to solve this reliably enough. As soon as you enable Windows Hello on a supported device, we create Enpass-specific cryptographic keys in the TPM that can only be used after Windows Hello authentication, encrypt your master password with those keys, and store the result in the app's private area on device storage.

Security

Your master password is the only key to access Enpass, and we take every precaution to secure it. The above solution is highly secure because your master password becomes usable only after it is decrypted with the same keys stored in your device's TPM, and those keys can only be retrieved after you authenticate to Enpass with Windows Hello.
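The Solution and Security sections above describe the flow in words; the following is an added illustration, written for this page and not Enpass's own code, of how a UWP app can implement that flow with the public Windows APIs. The key is created with KeyCredentialManager, which is the Windows Hello key API; because such a key only signs (it does not encrypt directly), the example assumes the common sign-a-fixed-challenge pattern: the Hello key signs a constant challenge, the SHA-256 of that signature becomes an AES-GCM wrapping key, and the wrapped master password is kept in the app's private LocalSettings. The class name, key name, setting names and challenge string are all this example's own choices.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Security.Credentials;
using Windows.Security.Cryptography;
using Windows.Security.Cryptography.Core;
using Windows.Storage;
using Windows.Storage.Streams;

// Hypothetical helper (not Enpass's code): protects the master password with a
// Windows Hello key so the app can re-open its keychain after the OS kills it.
public static class HelloMasterPasswordVault
{
    // Names are this example's own choices, not Enpass identifiers.
    private const string KeyName = "ExampleApp.MasterPasswordUnlock";
    private const string BlobSetting = "hello_blob";
    private const string NonceSetting = "hello_nonce";
    private const string TagSetting = "hello_tag";

    // Fixed challenge: the Hello key signs this. The signature is stable for a
    // given key (assumption: deterministic signing), so its hash can serve as
    // the symmetric wrapping key and never has to be stored anywhere.
    private static readonly IBuffer Challenge =
        CryptographicBuffer.ConvertStringToBinary("ExampleApp-hello-unlock-v1", BinaryStringEncoding.Utf8);

    // Enable: create (or replace) the Hello-gated key and store the wrapped password.
    public static async Task<bool> EnableAsync(string masterPassword)
    {
        if (!await KeyCredentialManager.IsSupportedAsync())
            return false; // Windows Hello key credentials unavailable on this device

        KeyCredentialRetrievalResult created = await KeyCredentialManager.RequestCreateAsync(
            KeyName, KeyCredentialCreationOption.ReplaceExisting);
        if (created.Status != KeyCredentialStatus.Success)
            return false; // user cancelled, Hello not set up, etc.

        CryptographicKey wrapKey = await DeriveWrapKeyAsync(created.Credential);
        if (wrapKey == null) return false;

        IBuffer nonce = CryptographicBuffer.GenerateRandom(12); // fresh nonce per encryption
        IBuffer plaintext = CryptographicBuffer.ConvertStringToBinary(masterPassword, BinaryStringEncoding.Utf8);
        EncryptedAndAuthenticatedData sealedData =
            CryptographicEngine.EncryptAndAuthenticate(wrapKey, plaintext, nonce, null);

        var settings = ApplicationData.Current.LocalSettings.Values;
        settings[BlobSetting] = CryptographicBuffer.EncodeToBase64String(sealedData.EncryptedData);
        settings[NonceSetting] = CryptographicBuffer.EncodeToBase64String(nonce);
        settings[TagSetting] = CryptographicBuffer.EncodeToBase64String(sealedData.AuthenticationTag);
        return true;
    }

    // Unlock: prompts for Hello, re-derives the wrapping key and returns the master
    // password, or null if the user cancels or the stored blob was altered.
    public static async Task<string> UnlockAsync()
    {
        var settings = ApplicationData.Current.LocalSettings.Values;
        if (!settings.ContainsKey(BlobSetting)) return null;

        KeyCredentialRetrievalResult opened = await KeyCredentialManager.OpenAsync(KeyName);
        if (opened.Status != KeyCredentialStatus.Success)
            return null;

        CryptographicKey wrapKey = await DeriveWrapKeyAsync(opened.Credential);
        if (wrapKey == null) return null;

        IBuffer blob = CryptographicBuffer.DecodeFromBase64String((string)settings[BlobSetting]);
        IBuffer nonce = CryptographicBuffer.DecodeFromBase64String((string)settings[NonceSetting]);
        IBuffer tag = CryptographicBuffer.DecodeFromBase64String((string)settings[TagSetting]);
        try
        {
            IBuffer plaintext = CryptographicEngine.DecryptAndAuthenticate(wrapKey, blob, nonce, tag, null);
            return CryptographicBuffer.ConvertBinaryToString(BinaryStringEncoding.Utf8, plaintext);
        }
        catch (Exception)
        {
            return null; // GCM tag mismatch: blob tampered with, or a different Hello key
        }
    }

    // Disable: remove both the wrapped blob and the Hello key itself.
    public static async Task DisableAsync()
    {
        var settings = ApplicationData.Current.LocalSettings.Values;
        settings.Remove(BlobSetting);
        settings.Remove(NonceSetting);
        settings.Remove(TagSetting);
        await KeyCredentialManager.DeleteAsync(KeyName);
    }

    // RequestSignAsync is what triggers the Hello prompt; without a successful
    // Hello authentication no signature, and hence no wrapping key, exists.
    private static async Task<CryptographicKey> DeriveWrapKeyAsync(KeyCredential credential)
    {
        KeyCredentialOperationResult signed = await credential.RequestSignAsync(Challenge);
        if (signed.Status != KeyCredentialStatus.Success) return null;
        IBuffer keyMaterial = HashAlgorithmProvider.OpenAlgorithm(HashAlgorithmNames.Sha256).HashData(signed.Result);
        return SymmetricKeyAlgorithmProvider.OpenAlgorithm(SymmetricAlgorithmNames.AesGcm).CreateSymmetricKey(keyMaterial);
    }
}
```

Two points this layout makes concrete. The stored blob, nonce and tag are worthless on their own: the wrapping key is only ever recomputed in memory, and only after the Hello key has signed the challenge, which the platform refuses to do without Hello authentication. And the AES-GCM tag means a blob that was modified on disk, or encrypted under a different key, fails closed instead of yielding a garbled "master password". The example checks only IsSupportedAsync and does not itself confirm that the key is TPM-backed; on a device without a TPM the credential is software-backed, which is the case the Supported devices section below warns about.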

Supported devices

Only Windows 10 devices with a built-in TPM chip support full-time Hello. If your device shows a warning message, it means you can't use full-time Windows Hello to unlock Enpass; however, you will still be able to use Hello unlock as in the previous version.