Unlock using Fingerprint in Android Marshmallow (Security)

Unlocking Enpass with a fingerprint on Android was first supported in Enpass version 4.6, but only in a limited way: the user had to enter the master password again whenever the app was exited or killed by the OS. With Android Marshmallow, Google standardized the Fingerprint APIs, backed by strong in-device security, and we used them to implement full-time fingerprint support for unlocking the Enpass keychain.

Challenges

Once the Enpass keychain is locked, it can only be unlocked with the correct master password, and that password is needed every time Enpass is freshly started or has been killed by the OS. To implement full-time fingerprint support, we therefore needed a direct association between the master password and fingerprint authentication, so that a successful fingerprint authentication could give the app your master password.

Solution

Until Android 6.0 there was no secure place where we could store your master password. With Marshmallow, Google provided new Fingerprint APIs together with enhancements to the Android Keystore that are reliable enough for this purpose. As soon as you enable Fingerprint in Enpass settings on a Marshmallow device, we create a random, fingerprint-authenticated, Enpass-specific encryption/decryption key in the Android Keystore (accessible to Enpass only), encrypt your master password with this key, and store the result in the app's private area of device storage.

Security

Your master password is the only key to Enpass, and we take every precaution to secure it. The solution above is highly secure because your master password becomes usable only after it is decrypted with the key held in the Android Keystore, and that key can only be used once you have authenticated to Enpass with your fingerprint. Even if someone obtains your device passcode and legitimately enrols additional fingerprints on the phone, Android immediately invalidates all such encryption/decryption keys and makes them unusable. On being opened, Enpass detects this, automatically disables Fingerprint in Enpass settings and clears the stored master password.
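The flow described in the Solution and Security sections, as an added example (not Enpass's own code) of how the Marshmallow APIs are used: a fingerprint-gated AES key is generated in the Android Keystore, the master password is encrypted with it and kept in app-private storage, and a key invalidated by a fingerprint enrolment change is detected and torn down on the next unlock. The key alias, preferences file and preference names are assumptions; the caller supplies the `FingerprintManager` and `CancellationSignal`.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.hardware.fingerprint.FingerprintManager;
import android.os.CancellationSignal;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import android.util.Base64;

import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Hypothetical helper (example code, not Enpass's): wraps the master password with a
 *  fingerprint-gated AES key that lives in the Android Keystore (API 23+). */
public class FingerprintUnlockHelper {
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String KEY_ALIAS = "example.masterpassword.key"; // assumed alias
    private static final String PREFS = "example.fingerprint";            // assumed prefs file
    private static final String PREF_CT = "wrapped_master_password";      // assumed pref name
    private static final String PREF_IV = "wrap_iv";                      // assumed pref name
    private static final int GCM_TAG_BITS = 128;

    private final SharedPreferences prefs;

    public FingerprintUnlockHelper(Context ctx) {
        // MODE_PRIVATE: readable by this app only (the "private area" of device storage)
        prefs = ctx.getApplicationContext().getSharedPreferences(PREFS, Context.MODE_PRIVATE);
    }

    /** Called when the user enables Fingerprint in settings: a random AES key that the
     *  Keystore only releases for one operation after a fingerprint match. On Marshmallow
     *  the key is permanently invalidated when fingerprints are added or removed. */
    public void createFingerprintBoundKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setUserAuthenticationRequired(true)   // every use needs a fresh fingerprint
                .build());
        kg.generateKey();                              // key material never leaves the Keystore
    }

    /** Initialise a cipher for wrapping (ENCRYPT_MODE) or unwrapping (DECRYPT_MODE).
     *  Returns null when no key exists or the key has been invalidated; in the latter
     *  case fingerprint unlock is disabled first. */
    public Cipher prepareCipher(int mode) throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        SecretKey key = (SecretKey) ks.getKey(KEY_ALIAS, null);
        if (key == null) return null;                  // fingerprint unlock never enabled
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        try {
            if (mode == Cipher.ENCRYPT_MODE) {
                cipher.init(Cipher.ENCRYPT_MODE, key); // Keystore picks a random IV
            } else {
                byte[] iv = Base64.decode(prefs.getString(PREF_IV, ""), Base64.NO_WRAP);
                cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
            }
        } catch (KeyPermanentlyInvalidatedException e) {
            // Fingerprints changed since the key was created: Android has made the key
            // unusable, so disable fingerprint unlock and forget the wrapped copy.
            disableFingerprintUnlock(ks);
            return null;
        }
        return cipher;
    }

    /** Hand the prepared cipher to the fingerprint hardware; the Keystore authorises it
     *  for exactly one doFinal() once the callback reports success. */
    public void authenticate(FingerprintManager fm, Cipher cipher, CancellationSignal cancel,
                             FingerprintManager.AuthenticationCallback cb) {
        fm.authenticate(new FingerprintManager.CryptoObject(cipher), cancel, 0, cb, null);
    }

    /** After a successful ENCRYPT_MODE authentication: persist ciphertext and IV. */
    public void storeWrapped(Cipher authenticatedCipher, byte[] masterPasswordUtf8) throws Exception {
        byte[] ct = authenticatedCipher.doFinal(masterPasswordUtf8);
        prefs.edit()
             .putString(PREF_IV, Base64.encodeToString(authenticatedCipher.getIV(), Base64.NO_WRAP))
             .putString(PREF_CT, Base64.encodeToString(ct, Base64.NO_WRAP))
             .apply();
    }

    /** After a successful DECRYPT_MODE authentication: recover the master password.
     *  GCM's tag check also rejects a ciphertext that was tampered with on disk. */
    public byte[] unwrap(Cipher authenticatedCipher) throws Exception {
        byte[] ct = Base64.decode(prefs.getString(PREF_CT, ""), Base64.NO_WRAP);
        return authenticatedCipher.doFinal(ct);
    }

    private void disableFingerprintUnlock(KeyStore ks) throws Exception {
        ks.deleteEntry(KEY_ALIAS);                     // drop the dead key
        prefs.edit().remove(PREF_CT).remove(PREF_IV).apply(); // and the wrapped password
    }
}
```

At unlock time the app calls `prepareCipher(Cipher.DECRYPT_MODE)`; a `null` result means it must fall back to the master-password prompt (and, if the key was invalidated, the settings toggle is already off). Otherwise it calls `authenticate(...)` and, inside `onAuthenticationSucceeded(result)`, passes `result.getCryptoObject().getCipher()` to `unwrap(...)`. Because the key requires user authentication for every operation, enabling the feature also needs one fingerprint tap to run the `ENCRYPT_MODE` path; the plaintext password is never written to storage and the key itself is never exported from the Keystore.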