Angelelz / WinHelloUnlock

KeePass 2 plugin to automatically unlock databases with Windows Hello
MIT License

Implement ability to use the same database on multiple PCs with each PC's Windows Hello credentials #53

Open jdrch opened 3 years ago

jdrch commented 3 years ago

Describe the bug

Currently, if you sync the same database omnidirectionally among multiple PCs, each successive WinHelloUnlock setup on an additional PC will break the plugin's functionality on the other PCs.

This appears to be due to WinHelloUnlock saving some kind of marker that matches a single PC's Windows Hello credentials within the database itself.

I therefore propose that this marker either be stored locally on each PC outside the database OR that all such markers are stored within the database and WinHelloUnlock retrieves the one matching the PC it's currently on.

I know this is possible because KeePass2Android allows biometric unlocking of the same database across multiple devices. Also, browsers that use Windows Hello are able to access the same account using each machine's Windows Hello credentials without breaking the other machines' access to the account.

To Reproduce

Steps to reproduce the behavior:

  1. Set up WinHelloUnlock (WHU) on PC1
  2. Sync PC1's KeePass database to PC2 using your preferred backend, e.g. Google Drive
  3. Set up WHU on PC2
  4. Sync PC2's KeePass database back to PC1 (most sync backends do this automatically)
  5. Attempt to use WHU on PC1

You'll get a CRC error message.

Expected behavior

WHU should work on both PCs after setting up PC2.

Screenshots

N/A

Additional context

So far, I haven't been able to find a way around this. If you experience the error, your only choice is to:

  1. Delete the Windows Hello config on the database on all of the PCs
  2. Uninstall WHU from all the PCs except the 1 you need to use it with
  3. Set up WHU from scratch again on the PC you want to use it with
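
The following is an added example, not WinHelloUnlock's code, sketching the two layouts the report contrasts: a single marker for the whole database versus one marker per PC, looked up by a machine identifier. How the real plugin stores its marker is not visible on this page, so everything here is an assumption: each PC's Windows Hello credential is simulated by a fixed per-PC secret, the "marker" is the database master secret wrapped under a key derived from that secret with a CRC32 appended so that unwrapping with the wrong PC's key surfaces as a CRC error (mirroring the symptom reported, not a claim about how the plugin produces it), and the per-PC slot key is a hypothetical machine identifier such as the Windows MachineGuid. The XOR-with-HMAC-keystream wrap is a stand-in for illustration only and is not a real key-wrapping cipher.

```python
"""Added example: single-slot vs. per-PC marker layout for a Hello-unlocked
database. Not WinHelloUnlock code; all keys and identifiers are constructed."""
import hashlib
import hmac
import zlib

# Constructed sample data: the database master secret and one simulated
# Windows Hello secret per PC (in reality only that PC's Hello can release it).
MASTER = b"db-master-secret-example-32-bytes!!"
PCS = {"PC1": hashlib.sha256(b"hello-secret-PC1").digest(),
       "PC2": hashlib.sha256(b"hello-secret-PC2").digest()}


class CrcError(ValueError):
    """Raised when a marker does not unwrap cleanly for this PC."""


def device_key(hello_secret: bytes) -> bytes:
    # Stand-in for a key derived from this PC's Windows Hello credential.
    return hmac.new(hello_secret, b"WHU-device-key", hashlib.sha256).digest()


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    # Toy keystream (HMAC over a block counter) XORed over the data. Symmetric,
    # so the same call both wraps and unwraps. Illustration only, not a cipher.
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        pad = hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)


def wrap(key: bytes, master: bytes) -> bytes:
    # Append CRC32 of the plaintext so a wrong key is detected on unwrap.
    return _keystream_xor(key, master + zlib.crc32(master).to_bytes(4, "big"))


def unwrap(key: bytes, blob: bytes) -> bytes:
    plain = _keystream_xor(key, blob)
    master, crc = plain[:-4], int.from_bytes(plain[-4:], "big")
    if zlib.crc32(master) != crc:
        raise CrcError("CRC error: marker was not wrapped for this PC")
    return master


# Layout A: one marker for the whole database. Enrolling a second PC
# overwrites the first PC's marker, which is the failure the report describes.
def single_slot_setup(db: dict, pc: str) -> None:
    db["whu_marker"] = wrap(device_key(PCS[pc]), MASTER)


def single_slot_unlock(db: dict, pc: str) -> bytes:
    return unwrap(device_key(PCS[pc]), db["whu_marker"])


# Layout B: one marker per PC, keyed by a machine identifier (hypothetical;
# e.g. the Windows MachineGuid). Each PC only ever touches its own slot.
def multi_slot_setup(db: dict, pc: str, machine_id: str) -> None:
    db.setdefault("whu_markers", {})[machine_id] = wrap(device_key(PCS[pc]), MASTER)


def multi_slot_unlock(db: dict, pc: str, machine_id: str) -> bytes:
    markers = db.get("whu_markers", {})
    if machine_id not in markers:
        raise KeyError(f"no WHU marker for {machine_id}; enrol this PC first")
    return unwrap(device_key(PCS[pc]), markers[machine_id])


def reproduce_issue() -> str:
    """Steps 1-5 of the report against layout A: PC1 breaks after PC2 enrols."""
    db = {}
    single_slot_setup(db, "PC1")      # step 1: enrol on PC1
    single_slot_setup(db, "PC2")      # steps 2-3: synced copy enrolled on PC2
    try:
        single_slot_unlock(db, "PC1")  # steps 4-5: synced back, used on PC1
        return "unlocked"
    except CrcError:
        return "crc error"


def proposed_fix() -> bool:
    """Same steps against layout B: both PCs keep working."""
    db = {}
    multi_slot_setup(db, "PC1", "machine-guid-1")
    multi_slot_setup(db, "PC2", "machine-guid-2")
    return (multi_slot_unlock(db, "PC1", "machine-guid-1") == MASTER
            and multi_slot_unlock(db, "PC2", "machine-guid-2") == MASTER)


if __name__ == "__main__":
    print("single slot after PC2 enrols:", reproduce_issue())
    print("per-PC slots after PC2 enrols:", proposed_fix())
```

Layout B is the second alternative in the report (all markers live in the database, each PC retrieves its own); the first alternative (marker kept outside the database on each PC) is the same map with the slot stored locally instead of in the synced file, and the lookup logic does not change. Either way a PC that has never enrolled gets a clear "enrol first" error rather than a CRC mismatch, which is the check a user would want when the sync lands on a new machine.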

Angelelz commented 3 years ago

It is weird. The way it's set up right now should allow you to do just that. I don't have access to another PC with WH at the moment, would you please copy/paste or screenshot the error message? I'll borrow a PC in the next couple of days to test this.

Did you try deleting all the WHU credentials in credential manager to see if that helps?

jdrch commented 3 years ago

It is weird. The way it's set up right now should allow you to do just that.

I think you'll have to look into how websites like Google use FIDO2 and then implement that. Currently I suspect the method you used places a matching hash of some sort in the database itself. Since each PC will have a different "hash" (Windows Hello primitives are unique to each authentication device), once the database is moved to another machine, authentication fails on that other machine.

would you please copy/paste or screenshot the error message?

Unfortunately I can't do that without setting up the plugin on another PC and recreating the problem, and I'm kinda too busy to go through the 2 setups (1 for the additional PC, 1 to re-set up the original PC.) And yes, I'm really busy; you can look at the list of issues I'm dealing with.

Did you try deleting all the WHU credentials in credential manager to see if that helps?

In which Credentials Manager? If you're referring to KeePass that shouldn't be necessary because, as I said in the original bug report, FIDO2 currently works across multiple machines on other services just fine.

If you're referring to Windows, no, I'm not going to set up Windows Hello from scratch to solve this problem; that's too much of a PITA. I know Windows Hello and FIDO2 work very well otherwise, so I also know this issue exists entirely in the plugin (which doesn't reflect poorly on you; this is the best solution of its kind so far.)

Maybe the problem here is KeePass using passwords while FIDO2 is designed for passwordless access. As long as KeePass access is based on a token (password or keyfile) vs. identity, it might always have this issue.

szclsb commented 2 years ago

Same problem here. Uninstalling, removing the WHU credentials, reinstalling and setting up WHU again leads to the same problem on the other computer. crc e

jdrch commented 2 years ago

@szclsb I've resigned myself to using WHU on my main PC only due to the issue.

Also, another thing to bear in mind with WHU is if Windows Hello recognition fails, the fallback is your PC's password, NOT your KeePass database's (likely more complex and secure) password. It's def a security vs. convenience tradeoff.

szclsb commented 2 years ago

@jdrch Thanks for your reply, I did the same.

Angelelz commented 2 years ago

After a long time outside the coding world, I can come back to maintain the plugin. Right now I'm looking for confirmation that this issue is still standing. I've tested the plugin on different PCs with the same DB and I could not replicate it.