Kunzisoft / KeePassDX

Lightweight vault and password manager for Android, KeePassDX allows editing encrypted data in a single file in KeePass format and fill in the forms in a secure way.
https://www.keepassdx.com/
GNU General Public License v3.0

Remove Advanced Unlock keys after N attempts #1266

Open strider72 opened 2 years ago

strider72 commented 2 years ago

Two settings I would love to see with Advanced Unlock (AU):

1) x number of failed attempts deletes the AU keys. (I would set it to 1, but others may desire more mercy)

2) Allow an AU pattern totally separate from the system credentials. I want a totally separate PIN just for this, unrelated to the phone's PIN or biometric.

Please and thank you!

strider72 commented 2 years ago

Another possible enhancement: if I activate AU as read-only, it should not later work to allow Edit.

strider72 commented 2 years ago

Re 1: as a test I entered the unlock pattern incorrectly five times, then the correct pattern worked just fine. I think wrong attempts should lock it down so you need the full master password.

J-Jamet commented 2 years ago
  1. I thought about it but it requires a strict distinction between biometric API errors and actual hack attempt errors. I'll think about putting it as a setting.
  2. This is complicated to implement because it requires including a PIN system from an external independent library when using the device's PIN should be sufficient. (https://github.com/Kunzisoft/KeePassDX/issues/687#issuecomment-869237946)

Linked to : https://github.com/Kunzisoft/KeePassDX/issues/687 https://github.com/Kunzisoft/KeePassDX/issues/1051
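
The distinction raised in point 1 above, as an added sketch that is not part of the thread and not KeePassDX code: only a rejected credential counts toward the wipe threshold, while API errors do not. `UnlockEvent`, `AttemptStore` and `WipeAfterFailuresPolicy` are hypothetical names, and the mapping to the `androidx.biometric` callbacks in the comments is an assumption about how an app would wire it.

```kotlin
// Added illustration with hypothetical names; not KeePassDX code.
// Events mirror androidx.biometric BiometricPrompt.AuthenticationCallback:
//   onAuthenticationSucceeded -> SUCCESS
//   onAuthenticationFailed    -> REJECTED  (credential presented, not recognised)
//   onAuthenticationError     -> API_ERROR (cancel, timeout, hardware unavailable)
enum class UnlockEvent { SUCCESS, REJECTED, API_ERROR }

// Assumption: a real app backs this with persistent storage, otherwise killing
// the process resets the counter. In-memory here so the example runs stand-alone.
interface AttemptStore { var failedAttempts: Int }
class InMemoryStore : AttemptStore { override var failedAttempts: Int = 0 }

class WipeAfterFailuresPolicy(
    private val maxFailures: Int,
    private val store: AttemptStore,
    private val deleteKey: () -> Unit  // e.g. delete the keystore entry for the database
) {
    init { require(maxFailures >= 1) { "maxFailures must be at least 1" } }

    /** Returns true when this event caused the advanced unlock key to be deleted. */
    fun onEvent(event: UnlockEvent): Boolean = when (event) {
        UnlockEvent.SUCCESS -> { store.failedAttempts = 0; false }
        UnlockEvent.API_ERROR -> false  // not evidence of a wrong credential
        UnlockEvent.REJECTED -> {
            store.failedAttempts += 1
            if (store.failedAttempts >= maxFailures) {
                deleteKey()               // master password is now required
                store.failedAttempts = 0
                true
            } else false
        }
    }
}

fun main() {
    var keyPresent = true
    val policy = WipeAfterFailuresPolicy(3, InMemoryStore()) { keyPresent = false }
    // Constructed sequence: cancellations and a timeout between real rejections.
    val events = listOf(
        UnlockEvent.REJECTED, UnlockEvent.API_ERROR, UnlockEvent.API_ERROR,
        UnlockEvent.REJECTED, UnlockEvent.API_ERROR, UnlockEvent.REJECTED
    )
    for (e in events) {
        val wiped = policy.onEvent(e)
        println("$e -> wiped=$wiped keyPresent=$keyPresent")
    }
}
```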

strider72 commented 2 years ago
  1. Maybe only allow it for PIN unlock then? I can see it not being as useful for biometric.

strider72 commented 2 years ago
  1. Honestly this wouldn't be as big a deal to me if you would consider my other suggestion from #1265. Sad to see it closed and not implemented

J-Jamet commented 2 years ago

> 1. Maybe only allow it for PIN unlock then? I can see it not being as useful for biometric.

It doesn't change anything about the implementation of the code which should be done for all advanced unlock methods (no favoritism).

J-Jamet commented 2 years ago
> 1. Honestly this wouldn't be as big a deal to me if you would consider my other suggestion from #1265. Sad to see it closed and not implemented

It is already possible to remove the keys from the advanced unlock when the device is switched off with the temp advanced unlock (already implemented) so this issue is closed.

strider72 commented 2 years ago

> Another possible enhancement: if I activate AU as read-only, it should not later work to allow Edit.

Any thought on this one?

J-Jamet commented 2 years ago

> Another possible enhancement: if I activate AU as read-only, it should not later work to allow Edit.
>
> Any thought on this one?

I don't understand what you mean with this request, the advanced unlock is not a file. Putting it read-only would just mean not being able to register a new biometric key so it would make the feature useless.