Closed rakleed closed 4 years ago
+1 BiometricPrompt supports multiple biometric options. One of my devices is a Samsung Tab S4 which has an iris scanner instead of fingerprint reader. I'm having to use my Mooltipass Mini to unlock the database on this device which is a PITA™.
Just found a new competitor named "KeePass DX". You should check it out. It's the only other Android app I've seen in years that gives you a bit of a run for your money. One killer feature that I really love is it will use my Iris biometric on my Samsung Galaxy S8 not just fingerprint!
Thanks for the suggestion @daevidvincent . I don't really want to switch apps, but based on keepass2android milestones, it looks like this feature might take a year or so to make it into production. As more and more Android phones do away with fingerprint scanners this will greatly affect the usability of keepass2android. I'll keep checking back in hopes the support is there when I get a new phone. Wish I was more proficient in C/Java so I could help out with this project.
so, will or does keepass2android support Google pixel 4 face unlock
@PhilippC Any chance we can get this feature moved to an earlier milestone? I'm willing to support the effort, either with $ or perhaps code.
Hmm... Just noticed quite a few fingerprint related issues in milestone 1.08. Perhaps moving to the new Biometric API will help to resolve those as well. Consider putting the effort into the Biometric API instead of fixing the deprecated Fingerprint API issues.
I concur, let this great app lead the way ahead of the other password apps. I would support some $, too. I am delaying my Pixel 4 purchase until the spring. Keeping my fingers crossed. I hate losing the fingerprint feature, but no replacement coming is unpleasant.
I also want this feature, please.
I will not change the app because I have been using it for years and I like it; I prefer to wait some time.
Unless someone else creates a PR for this I think I am going to invest some time in the next two weeks to implement this.
If you have time to do so, I would gladly receive pull requests. But let's discuss a bit how this should be done. I would like to switch to using biometric prompt using androidx and fully replace fingerprint manager. However, there must be a transition phase where people who have configured fingerprint unlock can still use the old implementation to unlock, but then need to be informed they should upgrade to the new implementation. Using biometric prompt from Androidx means migrating all uses of support libraries to androidx. I guess this might come with some pain.
If this is a simple one-time change to the user, I don't think anyone has any problem reauthing with their print again or whatever. I say make a "breaking change" if it gets the feature out faster. And if it comes with the added bonus that ANY biometric the phone supports (or is actively using) can be used then I'm 100% in support of it! :) A little pain for a lot of gain!
I concur with daevidvincent
This might work for you, but I bet there are thousands of users who don't remember their master password and rely on fingerprint. This sounds insane, but you don't know how many support mails I'm writing every day.
How can that be? It is the most important pswd of any... it's the master. My gosh... if they use native KeePass on Windows then at some point in time they need their master password... even on Android occasionally the master pswd has to be re-entered after a reboot or app update. I wouldn't let the fools prevent for the masses a technology upgrade into the future. My opinion.
don't get me wrong. I consider this issue one of the top priority issues in the next milestone. But doing it right shouldn't take much more time and it makes sure I'm not updating the app for some users at the cost of some others.
I think best would be to create a new version 2.0 as a separate app. In 1.x you inform the users that there is a 2.x and that they need to turn off fingerprint and set a password. If someone starts 2.x and 1.x is installed, users must enter the password; if they don't know it they can switch to 1.x and set it, otherwise 1.x could be prompted for uninstall (if new bio features are set, the app just starts). If someone starts 1.x and 2.x is installed and configured, the app closes and starts 2.x.
2.0 app has to be a HUGE change... this maybe its small for most of users.
Maybe only the update for Pixel 4 users?
Why would there need to be a transition period/re-enrollment? If the user already has fingerprint unlock enabled in keepass2android, and the device is running Android 9+ then I can't think of any reason it wouldn't be acceptable to switch the API call for authentication from FingerprintManager to BiometricPrompt without notifying the user of the change. Unless I'm completely misunderstanding something it seems like fingerprint unlock would continue to function without interruption (i.e. needing to re-enroll fingerprint unlock / re-enter master password.)
The main problem will likely be supporting older devices running Android <9. That would require either a keepass2android version split for Android 9+ devices, or maintaining support for both FingerprintManager AND BiometricPrompt, accepting the increase in keepass2android app size/complexity.
Porting to androidx as part of using BiometricPrompt as my first contribution to the project seems a little too big of a task, especially since I haven't worked with Xamarin before.
For this discussion, did anyone even check whether switching from FingerprintManager to BiometricPrompt even invalidates the old authentication data? Maybe androidx just wraps it in a compatible fashion?
So I set up the build environment, but not having worked with Xamarin/Visual Studio for Android apps I was completely overwhelmed and did not find out how to add the androidx biometrics support library.
But looking at the source code of androidx.biometric, it looks like it just wraps the fingerprint CryptoObject: https://github.com/aosp-mirror/platform_frameworks_support/tree/androidx-master-dev/biometric/src/main/java/androidx/biometric
I'm trying to do that, but I don't have too much time this week and the next.
I don't want to crash this ticket but:
How does the biometric implementation work anyway?
My .kdbx is locked with a password that only I know and that is not written or stored anywhere else. Now I will unlock my .kdbx by using my facial scan. Will the data of my facial scan be like a second master password that gets added to my .kdbx? Or will Android "store" my master password somewhere and pass it on to the app once it verifies my facial scan? Or is there going to be a token that is associated with my facial scan, .kdbx database and hopefully my specific device so no one can steal the token and re-use it on their device?
Thanks! :)
This is now in beta (https://play.google.com/apps/testing/keepass2android.keepass2android), 1.08-pre2. @ all Pixel 4 users: please test and report whether face unlock works. I didn't have such a device for testing.
@Utini2000 The implementation is the same as with fingerprint: if you enable full unlock with biometric prompt, the app will store the encrypted master password in Android's secure storage (there is an info text about this in the app). It's up to the user to decide whether they want to accept this.
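The storage model described in the reply above, as an added example: this is not keepass2android's own code (the thread notes the project is built with Xamarin) but a Kotlin sketch against the Android Keystore and androidx.biometric APIs. The alias, the function names, the choice of AES-GCM and the assumption that the app saved `iv` and `stored` (the encrypted master password) at setup time are all illustrative.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

const val KEY_ALIAS = "example_master_pw_key" // hypothetical alias
// AES key generated inside the Android Keystore; every use needs a biometric auth.
fun createKey(): SecretKey =
    KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore").apply {
        init(KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setUserAuthenticationRequired(true)       // no auth, no key use
            .setInvalidatedByBiometricEnrollment(true) // API 24+: new enrollment kills the key
            .build())
    }.generateKey()

// Returns false when the caller must fall back to asking for the master password.
fun unlock(activity: FragmentActivity, iv: ByteArray, stored: ByteArray,
           onPassword: (ByteArray) -> Unit): Boolean {
    val key = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
        .getKey(KEY_ALIAS, null) as? SecretKey ?: return false
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    try {
        cipher.init(Cipher.DECRYPT_MODE, key, GCMParameterSpec(128, iv))
    } catch (e: KeyPermanentlyInvalidatedException) {
        return false // biometrics changed since setup: the stored ciphertext is unusable
    }
    val callback = object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
            // The cipher is only authorized after the system has verified the biometric.
            result.cryptoObject?.cipher?.let { onPassword(it.doFinal(stored)) }
        }
    }
    val info = BiometricPrompt.PromptInfo.Builder()
        .setTitle("Unlock database")
        .setNegativeButtonText("Use master password")
        .build()
    BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
        .authenticate(info, BiometricPrompt.CryptoObject(cipher))
    return true
}
```

The `false` return path is the case raised earlier in the thread: once the key is invalidated, only the master password can open the database again.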
Thanks!!! Tested here with Pixel 4 and works fine. One suggestion, the app states that fingerprint hardware is detected - this should be changed to biometric.
I can confirm that this works, thanks for all your hard work. Just the wording needs some fixing as mentioned by +psmedley.
Same result here on a Pixel XL. Works fine but wording is still fingerprint. I also had to switch to deactivated and enabled again to make it work.
thanks for the feedback! I am aware of the wording issue but decided to roll out asap and change the texts later.
Works for me as well (Px 4), though, when unlocking, I see the face unlock prompt appear a second time briefly after acknowledging the first one. It disappears on its own with a "Face operation cancelled" message. This doesn't happen for "quick unlock", only if the DB was "closed" fully.
@PhilippC Thanks for the beta and the quick explanation. Is there a place I could learn and ask about this Android secure storage? I am worried about what apps could extract data (my master password) from this secure storage and if it gets more risky with a rooted Android device. So far my master password has never been stored anywhere else than my head and my RAM. Now the Android secure storage of my P4 is going to be a new permanent storage.
Thank you for the implementation, it works ;-) Would it be possible to open direct after recognition without having to click confirm button?
@wombat01 which confirm button do you mean? On my devices with fingerprint sensor I don't have to confirm anything. Can you post a screenshot?
I'm pretty sure wombat01 talks about the "Confirm" button shown in Figure 2 here: https://developer.android.com/training/sign-in/biometric-auth#no-explicit-user-action
This page also mentions how you can disable it. Not entirely sure if that's desired here though - without the prompt, you'd automatically unlock just by opening the app and "showing" your face.
It looks like this. Sometimes I get prompted a 3rd time if I hit confirm fast enough on the 2nd prompt.
@Utini2000 see https://developer.android.com/training/articles/keystore
https://i.ibb.co/j3qqjDM/x-Screenshot-Nov-6-2019-8-23-38-PM.png
FWIW, considering I was the squeaky wheel kicking all this off into motion ;-) ... the FP works on my Samsung Galaxy S8, but I use IRIS as my default biometric on the phone, and FP on this app (since there is no other choice previously), and I would have expected that it would work too... Or is that part coming and just not enabled yet or something?
@daevidvincent I don't have a Samsung device with Iris scanner. Did you enable this? https://stackoverflow.com/questions/55145785/android-biometricprompt-shows-iris-scanner-on-samsung-running-android-pie
@PhilippC yes, that setting is currently (and has been) set. But what is also curious as per the initial post way up above about KeePassDX is that it "just worked" with my IRIS when I loaded their app. I tried them again just now to double check and sure enough it does the IRIS right from the jump (with FP as optional input too). I didn't have to do anything. So perhaps there is another setting in your code that needs to be investigated to respect that default biometric flag or something?
hmm, I don't see that they do anything special. The main difference I see is that they use an older version of androidx.biometric and use targetSdkVersion=28, whereas I use 29 (=Android 10). https://source.android.com/security/biometric says that in Android 9, only fingerprint is supported, but that seems weird if it works in another app...
I AM on Android 9 (pie).... so that could be the reason. Can you lower the value and we can see?
@daevidvincent please try https://www.dropbox.com/s/z2o2azc6pfilata/keepass2android.keepass2android-1.08-pre3-targetSdk28.apk?dl=0
thanks for all of your feedback! I am currently preparing 1.08-pre3 with
- no need to "confirm" authentication
- no longer showing biometric prompt immediately after authentication.
The texts are not updated yet.
1.08-pre3: Perfect, works great. Thank you.
unfortunately that didn't work (I mean, it installed, but it didn't prompt or do anything IRIS/facial, only FP still)
I'm not an android developer, but my quick googling around found this... https://www.xda-developers.com/iris-scanners-native-support-android-p/
that android.permission.USE_IRIS
seems interesting if you're not doing that already?
Great work Phil, everything is working great. A few beers coming your way. Everybody else on this thread, remember to do the same.
Pixel 4 XL working great here. For sure some beers coming. Thanks for such a quick update.
Can confirm: Pixel 4 XL is working. Beer is on the way - Prost!
Works like a charm on my Pixel 4XL. Many thanks and a beer is on its way!
@daevidvincent I think that according to https://issuetracker.google.com/issues/142150327 the difference between versions of androidx.biometric makes the difference. Google decided not to accept Iris as secure enough. That was changed since early betas of the library.
@PhilippC,
I'm using the offline version of keepass2android (blue icon) and it seems that even though I joined the beta program (link above), I'm not receiving a beta update of the offline version.
Like others, I want to use the face unlock feature on my Pixel 4.
Is there something specific I need to do for this version?
Thanks
Is there an estimated date for it to be published in the stable version?
Thank you very much.
Please use Unified biometric authentication dialog.
https://developer.android.com/about/versions/pie/android-9.0#biometric-auth