Improve support for Macbook Pro TouchID

[k6nmx]

To further improve the utilization of TouchID on Macbook Pro and make the unlock feature more intuitive to use (see comments in #2720 for pull request #1851), I would like to implement the following changes:

• Make enabling TouchID a global setting (not per database)
• Add an indication that TouchID is available to unlock (colored icon) on the unlock screen / greyed out when it is not. When it is disabled in the settings no icon is shown.
• Unlock with TouchID is triggered when it is activated/available and ...
  • ... User clicks on the colored icon
  • ... User tries to unlock database without entering a password
  • ... Window is being brought to the foreground by the user
  • ... Tab is being changed / brought to foreground (multi database usage)
  • I would suggest making the last two scenarios an optional setting
• TouchID is automatically deactivated on 3 consecutively failed tries (until user enters the password correctly again)
• Raising the maximum time-out of TouchID (currently the maximum value is 999 minutes)

Further additions (edited):

• Hints and dialog that guide the user through the process of activating and using TouchID for Keepass
• Enable TouchID persistently across restarts of the application

How do you guys feel about this?

[marco-brandizi]

I took a while to understand that I have to both tickbox the touchID option AND click on OK without typing any password. I don't get if this enhancement issue is taking this into account, to me the procedure should be clearer, eg, just start polling the TouchID sensor and unlock when it sends back a positive fingerprint recognition. Alternatively, place a button like "Unlock with TouchID now".

[k6nmx]

Yes exactly, I totally agree with you! I suggested to get rid of the checkbox (just one global setting for disabling TouchID altogether in the settings menu). Also adding a button / clickable biometric icon for unlocking with TouchID manually.

Unfortunately, it is not possible (to my knowledge) on macOS to poll the fingerprint sensor in the background - it has to be triggered, which then brings this system popup to the foreground. Therefore, I made the suggestion to automatically do this when the application is being brought to the foreground (btw. that is also how 1pw does it).

[hhrutter]

This does not work for me on 2.4.0 and MacOS 10.14.4. I get Unable to open the database when I check TouchId for quick unlock and leave the password field blank.

How is that checkbox supposed to work?

[k6nmx]

@hhrutter This is just the thread for the upcoming improvements - non of these are implemented yet (I am currently working on it, though).

As for your problem, you have to have both Password and TouchID checked when unlocking with your password for the first time in order to activate TouchID. For subsequent unlock attempts you can then leave the password field empty, press ok which will then ask for your fingerprint to unlock the database.

[hhrutter]

When are you supposed to get an Unlock button? When I start KeePassXC I have to provide my keyfile and password and check TouchId for quick unlock?

Ok. I am in.

This feature is only for unlocking after the db locks due to timeout or manual lock? Even if I get this to work - which I don't because I don't get an Unlock button/option just the initial login form where I have to provide all my credentials - can't we have this checkbox for acrivation TouchId for any future login when starting up KeepassXC?

KeepassXC rocks but this is frustrating I have to admit.

[droidmonkey]

@hhrutter sorry for all the ux issues with this. Unfortunately the lead devs do not have a mac with touchid hardware so we could not fully test this feature. Luckily mxk6n is planning to upgrade it.

[natemo4873]

This thread helped me understand how to use it. its a shame i cant use touch id until after an initial master password entry. but its still handy though. thanks for all the hard work. Love your guys password manager app!

[k6nmx]

Sorry for the confusion about this... I will definitely add some explanations / dialogs to guide through the process of activating and using TouchID together with the improvements mentioned above.

In order to activate TouchID we will always need the initial entry of the master password. However, right now this is true for every restart of the application (as the encrypted secret is kept in memory which is cleared when closing Keepass). You raise a good point, I will try to facilitate the Secure Enclave to perform the decryption of a persistent encrypted secret which will then survive the restart of the application :) I added it as a bullet in my initial comment.

[aserrallerios]

In 2.4.1 and I still cannot see the Unlock button when I log in and then lock the DB.

There's something I could be missing?

[k6nmx]

Just press ok, that's what i meant with unlock ;)

[hhrutter]

Hooray!!! Managed to unlock via TouchId for the very first time.

I would suggest having a Unlock via TouchId or Let me in button. Having to say OK is not intuitive in this situation.

On Mon, Apr 15, 2019, 11:53 Max notifications@github.com wrote:

Just press ok, that's what i meant with unlock ;)

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/keepassxreboot/keepassxc/issues/2865#issuecomment-483186274, or mute the thread https://github.com/notifications/unsubscribe-auth/AKzDK87oqolQ41fkoijJApzx3M64fC74ks5vhEwKgaJpZM4cFsDT .

[mkozjak]

Hi! This is not a rant. Just a honest feeling about this feature. I literally used it zero times so far, even though I wanted to use it. I suppose my laptop use case doesn't apply to this feature. I open and close the lid multiple times a day with keepass ending up locked, which is nice. But I never got into a situation where I'd be able to use Touch ID without my master password. tldr; Not sure if it makes sense, but for me it'd be cool to have Touch ID without the password over a big period of time, eg. a few days. Similar to something LG does with their fingerprint sensor on the back. They demand a password retype every 48 hours. But between those, you can just use your fingerprint. Since I open the app at least 5 times a day, maybe that would make sense?..

[sinistersnare]

Hi, I see a lot of negativity and I just want to say that I love this feature. It is so nice to have this 'quick unlock' like feature available that is still secure (at least secure enough).

Thanks for implementing it! Although understanding exactly how it works at first was a bit difficult (so work can still be done), I think its awesome.

[johnrichardrinehart]

Alternatively, place a button like "Unlock with TouchID now".

Yes.

@mxk6n What is the progress on improving the UI at login? I like the idea of a single button to trigger Touch ID authentication. I didn't know that I had to click OK and check the box until I saw @marco-brandizi's comment.

[tomhundt]

I'm okay with having to click a button to trigger TouchID. Especially if that button has a keyboard shortcut!
Which, at the moment, seems to be Cmd+Enter 😄

[Agentscreech]

I'm having trouble getting the touch id to work for this. Here's the workflow

• Launch app
• select database
• enter password while having the TouchID for Quick Unlock box checked
• hit enter
• Log in will be successful
• manually click lock database
• back at the unlock screen, I click the TouchID for Quick Unlock button
• click ok

Expected: TouchID prompt of some kind

Observed: "Unlocking the database failed and you did not enter a password"

What am I missing?

[johnrichardrinehart]

@Agentscreech Can you confirm your KeepassXC and OS versions? I'll try to reproduce.

[Agentscreech]

Thanks for the reply. KeePassXC v2.5.1 on macOS 10.14.6

[johnrichardrinehart]

@Agentscreech I am on macOS 10.15.1 (Catalina) and the same version of KeePassXC.

Following your steps above does result in successful authentication via TouchID. So, I'm unable to reproduce your issue.

However, I don't recommend you update to Catalina to support this feature. There is likely (read: hopefully) another cause for the discrepancy.

[Agentscreech]

Thanks. Is there something I can reference about where I should be looking for more troubleshooting? I feel like I followed the build instructions correctly. FYI, touchID wasn't setup (new computer) when I built it.

[johnrichardrinehart]

Did you build from source or install from disk image? In the case of the former, I'd recommend trying to install from the provided disk image.

[Agentscreech]

That was it. Must of borked something when I tried to build it. I was looking for the pre-built image, but missed it somehow. Thanks for the link!

[taelerwatkins-tcn]

I'm not seeing any TouchID UI on 2.5.2. It says it's enabled in the debug information, but there doesn't seem to be a way to activate it. Did something change? Just using the regular build. Didn't do anything funky on my end.

KeePassXC - Version 2.5.2
Revision: 62cda9d

Qt 5.14.0
Debugging mode is disabled.

Operating system: macOS 10.15
CPU architecture: x86_64
Kernel: darwin 19.0.0

Enabled extensions:
- Auto-Type
- Browser Integration
- SSH Agent
- KeeShare (signed and unsigned sharing)
- YubiKey
- TouchID

Cryptographic libraries:
 libgcrypt 1.8.5

[johnrichardrinehart]

@taelerwatkins-tcn Do you see the checkbox circled in yellow? That's the UI element which enables/disables TouchID for KeePassXC.

[droidmonkey]

@johnrichardrinehart you need to update your KeePassXC!

[johnrichardrinehart]

@droidmonkey Thank you! I was on 2.4.x.

@taelerwatkins-tcn You should instead see a similar UI element as follows in 2.5.2

[taelerwatkins-tcn]

@johnrichardrinehart Nada. This is a completely new install on a new machine that was just set up yesterday. Been unlocking manually a ton now and discovered this mac has TouchID and eventually landed here when I wasn't able to use it for KeePassXC.

[johnrichardrinehart]

@taelerwatkins-tcn Can you confirm the version of KeePassXC?

[taelerwatkins-tcn]

@johnrichardrinehart

Oh heck... I decided to force close and open the app again and now it shows up 🤦‍♂ . "Have you tried turning it off and on again"? Sorry for the fuss, I'll trip on my shoelaces on my way out...

[foufoulefou]

Hello,

I have the same problem with a touch ID who doesn't work. And as it say here I've check the touch ID box before entering my password.

I have a macbook pro 16" and here's my config in keepassXC :

KeePassXC - Version 2.5.2 Revision: 62cda9d

Qt 5.14.0 Debugging mode is disabled.

Operating system: macOS 10.15 CPU architecture: x86_64 Kernel: darwin 19.2.0

Enabled extensions:

• Auto-Type
• Browser Integration
• SSH Agent
• KeeShare (signed and unsigned sharing)
• YubiKey
• TouchID

Cryptographic libraries: libgcrypt 1.8.5

If you have a clue don't hesitate, I double check every step said here and it won't work. Thanks

[johnrichardrinehart]

@foufoulefou Did you compile from source? Try installing an official release and see what happens.

[taelerwatkins-tcn]

@foufoulefou just double checking, but here's the basic steps.

1: Set up TouchID for the machine (if you've only just done this while KP is open, close and reopen. that was my problem.) 2: Open database and unlock normally with the TouchID checkbox checked. 3: Lock database. 4: From lock screen, leave password blank and click OK while TouchID checkbox is checked. TouchID should show a dialog that KeePassXC is requesting TouchID authentication. 5: Touch to unlock.

NOTE the standard settings make you authenticate normally if the screen locks. There is also a setting you can enable to have a configurable timeout, after which you are required to authenticate normally.

EDIT: Also, 2.5.3 is out now.

[foufoulefou]

@johnrichardrinehart yes I have tried with an official release, and even with the one you give., but the answer was that I didn't inderstood a thing.

Thing that @taelerwatkins-tcn said help me understand, when I try to use touch ID, I never try to click OK to make the touch ID box appear. Now that I did it, everything is going well. So thank you to you both, now it work well :)

[taelerwatkins-tcn]

@foufoulefou Glad to help.

I feel that the UI doesn't self-document how it's meant to be used. I'm not a UI person, so I don't have any real suggestions for making it more understandable.

[leviem1]

@mxk6n Maybe add a button that says "Unlock with TouchID" instead of the checkbox? That way it's more of an active choice than a passive option.

[taelerwatkins-tcn]

@leviem1 That would make more sense. Then when initializing it or after it times out etc, it would just function as it does now in showing the message you need to relogin and act as a login button that, when used with regular authentication, would activate it for TouchID until timeout again.

Basically, a specific secondary login button vs a checkbox that either uses TouchID if already active, or activates it upon logging in using that button.

The main issue is that there needs to be an action to ask for TouchID. It can't just wait for a fingerprint like it does on Android, which thinking now is convenient, but I'm wondering if the sensor for Android shouldn't have the same sort of restrictions placed on it by the OS. But that is irrelevant for this discussion.

[johnrichardrinehart]

The main issue is that there needs to be an action to ask for TouchID. It can't just wait for a fingerprint like it does on Android

Hmm, maybe I'm missing something, but the only time that KeePassXC needs to "ask for TouchID" is when both: 1) TouchID has timed out and 2) the user has pressed the "Unlock with TouchID" button. Then, it seems like KeePassXC can raise a prompt similar to the below (sorry for the pixelation... too lazy to fix).

[taelerwatkins-tcn]

@johnrichardrinehart Either I misspoke, or you misread. My apologies. Let me clarify. My meaning was that the Android app does not have this sort of weird UI issue because if the app is open at the unlock screen, it's automatically waiting for a fingeprint, so there doesn't need to be any UI to click or any confusion like that. macos enforces that you cannot poll for the fingerprint sensor without a deliberate user action (which opens the dialog you reference), which is why you have to click "OK" in order to get the prompt, as opposed to just being able to touch the sensor.

That is all I meant. Was just drawing the parallel between platforms, and elaborating as to why the TouchID UI isn't quite so straightforward because it does require a deliberate click of some sort of button to activate.

Also, sorry to drag the issue down a tangent.

[johnrichardrinehart]

@taelerwatkins-tcn That's perfectly clear. Thank you.

I think allowing TouchID only after first log-in using password (and/or key file) is good security policy. This policy bridges the design gap between needing to type a (potentially very long) password many times and allowing anyone with a facsimile of the user's fingerprint access to the machine.

For instance, macOS allows for a logged out user to log in from shutdown only by using the password. On re-log-in (without system reset) the user is eligible to use TouchID to authenticate. I think this is fine.

[leviem1]

@johnrichardrinehart @taelerwatkins-tcn Agreed, I think the general flow is familiar enough to be intuitive, there just needs to be better visual elements. I think it would be simple enough to have a button that is specifically for TouchID that only appears when using TouchID is available (i.e. after the initial login with a password). That way users have a clear distinction of when and how to use it.

[gregfenton]

I am new to Mac (new MBP) ; been using Keepass on Windows and Android for years.

KeePassDroid on my Samsung Galaxy allows me to open the .kdbx file with only my fingerprint. To set it up, you enter your password on the Open screen and instead of pressing OK you put your finger on the fingerprint reader. If the password is correct, the file opens and it gets securely stored against your fingerprint. Subsequent opening of that same .kdbx can be done with just your fingerprint - no need to enter the password ever again.

I'd like to see similar in KeepassXC on the MBP. Happy to help out where I can. I have dabbled a bit in XCode development for an iPad app, so willing to try things out if someone is willing to direct me

Two things I'd like to see in KeepassXC regarding TouchID:

1. TouchID unlock that once setup "works forever" (or until the config gets wiped from the keystore)
2. Update the KeepassXC documentation to reflect the TouchID functionality (I don't see it listed in the github overview, nor the docs/FAQ on https://keepassxc.org/

[tbleich]

Touch ID unlock also not working on my 16" MBP (Catalina 10.15.3). I do not get prompted for TouchID when the checkbox "TouchID for quick unlock" is checked and the database was unlocked by password before.

Maybe its a pattern, 16" MBP?

My config:

KeePassXC - Version 2.5.3
Revision: f8c962b

Qt 5.14.0
Diagnosemodus ist deaktiviert.

Betriebssystem: macOS 10.15
CPU-Architektur: x86_64
Kernel: darwin 19.3.0

Aktivierte Erweiterungen:
- Auto-Type
- Browser-Integration
- SSH-Agent
- KeeShare (bestätigtes und unbestätigtes Teilen)
- YubiKey
- TouchID

Kryptographische Bibliotheken:
 libgcrypt 1.8.5

[RayfenWindspear]

Touch ID unlock also not working on my 16" MBP (Catalina 10.15.3). I do not get prompted for TouchID when the checkbox "TouchID for quick unlock" is checked and the database was unlocked by password before.

@ tbleich Did you change any of the TouchID settings in KeePass? The defaults are for it to require password anytime your screen locks, and there is a setting disabled by default where you can set a timeout which will require password again after x minutes.

I suspect the issue getting you is the screen lock setting. Unlock, and in settings you can disable that functionality if desired. With both disabled, the only time you should need to use password is if you close the application.

Oh, that's the other thing. TouchID only stays active if you DO NOT close KeePassXC. If you quit, you will need password again.

[gregfenton]

@ tbleich Did you change any of the TouchID settings in KeePass? The defaults are for it to require password anytime your screen locks, and there is a setting disabled by default where you can set a timeout which will require password again after x minutes.

KeePassXC >> Preferences... >> Security >> (uncheck) Forget TouchID when session is locked or lid is closed

Thanks for pointing this out! I have now unchecked the above setting and the touch ID works for unlocking for me! I locked the database (clicked the Lock icon in the toolbar), then clicked the OK button on the Unlock KeePassXC Database screen and I was prompted for my TouchID.

As my entry above suggests: a bit of updating of documentation could go a long way here. I'll submit a push request shortly.

[RayfenWindspear]

I concur. It's a little confusing how it works and why it isn't working when you think it should. It's a UI and/or documentation disconnect with the user's perception of its functionality.

[tbleich]

@RayfenWindspear I did not close KeePassXC when not using it and I followed the instructions of how to use TouchID. I am not sure whether I changed some settings and will check the recommendation of @gregfenton to make it work.

Unfortunately a colleague spilled a bottle of water over my laptop, the repair takes about three weeks and until then I am on a TouchID-less Macbook...

[droidmonkey]

I hope they at least bought you lunch!

[tbleich]

@gregfenton @RayfenWindspear Thanks for the hint, I had the box checked. Unchecked it, works like a charm now!

KeePassXC >> Preferences... >> Security >> (uncheck) Forget TouchID when session is locked or lid is closed

Yes, I got lunch :) In case you are wondering, the price for a new 16" MBP display is around 600€ net, excluding labor ...

[foufoulefou]

Hello,

Since I updated my os to mac os 10.15.4, my keepass version didn't launch, so I had to re-install it. After that, keepass ( version 2.5.3 ) launched again correctly but it's touch ID which is not working now.

To resume what happened, here is every step

• launch keepaas
• check the box "unlock with touch ID"
• entering my password by typing it, then press enter
• locking my session again by clicking on the lock

And the problem appears here, the "unlock with touch ID" is uncheck at this point whereas I uncheck the box "forget touch ID when session is lock" in the preferences -> security option.

Despite this, I try to unlock with touch ID, so I checked the box first, then I pressed enter and this window appeared. I tried to go in "DatabaseSettings/Security" as said in the window, but I couldn't find an option to reset my password.

If you have any ideas about this problem, let me know. Thanks

[droidmonkey]

We know. This was the trade-off required to get an emergency patch out there to keep the application running.