Fingerprint reader support [$65]

[userosos]

Hi! Can you add support Fingerprint? My laptop has fingerprint reader i want use it for unblock database.

---

IssueHunt Summary

### Backers (Total: $90.00) - [ kbarnawi](https://issuehunt.io/u/kbarnawi) ($5.00) - [ githubuser325](https://issuehunt.io/u/githubuser325) ($20.00) - $65.00 have been anonymously funded. #### [Become a backer now!](https://issuehunt.io/r/keepassxreboot/keepassxc/issues/3337) #### [Or submit a pull request to get the deposits!](https://issuehunt.io/r/keepassxreboot/keepassxc/issues/3337) ### Tips - Checkout the [Issuehunt explorer](https://issuehunt.io/r/keepassxreboot/keepassxc/) to discover more funded issues. - Need some help from other developers? [Add your repositories](https://issuehunt.io/r/new) on IssueHunt to raise funds.

[droidmonkey]

It is certainly possible but biometric sensors (especially on laptops) are notoriously terrible. They usually are meant to interoperate with proprietary software written by the laptop vendor and don't offer any functionality beyond that. Windows does have a robust biometrics interface, but that requires the hardware vendor to actually write a driver that works with it.

https://docs.microsoft.com/en-us/windows/desktop/secbiomet/creating-client-applications#manage-credentials

Over in Linux land your mileage can vary even further. MacOS has TouchID which we have already integrated.

[phoerious]

On Windows we can use Windows Hello.

[userosos]

@phoerious

On Windows we can use Windows Hello.

Can you make howto?

[droidmonkey]

Windows hello is the manifestation of the biometrics service. We don't support that right now.

[userosos]

Windows hello is the manifestation of the biometrics service. We don't support that right now.

Ok. i understand. Do you have an planned for support it?

[droidmonkey]

Not anytime soon

[goetzc]

On GNU/Linux this would be done around fprint which seems to be the thing.

More info: https://www.freedesktop.org/wiki/Software/fprint/ http://www.linux-pam.org/

[GitHubUser325]

Please add Support for Windows Hello soon! It's the only missing thing in your beautiful Software <3

[alensiljak]

Windows-specific support (Hello) is here - #2462.

[GitHubUser325]

"droidmonkey changed the title Fingerprint reader support Fingerprint reader support [$20]"

Since I'm not so common with github, what means the [$20]? I am ready to contribute sth, if you can implement the Windows Hello Support :)

[droidmonkey]

It means there is a bounty on this issue of $20. I was going to add a more substantial bounty to the windows hello and this issue.

[andreas512]

I was also interested in a fingerprint support for keepassxc. How can I contribute to the bounty, in order to push the topic a bit?

[goetzc]

@andreas512 this is the link:
https://issuehunt.io/r/keepassxreboot/keepassxc/issues/3337 (Don't use Bountysource, see below)

@droidmonkey is it possible to integrate BoutySource with GH so that it shows or updates here the current bounty status?

[droidmonkey]

I am not using bounty source anymore, their platform is broken and they are not investing in it.

[goetzc]

In fact I was getting 500 errors before, it looks like a bit abandoned.

What will happen with all the issue-specific donations?

[droidmonkey]

My assumption is they are intact until the site goes away forever. I am no longer sending money through them. We moved to https://issuehunt.io.

[goetzc]

Good to know, then the link for this issue is: https://issuehunt.io/r/keepassxreboot/keepassxc/issues/3337

[issuehunt-oss[bot]]

@goetzc has funded $55.00 to this issue.

---

• Submit pull request via IssueHunt to receive this reward.
• Want to contribute? Chip in to this issue via IssueHunt.
• Checkout the IssueHunt Issue Explorer to see more funded issues.
• Need help from developers? Add your repository on IssueHunt to raise funds.

[GitHubUser325]

Would the Contribution be only for the Fingerprint Function, or generally for Windows Hello? I ask, since I use an IR camera with Windows Hello, only Fingerprint Sensor would be of little use..

[goetzc]

@GitHubUser325 for Windows Hello the GitHub issue is https://github.com/keepassxreboot/keepassxc/issues/2462 and the IssueHunt bonuty is this.

[jduo]

@GitHubUser325 are you still working on this issue? I'd be interested in taking it on.

[andreas512]

@jduo: I don't get the impression from the discussion that GitHubUser325 is working on this issue! I think he is also seeking a solution... @goetzc: I understand that #2462 is dedicated to a fingerprint solution by Windows Hello - but it is not funded yet. But which solution is #3337 dedicated to? Would Windows Hello also be an option for this topic here? (already funded!)

I am looking for a solution under Win10 on a HP notebook, so Windows Hello would work fine for me - but I am open for other solutions as well. And I am willing to contribute to the funding. But which issue is the right one to fund?

[issuehunt-oss[bot]]

An anonymous user has funded $15.00 to this issue.

---

• Submit pull request via IssueHunt to receive this reward.
• Want to contribute? Chip in to this issue via IssueHunt.
• Checkout the IssueHunt Issue Explorer to see more funded issues.
• Need help from developers? Add your repository on IssueHunt to raise funds.

[StefanKrapf]

Hi I just contributed this topic with $15 to fill the gap to $70. Sadly the other topic is closed now (https://github.com/keepassxreboot/keepassxc/issues/2462), but maybe I have a little piece to a solution for a C++ Library: https://community.bitwarden.com/t/fingerprint-support-all-platforms-to-do-not-re-prompt-the-master-password-all-the-time/143/48 But I really don't know because I'm not a programmer! But hopefully it can help to fulfill the dream of the Windows Hello solution with fingerprint scanner. Thanks a lot for your work Stefan

PS: At the moment, this feature still prevents me from switching from KeePass to KeePassXC!

[issuehunt-oss[bot]]

An anonymous user has funded $10.00 to this issue.

---

• Submit pull request via IssueHunt to receive this reward.
• Want to contribute? Chip in to this issue via IssueHunt.
• Checkout the IssueHunt Issue Explorer to see more funded issues.
• Need help from developers? Add your repository on IssueHunt to raise funds.

[smlu]

@andreas512 have you found any solution for Windows Hello support or did you maybe do any work on it? Btw, I'm currently exploring how Windows Hello could be used to provide bio-metrics based securing of master key on Windows.

[phoerious]

Not yet, but we are in the process of migrating to the Windows toolchain, so that may open up opportunities to implement Hello.

[issuehunt-oss[bot]]

An anonymous user has funded $20.00 to this issue.

---

• Submit pull request via IssueHunt to receive this reward.
• Want to contribute? Chip in to this issue via IssueHunt.
• Checkout the IssueHunt Issue Explorer to see more funded issues.
• Need help from developers? Add your repository on IssueHunt to raise funds.

[issuehunt-oss[bot]]

An anonymous user has funded $20.00 to this issue.

---

• Submit pull request via IssueHunt to receive this reward.
• Want to contribute? Chip in to this issue via IssueHunt.
• Checkout the IssueHunt Issue Explorer to see more funded issues.
• Need help from developers? Add your repository on IssueHunt to raise funds.

[smlu]

@phoerious, I managed to get Window Hello working directly via Win32 API, using Cryptography API and Windows Credential API. In short, the persistent symmetric encryption key is generated and stored by Microsoft Passport storage provider, this key is used to encrypt KeePassXC master password. The encrypted key is then stored in windows credential manager. To decrypt encrypted key user must authenticate via Windows Hello and decrypted key is then passed back to the app.

I have the implementation almost ready, just need to handle few more things. But if desired, I can make PR now and push updates later before it's merged.

This is how it looks in action:

[droidmonkey]

Thats amazing. I don't like the UI but don't care because the backend work is what matters. We can clean up the interface later. You'll earn both bounties for this.

[goetzc]

@droidmonkey what about the Linux support? As there is a Windows-specific issue https://github.com/keepassxreboot/keepassxc/issues/2462 for it, with the IssueHunt https://issuehunt.io/r/keepassxreboot/keepassxc/issues/2462

My point is that I contributed to the bounties for Linux support, and have posted comments on this thread mentioning Linux, I'm personally not interested in Windows.

[droidmonkey]

Thank you for your contributions. I doubt greatly anyone is going to implement both Windows and Linux to gain this bounty. Linux is far harder since there is no guarantee of performance and no crypto store like what windows hello provides. There is no bounty on the windows hello issue, thus this bounty applies since this is the generic issue.

[phoerious]

@smlu That's great. Submit the PR and add your updates over time. That's always better than submitting the finished thing in one big (or bug) update, since we can have a look at it early.

As for @goetzc's concerns, I would suggest you build a generic API around it that also abstracts away macOS TouchID, which is already supported. We can then replace the -DWITH_XC_TOUCHID compile flag with a more generic -DWITH_XC_FINGERPRINT flag and contribute a libfprint implementation for Linux later. It's a freedesktop project that aims to support most readers on Linux and it looks actively maintained, so we can give it a shot.

[smlu]

@phoerious @droidmonkey I'll make PR and we can discus further details over Windows Hello implementation there.

As for bounty goes, I don't want it :). I've just recently discovered this awesome project and noticed that windows hello support is missing. I intended to write support for it no matter if there is a bounty or not. (I just wrote in this thread because #2462 is locked and I didn't want open new issue or preliminary make PR). Therefore, I donate any bounty to you guys!

[issuehunt-oss[bot]]

@goetzc has cancelled funding for this issue.(Cancelled amount: $55.00) See it on IssueHunt

[goetzc]

Created a Linux-specific ticket, to avoid any further confusion with the Windows ticket 😄

Might be worth adding both ticket links to the first comment on this same issue?

[ghost]

@phoerious, I managed to get Window Hello working directly via Win32 API, using Cryptography API and Windows Credential API. In short, the persistent symmetric encryption key is generated and stored by Microsoft Passport storage provider, this key is used to encrypt KeePassXC master password. The encrypted key is then stored in windows credential manager. To decrypt encrypted key user must authenticate via Windows Hello and decrypted key is then passed back to the app.

I have the implementation almost ready, just need to handle few more things. But if desired, I can make PR now and push updates later before it's merged.

This is how it looks in action:

Wow! Great! Can't wait for this to be available!

[smlu]

@Yoann166, if you're able to use Visual Studio and compile the code yourself, you can clone my win-dev branch and try it out.

[Plinsboorg]

Is someone working on it? Looks like there is some solution that needs to be checked. I'm also waiting for this feature.

[droidmonkey]

It's been worked, we have other things to work on first before this becomes a reality.

[issuehunt-oss[bot]]

@kbarnawi has funded $5.00 to this issue.

---

• Submit pull request via IssueHunt to receive this reward.
• Want to contribute? Chip in to this issue via IssueHunt.
• Checkout the IssueHunt Issue Explorer to see more funded issues.
• Need help from developers? Add your repository on IssueHunt to raise funds.

[issuehunt-oss[bot]]

@githubuser325 has funded $20.00 to this issue.

---

• Submit pull request via IssueHunt to receive this reward.
• Want to contribute? Chip in to this issue via IssueHunt.
• Checkout the IssueHunt Issue Explorer to see more funded issues.
• Need help from developers? Add your repository on IssueHunt to raise funds.

[QuAzI]

Any plans to release it?

[GitHubUser325]

Is there a new status info? I am so eagerly waiting for it :(

[michaelk83]

Is there a new status info?

1. MacOS TouchID is already suported.
2. Need to finish the Visual Studio build support (#5874). It was waiting on the Botan refactor, which is now merged. @smlu updated the PR in Apr, so it's awaiting review. done
3. After that, Windows Hello support (#6029) can be continued. replaced by #7384 .
4. Combining MacOS TouchID and Windows Hello code, a common interface needs to be implemented (may be part of #6029 #7384 ?)
5. Finally, Linux support via fprint (#5991) can be implemented on top of that common interface.

[michaelk83]

@smlu Could you maybe pull out the common interface to its own PR without the Visual Studio dependency? Then it can be merged more quickly, and someone on Linux can try tackling that side without waiting for Windows Hello.

[smlu]

The #6029 draft PR should probably work also with latest mingw that supports C++17 standard or newer. The suggested VS PR requirement is due to the fact the WindowsHello patch was built with VisualStudio (as probably every new KPXC Windows release should be :) and was not tested with other compilers.

There are still few things that should be considered before #6029 is merged:

• KPXC database migration procedure. When master key for the DB is stored in windows credentials (WindowsHello encrypts the master key and encrypted key is stored on the system via windows credential API), it's mapped under the absolute database file path. If user moves the DB file to another location the master key is preserved in the windows credential storage but the KPXC looses the knowledge of it. Windows credential storage API might help mitigate this problem, specifically CredEnumerate, but I haven't tested so I can't comment.
• Implement storing of master keys for 1Password vault and KeePass 1 DB
• Implement resting of WindowsHello storage for stored KPXC master keys from command line. When KPXC is uninstalled from the user's Windows machine all stored (encrypted) master keys should also be deleted from the windows credential storage. This could be achieved through uninstaller by calling reset command on KPXC or kpxc-cli.

• Common interface for system key storage (WindowsHello, Touch ID, Linux...). This could be pushed to another PR on top of #6029.

  Unfortunately, I was very busy these few months and I was not able to continue the work on PR #6029 but I'm planning to resume. I was also hoping for some sort of review or suggestion comments on #6029 before I continue the work.

[michaelk83]

What I'm suggesting is that the Linux side doesn't need the whole of #6029, which can still take a while. It only needs the common bits:

Common interface for system key storage (WindowsHello, Touch ID, Linux...).

Aka step 4 in my above TODO list.
If that can be extracted and merged separately, then the Linux side can progress in parallel (if someone picks it up).

This could be pushed to another PR on top of #6029.

The idea is to flip that around: pull that to its own PR without the dependencies, merge it, then have #6029 depend on that (+ on Visual Studio, as currently).

[smlu]

I agree, the common system key storage interface should probably be done in another PR and the rest built around it. Note though, the #6029 doesn't contain any such interface at the moment. The WindowHello related code is intertwined in preproc macros in the UI code base.

I'm also willing to make the PR for such interface (if nobody else will), but I'll need some more input from the community and maintainers before I begin.