Open DownrightNifty opened 3 years ago
Why don't you leave keepassxc running? Seems like an easy win and you get most of the features you want.
I just prefer to quit apps when I'm not using them, so they don't unnecessarily use up any memory or battery life. I imagine KeePass uses barely any resources while idle, but I'd still prefer not to have it open because I rarely even need to use it (since my browser cookies are usually sufficient to keep me signed in for quite a while) and because it gets in the way (e.g. it shows up in Cmd+Tab alongside the programs I'm actually using at the time, which is distracting).
You could enable the tray icon and minimize/close to tray. Just offering alternatives until this is implemented.
Please, make this feature possible. This feature will make the XC password manager much more convenient for everyday users like me.
I don't like it. Biometrics don't replace passwords, since they are easy to steal and impossible to change. A database encrypted on one device will also most likely not be transferable to another device, since the key stored in the system key chain is auto-generated and random.
This is more about storing quick unlock encrypted payload into the OS credential store. That way we can pull it out of the store on app load and support quick unlock immediately. I have a UI change in mind to support this per database while making the choice obvious to end users.
@droidmonkey Thank you for your reply. I was a little disappointed to not see this feature in the plan for the 2.8.0 release. Can we expect it anytime soon?
Strongbox has this feature, I really wish there was a way we could get it in XC.
Even if we had to compile a custom build? If the change is an easy one...
> Even if we had to compile a custom build? If the change is an easy one...
@drawingthesun see #6029. Unmaintained branch is still up at https://github.com/smlu/keepassxc/tree/feature/windows-hello. It will require some refactoring to get the latest stuff in, tho.
Hello everyone :) Has there been any recent progress on full unlock with Windows Hello? I haven't seen any recent commits. The lack of this feature is the only reason I haven't switched to KeePassXC yet. I know there might be some security risks. But by no means in every scenario: I would love to deploy KeePassXC in a small business. The employees need a passwordless workflow, as they somehow can't remember an 8+ character password - otherwise they stick the passwords next to the monitor, for example, which is terrible security-wise.
Anyway, thanks for the great effort you put into maintaining this application!
> The employees need a passwordless workflow
Then use YubiKeys or key files. Windows Hello is not a passwordless workflow and does not move with you between machines.
> Then use YubiKeys or key files. Windows Hello is not a passwordless workflow and does not move with you between machines.
Yubikeys are not so practical in our setup: we would still need a place to keep the Yubikey, and I doubt that would work for long. The key would get lost or misplaced very quickly.
Windows Hello, on the other hand, is - in our example - virtually passwordless, since we use fingerprint readers in combination with Windows Hello. These are very accurate and we almost never need a password or PIN to log in.
And since we have one user login for all users on these computers (and also plan to use one password database for all users), the Windows Hello approach might be the easiest way for employees since they are not as tech-savvy ;)
Egad, at least you are aiming to use KeePassXC 😆
I do plan to build support for always available Windows Hello, I will try to get that in as my next major PR.
> Egad, at least you are aiming to use KeePassXC 😆
Well, I love KeePassXC in every way - except for this feature, which I miss a little ;)
> I do plan to build support for always available Windows Hello, I will try to get that in as my next major PR.
Yay, thank you very much!
Thank you @droidmonkey I've also been waiting for this feature for half a year already. Is there any way to donate to you directly or to a bounty for this feature?
> Egad, at least you are aiming to use KeePassXC 😆
> I do plan to build support for always available Windows Hello, I will try to get that in as my next major PR.
Please, include this feature in macOS as well. Thank you!
So this feature is obviously postponed - what are the reasons? 🥺
I would love this feature too. I just installed KeePassXC and I was a little confused why I had to enter a password and fingerprint once I'd enabled biometrics. I'd previously used a plugin for KeePass that allowed full unlock with Windows Hello.
When will this be implemented or in which version will this be implemented?
Can someone tell me how to enable full fingerprint unlock?
It's not implemented yet. Please read the previous messages.
I'm sorry, but it's very hard for me to take the previous messages, since I use a translator. Perhaps there is at least an approximate date when this functionality will appear?
No.
It's a pity, maybe there is a working plugin from a third-party developer?
I'm trying to move away from Bitwarden but not having Touch ID (on Mac) for a cold login (as an option, mind you) is stopping the move for me. I close apps I do not currently use and I have a long, complex password, so Touch ID would be a huge help.
Too bad, I hope you'll work on it/reconsider, the software otherwise seems excellent!
Chiming in here to say that the lack of full unlock using Windows Hello and child database support is preventing me from switching to KeePassXC too.
Hello, is there any information when the full fingerprint unlock feature will be added? It's terribly inconvenient without it!
Per @phoerious they're not implementing it, perhaps because KeePassXC's development is Linux-centric. If you want that feature, use KeePass + the WinHelloUnlock plugin.
I've implemented it on a draft branch for Windows and macOS. We cannot (won't) implement full unlock with fingerprint for Linux because Linux does not have a hardware-backed key store solution. At least not a standard one.
https://github.com/keepassxreboot/keepassxc/compare/develop...feature/remember-quickunlock
I need to push my latest changes to this branch, but this is the start.
Thanks for getting around to this! Personally, I ended up migrating from Google Drive to Syncthing (end-to-end encrypted) for my password database, so I was able to shorten the password length. Now it's not so bad to type in every time. This will be handy for those with complicated passwords, though.
> I've implemented it on a draft branch for Windows and macOS
Thanks! Looking forward to seeing it in a release version :)
I downloaded the latest version, Release 2.7.7, which supports the Touch ID feature on macOS, but I still have to enter a password when I open it for the first time. Is there a way to solve this problem so that I can use Touch ID when I open it for the first time?
> I downloaded the latest version, Release 2.7.7, which supports the Touch ID feature on macOS, but I still have to enter a password when I open it for the first time. Is there a way to solve this problem so that I can use Touch ID when I open it for the first time?
Hi. This feature is implemented in the following branch: https://github.com/keepassxreboot/keepassxc/tree/feature/remember-quickunlock
It is still not merged to the main. So it's OK that you don't see it in the latest release.
I tried to build the mentioned branch from sources but it didn't work for me, as you can see in this discussion: https://github.com/keepassxreboot/keepassxc/discussions/9290
So we need to wait until this branch is merged.
Any news about this? The branch has not been updated for a while. Hoped to see that in 2.8.0...
It'll be resurrected for 2.8.0. I developed it and personally want it as a feature.
> It'll be resurrected for 2.8.0. I developed it and personally want it as a feature.
Using the 2.8.0-snapshot. It still prompts for Master Password after reboot.
Just adding my voice to the pile: I'm also using Bitwarden but would like to switch. Because I have quite a bad case of RSI, I want to keep keystrokes to a minimum. I can live with the slight degradation in security if I can unlock my database with my fingerprint instead of a password on cold boot.
I will check this thread once in a while to see when it has been pushed to main.
Summary
Currently, you can enable fingerprint (Touch ID on macOS) for quick unlock. I'm proposing an optional setting that allows unlocking the entire database with just your fingerprint. This obviously decreases security, so the user should be warned and discouraged from enabling this. It would be helpful to provide the user with information on exactly how much enabling this feature will decrease their security and what new risks they are exposed to (e.g. perhaps it's easier for a laptop thief to access their database).
Context
Some users should not enable this feature. For example, if you use KeePassXC on an OS without an encrypted filesystem or secure secret storage service (e.g. Keychain on macOS), you might be opening yourself up to certain attacks. But I use an up-to-date version of macOS with FileVault disk encryption enabled, so I'm not personally concerned about this.
macOS' Keychain is designed to store extremely sensitive data in a secure manner. Safari saves passwords directly in the Keychain database, for example. Chrome saves the encryption key for saved passwords in Keychain.
Ironically, I think in my case, the lack of this feature actually decreases my security. I end up relying on my browser's password manager for frequently used passwords because I don't want to go through the trouble of typing out my long database password every time I need them. I don't ever keep KeePass running in the background (I always just quit the app after accessing the one password I need at a time), so the quick unlock feature is completely useless to me. I've even considered shortening my database password because entering it is so annoying. But I sync my database to Google Drive, so I don't want to decrease the strength of the encryption by decreasing my password length.
I use KeePass2Android on my phone and it has support both for fingerprint quick unlock and full unlock. I would love to see the same feature implemented in KeePassXC!