Closed schmidicom closed 11 months ago
I attempted to recreate this scenario, but was unsuccessful. We have FP4 available, so I created an additional profile, and everything worked fine on it. We will continue investigating, but in the meantime, you may find workarounds from another user (with a similar logged error) helpful. These are summarised in the Workarounds section here: https://stackoverflow.com/questions/70881446/why-do-i-get-key-user-not-authenticated-after-removing-a-fingerprint-from-pixe. Additionally, you can try deleting and reinstalling the Passbolt app once again.
Looking at the logs:
Caused by:
0: In store_new_key.
1: In store_new_key. Failed to handle super encryption.
2: In handle_super_encryption_on_key_init. Failed to super encrypt with LskfBound key.
3: In super_encrypt. LSKF is not setup for the user.
The explanation seems to be here https://android.googlesource.com/platform/frameworks/base/+/master/keystore/java/android/security/KeyStoreException.java#56
Do you have a lock screen set up on your device (with strong protection) for the work profile? If not, can you set one and re-check?
Yes, the lockscreen is set up correctly/uniformly (see link below). And other apps (for example the “Microsoft Authenticator”) that are also installed in the work profile also have no problem using the fingerprint. https://drive.google.com/file/d/1iHE7x3Q-3oLpY2i5gyej-lV5j-xbswEV/view?usp=sharing
Is it possible that the admin has to enable the biometry usage per application? I am asking because the log explicitly says
3: In super_encrypt. LSKF is not setup for the user.
and according to Google security whitepaper
Lock Screen Knowledge Factor (LSKF): A human-memorable secret, such as a short PIN, a swipe pattern over a 3 x 3 dot grid, or a password. This secret is used to protect the ability to unlock the device locally, and is considered to be a primary (or "strong") authentication factor for the user's local device screen lock.
As for other apps - it may depend - there are various use cases for showing and using biometry. It can be used even without key creation and it can be used with weaker requirements. In our case, we use biometry to create a strong crypto key that is bound to the biometry and LSKF.
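To make concrete what a key "bound to the biometry and LSKF" involves, here is an added Kotlin example (illustrative code, not Passbolt's own) that runs the two pre-checks the keystore enforces anyway and then generates such a key, surfacing the keystore's numeric error code instead of a generic "Keystore key generation failed"; the function name, key alias and null-on-success convention are assumptions.

```kotlin
import android.app.KeyguardManager
import android.content.Context
import android.os.Build
import android.security.KeyStoreException
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager
import java.security.ProviderException
import javax.crypto.KeyGenerator

/**
 * Creates an AES-256/GCM key in AndroidKeyStore usable only after a
 * BIOMETRIC_STRONG authentication. Returns null on success, otherwise a short
 * reason separating "no LSKF" from "no strong biometrics" from a keystore-level
 * refusal. `context` must belong to the profile (work or personal) the app runs in.
 */
fun createBiometricBoundKey(context: Context, alias: String = "demo_biometric_key"): String? {
    // 1. LSKF: without a secure lock screen the keystore cannot super-encrypt
    //    an auth-bound key, which is what "LSKF is not setup" in the log means.
    val keyguard = context.getSystemService(Context.KEYGUARD_SERVICE) as KeyguardManager
    if (!keyguard.isDeviceSecure) return "no PIN, pattern or password set for this profile"
    // 2. A Class 3 (strong) biometric sensor with at least one enrollment.
    val status = BiometricManager.from(context)
        .canAuthenticate(BiometricManager.Authenticators.BIOMETRIC_STRONG)
    if (status != BiometricManager.BIOMETRIC_SUCCESS) return "strong biometrics unavailable (status $status)"
    // 3. Bind the key to the biometric: timeout 0 means every use needs a fresh
    //    authentication, and new biometric enrollments invalidate the key.
    val spec = KeyGenParameterSpec.Builder(alias, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setKeySize(256)
        .setUserAuthenticationRequired(true)
        .setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)
        .setInvalidatedByBiometricEnrollment(true)
        .build()
    return try {
        KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
            .apply { init(spec) }
            .generateKey()
        null
    } catch (e: ProviderException) {
        // AndroidKeyStore wraps its KeyStoreException in a ProviderException; on
        // API 33+ the numeric code and system-error flag are exposed for logging.
        val ks = e.cause as? KeyStoreException
        if (ks != null && Build.VERSION.SDK_INT >= 33)
            "keystore refused key generation: code=${ks.numericErrorCode} systemError=${ks.isSystemError}"
        else "keystore refused key generation: ${e.message}"
    }
}
```

Running this from inside the work profile versus the personal profile gives a per-profile answer to the LSKF question, since KeyguardManager.isDeviceSecure reports for the profile the calling app lives in.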
No. I am an admin for the work profiles managed via "Microsoft Intune" in our company and this setting is not set per app. We have set the minimum password/PIN requirement for the whole device to "Device Default". This "Device Default" is different for each device, but people can still set up a lock that exceeds this minimum.
I also tried a longer PIN and/or a strong password on my own device but it still doesn't work. And a separate lock screen for private and work profiles hasn't changed anything either. In addition, the “Passbolt” app cannot activate biometrics only within the work profile. If I install the app in the private area, the biometrics works. That says that it can't be the LSKF, otherwise it shouldn't work in both cases?
For now, it's hard to tell the cause, because the logs seem to say the opposite of what you describe about the lock screen. Additionally, you mentioned that on the private profile the app works fine on the same device and only on the work profile there is the issue - that may suggest that the work profile uses some different settings.
I'll try out more things and let you know as soon as I have something. But that can take a while...
Also from the screenshot translation, I see there is a setting for sth like "use the same lock for work and private profile". It would be great if you could test using two different lock screens (turning this on can lead to disabling of biometry on other installed apps - so best to use a test device).
As I wrote above, I already tried this and it still didn't work. Even removing and adding a new work profile didn't fix the error.
The only thing that helped was a complete reset to factory settings. I have no idea what that was and how something like that could happen.
When I try to activate the fingerprint in the Passbolt app settings, I get the error message "Keystore key generation failed". I use the app within a work profile (Google also calls this “Android Enterprise”) from my employer. If I use the app outside of the work profile, the fingerprint works. With other apps, the fingerprint also works within the work profile, which is why it cannot be an Android Enterprise error.
Here is a link to the debug log: https://drive.google.com/file/d/1YJnijMq7HOWtwac_6IJhlJxIJ4dNa7NT/view?usp=sharing