Quick unlock with apple watch not working #7695

Closed
Maiux92 opened this issue Mar 28, 2022 · 26 comments · Fixed by #8311


Maiux92 commented Mar 28, 2022

Overview

I am not able to use the quick unlock feature with an Apple Watch (support introduced in KeePassXC 2.7.0).
I am using a MacBook Pro (13-inch, 2020, Four Thunderbolt 3 ports, Intel version) with OSX Monterey 12.3 and an Apple Watch Series 7 with watchOS 8.5, both with the same Apple ID.

Note that I am able to log in to my Mac with the Apple Watch and to unlock other applications (e.g., Bitwarden).

Steps to Reproduce

  1. Wear your Apple Watch (make sure it is unlocked)
  2. Open a database using its password
  3. Lock the database
  4. Click "Unlock Database"

Expected Behavior

After clicking "Unlock Database", I should receive a prompt/notification on the Apple Watch to unlock the database.

Actual Behavior

  • With MacBook lid open: after clicking "Unlock Database", KeePassXC asks for Touch ID and no notification is shown on the Apple Watch.
  • With MacBook lid closed (I am using only an external monitor):
    • Database initially opened with its password when lid was open: after clicking "Unlock Database", KeePassXC shows an error stating "Failed to authenticate with touch id".
    • Database initially opened with its password when lid was closed: KeePassXC does not show the "Unlock Database" button and asks for the database password again.

Context

KeePassXC - Version 2.7.0
Revision: d7a9ef4

Qt 5.15.2
Debugging mode is disabled.

Operating system: macOS 12.3
CPU architecture: x86_64
Kernel: darwin 21.4.0

Enabled extensions:

  • Auto-Type
  • Browser Integration
  • SSH Agent
  • KeeShare
  • YubiKey
  • Quick Unlock

Cryptographic libraries:

  • Botan 2.19.1

Operating System: macOS

@Maiux92 Maiux92 added the bug label Mar 28, 2022
@chent11

chent11 commented Apr 9, 2022

Same on MacBook Pro 2019 16' Intel

@droidmonkey
Member

Need to test this one again

@droidmonkey
Member

droidmonkey commented Apr 9, 2022

Pretty sure we are missing kSecAccessControlOr

Our access control settings should be:

kSecAccessControlWatch | kSecAccessControlOr | kSecAccessControlBiometryCurrentSet

I think in its current setup you need to present BOTH the watch and biometric

@pinguinpfleger

I don't see this feature at all on my MacBook (Retina, 12-inch, 2017) macOS 12.4 (21F79).
I can unlock / log in with Apple Watch and it also works with the app Enpass, but with KeePassXC I don't even see this feature in the settings.

@yowidin
Contributor

yowidin commented Jul 5, 2022

> Pretty sure we are missing kSecAccessControlOr
>
> Our access control settings should be:
>
> kSecAccessControlWatch | kSecAccessControlOr | kSecAccessControlBiometryCurrentSet
>
> I think in its current setup you need to present BOTH the watch and biometric

Just tested it, adding kSecAccessControlOr fixes the issue.
Here is the full call:

        sacObject = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
                                                    kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
                                                    kSecAccessControlBiometryCurrentSet | kSecAccessControlOr | kSecAccessControlWatch,
                                                    &error);

@droidmonkey
Member

Will be made for 2.7.2 release

@droidmonkey droidmonkey added this to the v2.7.2 milestone Jul 5, 2022
@droidmonkey droidmonkey self-assigned this Jul 5, 2022
@droidmonkey
Member

Wait a sec, I am confused, we already have kSecAccessControlOr in the code since the original commit:

        sacObject = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
                                                    kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
                                                    kSecAccessControlOr | kSecAccessControlBiometryCurrentSet | kSecAccessControlWatch,
                                                    &error);

@yowidin
Contributor

yowidin commented Jul 24, 2022

You are right. I think the real culprit is this line here: this feature requires macOS 10.15, but the release script uses 10.13.

My initial test worked because I targeted my own OS version with 12.3. I just did a sanity check and tested two separate builds: one targeting 10.13 and one targeting 10.15. On 10.13 unlocking with an apple watch did not work, on 10.15 it did.

The download page also states (macOS 10.15+) so I think that the release tool should be fixed.

@droidmonkey
Member

droidmonkey commented Jul 24, 2022

That makes perfect sense

@phoerious see above

@phoerious
Member

Is there any way around this? People get angry every time we bump the release target, particularly within a patch release.

@droidmonkey
Member

droidmonkey commented Jul 24, 2022

I don't think there is in this case because the watch flag api is strongly guarded by a 10.15 minimum on apple's side.

@yowidin
Contributor

yowidin commented Jul 24, 2022

Just checked: removing the following compiler check allows targeting 10.13 and still have the functional watch unlock.

But I'm not that familiar with the macOS-specific build implications: I can only test it on a newer OS (12.3) and I don't know what will happen on an older system.

A cleaner solution would probably be to use something like try_compile to check whether the flags (or the whole module) are supported on a given system while generating the build system and then use an extra config definition at build time.
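The build-time probe suggested in the comment above, sketched as an added example (not KeePassXC's build code and not written by any participant in this thread). The `HAVE_TOUCHID_API` / `HAVE_WATCH_API` definitions and the `quickunlock` target are hypothetical names.

```cmake
# Added example: detect quick-unlock API support from the SDK headers
# instead of inferring it from the deployment target.
# Assumption: a target named "quickunlock" already exists (hypothetical).
include(CheckCXXSourceCompiles)
include(CMakePushCheckState)

if(APPLE)
    cmake_push_check_state(RESET)
    # The probes only need the Security framework headers and library.
    set(CMAKE_REQUIRED_LIBRARIES "-framework Security")

    # Does the SDK declare the biometric access-control flag?
    check_cxx_source_compiles("
        #include <Security/Security.h>
        int main() { return kSecAccessControlBiometryCurrentSet ? 0 : 1; }"
        HAVE_TOUCHID_API)

    # Does the SDK declare the watch access-control flag?
    check_cxx_source_compiles("
        #include <Security/Security.h>
        int main() { return kSecAccessControlWatch ? 0 : 1; }"
        HAVE_WATCH_API)

    cmake_pop_check_state()

    # Expose each result as a compile definition so the sources can
    # include or exclude the corresponding flag with #ifdef.
    foreach(feature TOUCHID WATCH)
        if(HAVE_${feature}_API)
            target_compile_definitions(quickunlock PRIVATE HAVE_${feature}_API=1)
        endif()
    endforeach()
endif()
```

A successful probe only shows that the SDK knows the symbol; when the deployment target is older than the API, the code that uses the flag still needs a runtime availability check before calling `SecAccessControlCreateWithFlags` with it.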

@droidmonkey
Member

That check was put in to appease the "build on every outdated macos possible" crowd. I'm all in favor of nuking it.

@yowidin
Contributor

yowidin commented Jul 24, 2022

Well, there is no need to nuke it right away :) It can be worked around with some CMake magic, which in turn can make the whole module a bit cleaner.

@droidmonkey
Member

Wouldn't mind a pr for that then

@yowidin
Contributor

yowidin commented Jul 27, 2022

I started working on the PR and found out that there is another problem with the current TouchID implementation.

Even after changing the MACOSX_DEPLOYMENT_TARGET value the current implementation still won't work on a device without a fingerprint sensor. After testing on another device it seems like adding the kSecAccessControlBiometryCurrentSet flag on a device without a fingerprint sensor will result in an error upon trying to add a keychain entry.

I could try to fix this issue by refactoring the whole TouchID implementation (adding some internal states, runtime checks and some other stuff), but this won't be the small PR we discussed earlier. I hope that's OK with you folks :)

@michaelk83

If you're going to refactor TouchID, keep in mind interface compatibility with the Windows Hello code. There were plans to abstract them to a common interface. (See #3337)

yowidin added a commit to yowidin/keepassxc that referenced this issue Jul 27, 2022
Should fix keepassxreboot#7695: TouchID and Apple Watch support is now detected both at compile time and runtime
droidmonkey pushed a commit that referenced this issue Sep 5, 2022
Fixes #7695 - Properly set compile flags based on availability of watch unlock in the API.
pull bot pushed a commit to annihilatorrrr/keepassxc that referenced this issue Sep 5, 2022
Fixes keepassxreboot#7695 - Properly set compile flags based on availability of watch unlock in the API.
pull bot pushed a commit to tigerwill90/keepassxc that referenced this issue Sep 5, 2022
Fixes keepassxreboot#7695 - Properly set compile flags based on availability of watch unlock in the API.
droidmonkey pushed a commit that referenced this issue Sep 11, 2022
Fixes #7695 - Properly set compile flags based on availability of watch unlock in the API.
droidmonkey pushed a commit that referenced this issue Sep 22, 2022
Fixes #7695 - Properly set compile flags based on availability of watch unlock in the API.
@ifnotak

ifnotak commented Nov 22, 2022

This works like a charm in 2.7.3 but not in 2.7.4, same problem as in issue description. Downgrading to 2.7.3 fixed it again. Diffing 2.7.4 against 2.7.3, only a small change in TouchID.h but I am not an expert to judge. Appreciate some input! Thanks.

@droidmonkey
Member

There is no reason it wouldn't work in both

@consvs

consvs commented Jan 24, 2024

I've seen the exact same behavior, described with the Apple Watch, on 2.7.6 with macOS 14.2.1. I've never unlocked the database using the watch before. Since 2 weeks I use external monitors only and the lid is closed. Therefore, I was suddenly prompted to unlock with the watch, but the watch doesn't show any prompt...

Is this really already fixed?

@droidmonkey
Member

Did you set up your watch to act as an authenticator for you?

https://support.apple.com/en-us/102442

@ifnotak

ifnotak commented Jan 24, 2024

> I've seen the exact same behavior, described with the Apple Watch, on 2.7.6 with macOS 14.2.1. I've never unlocked the database using the watch before. Since 2 weeks I use external monitors only and the lid is closed. Therefore, I was suddenly prompted to unlock with the watch, but the watch doesn't show any prompt...
>
> Is this really already fixed?

@consvs since I updated, this works again with no issues. I am using 2.7.6 at the moment.

On 2.7.3, and unlike @droidmonkey stated above, this unfortunately does not work. Not an issue anymore since this changed afterwards.

@consvs

consvs commented Jan 26, 2024

@ifnotak Unfortunately I can't trigger unlocking with the watch anymore. Does this only trigger if the lid is closed or can I force to support TouchID and watch at the same time? (like when I have to unlock the security settings in macOS and I can use either TouchID or the watch)

@consvs

consvs commented Jan 26, 2024

> Did you set up your watch to act as an authenticator for you?
>
> https://support.apple.com/en-us/102442

Yeah, I did that, and I have been using the watch for years to unlock my Mac.

@ifnotak

ifnotak commented Jan 29, 2024

@consvs the watch is triggered with any kind of authentication that triggers TouchID even if the lid is open. Only when it's closed and TouchID is disconnected, the watch is the only option. Does it not work only for KeePassXC or for all authentications with a TouchID?

@consvs

consvs commented Jan 30, 2024

This has never worked for me... The first time I discovered this functionality in KeePassXC was within the last two weeks, when I used the MacBook with the lid closed. I have been using the watch to unlock the OS and several functions for years, without problems. But KeePassXC never triggered the watch to unlock before, with any version.
Is there a specific setting that needs to be enabled for this to work properly? Of course quick unlock is enabled.
