Bypass biometrics by killing the window #9533

Closed
xpusostomos opened this issue Jun 6, 2023 · 8 comments
Comments

@xpusostomos

Overview

When you start keepassxc on Windows it asks for your passkey, and then it asks for your biometrics (aka fingerprint).

I'm not quite sure why it needs biometrics if you know the passkey, but be that as it may, if instead of entering your fingerprint you just kill that window by pressing the "X" in the top corner, you go into keepassxc normally.

Steps to Reproduce

  1. Freshly start keepassxc on Windows that has biometrics.
  2. Enter the password.
  3. When Windows prompts for your fingerprint, kill that window by clicking the "X".

Expected Behavior

If it's going to ask for your biometrics, then presumably it shouldn't allow you to bypass it.

Actual Behavior

You get into keepassxc with no biometrics.

KeePassXC - Version 2.7.5
Revision: 9d0537b

Qt 5.15.9
Debugging mode is disabled.

Operating system: Windows 11 Version 2009
CPU architecture: x86_64
Kernel: winnt 10.0.22621

Enabled extensions:

  • Auto-Type
  • Browser Integration
  • SSH Agent
  • KeeShare
  • YubiKey
  • Quick Unlock

Cryptographic libraries:

  • Botan 2.19.3
@xpusostomos xpusostomos added the bug label Jun 6, 2023
@xpusostomos xpusostomos changed the title Bypass biometricis by killing the window Bypass biometrics by killing the window Jun 6, 2023
@droidmonkey
Member

@xpusostomos
Author

@droidmonkey If that link you added has any relevance to what I reported, it's certainly not clear to me. OK, it says "I may be asked" to "access the hardware certificate store that encrypts your credentials."... ok, well I didn't enter it, I bypassed it. Now what?

@droidmonkey
Member

You just canceled using quick unlock....

@xpusostomos
Author

@droidmonkey it wasn't quick unlock because I just entered my password. If you're saying I disabled future quick unlock, shouldn't there be a user message, "future quick unlock won't be available. Re-enable by selecting blah blah menu option"? (Is there an option?)

@droidmonkey
Member

Canceling the Windows Hello prompt just doesn't enable quick unlock for the session. The next time you go to unlock the database you'll be asked for Windows Hello again.

@xpusostomos
Author

I see this has been reported before #8897 because it's completely brain dead and unintuitive.

There are a few issues at play here which at a bare minimum need explaining to everybody... and possibly changing, but at least explaining...

  1. If credentials are stored in a "hardware certificate store", why do I need to enter the passcode when I open the app? If I kill Keepass2Android on an Android device, then restart it, I don't have to enter my passcode again.
  2. Why does it need to access the hardware certificate store on opening the app, since you just entered your passcode? Passcode is enough to decrypt the database, so why not wait till it's locked, and the user wants to get back in, before accessing the hardware store?
  3. If the answer to the above is because the hardware store does not survive a restart of the app, what use is it? Why doesn't the app just keep what it needs in memory?
  4. Clearly users don't understand what is going on, so if for some crazy reason all of the above actually makes sense, why not tell the user via some kind of message that their refusal to enter credentials has disabled quick unlock, instead of silently looking like you bypassed security? I don't know if the Windows dialog can be customised, but if not, a message could be shown on the password screen saying "You are now being asked for biometrics for quick unlock. If you do not provide it, quick unlock will be disabled".

@droidmonkey
Member

droidmonkey commented Jun 6, 2023

Thanks we'll consider your feedback

@michaelk83

> I see this has been reported before

This is one of the most reported issues on this board:

This issue, Jun 6
#9460 May 21
#9405 May 8
#9292 Apr 4
#9012 Jan 19
#8897 Dec 17 (2022)
#8883 Dec 11
#8862 Dec 4
#8562 Oct 10
#8422 Aug 29
#8365 Aug 14
#8344 Aug 9
#8150 Jun 14
#8141 Jun 12
#7886 Apr 13
#7841 Apr 9
(Windows Hello support was introduced on Mar 22, 2022)

This is all from just a single search term, is:issue cancel. It may have missed a few.

I agree this is very confusing to users. I've said before that this should either be opt-in, or at the very least triggered by an explicit user action to enable QuickUnlock, such as clicking a clearly labeled button or checking an "Enable QuickUnlock" checkbox. Just filling in your credentials is not explicit enough.

The user guide should also be clarified. At least this:

> On Windows you will be prompted to authenticate to Windows Hello on the initial database unlock. This is required to access the hardware certificate store that encrypts your credentials.

Should read: "... This is required to store your credentials in a secure hardware store. Canceling this operation will simply not enable Quick Unlock."

The guide should also mention the relevant setting: "To disable Quick Unlock, go to ... and uncheck ..."

@xpusostomos , to answer your questions to the best of my understanding:

  1. You need to enter the passcode as long as Quick Unlock is not activated. That first WinHello prompt is in order to store the credentials in the hardware store, which would then allow Quick Unlock to use them from that point on. The credentials are not stored in the hardware store until that point, and they're not stored if you click cancel on that prompt.
  2. The first prompt is in order to store your credentials in the hardware store for later use.
  3. It does not currently survive a restart (I think that's covered by Optional FULL unlock using fingerprint #7020), however, you can still use Quick Unlock if you lock and unlock your database multiple times while the app is running. The recommended usage is to not keep it unlocked longer than necessary. Storing the credentials in memory is not secure.
  4. I think the Windows Hello form cannot be customized. As I said, it should ideally be triggered by an explicit user action (such that it's clear to the user that they'll be triggering Quick Unlock) and the documentation should be clarified. Providing an additional explanation within the app is also not a bad idea, IMO.
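
To make the behaviour discussed in this thread concrete (the password alone opens the database; the first Hello prompt only gates sealing credentials for later Quick Unlock; closing the prompt stores nothing, so the password is required and the prompt returns next time), here is a small Python model. It is an added illustration, not KeePassXC's own code: HelloSigner, QuickUnlockSession, Database and the toy XOR sealing are assumptions standing in for the real Windows Hello key and cipher.

```python
import hashlib
import hmac
import os


def _seal(key, data):
    # Toy XOR stream cipher (stand-in for a real authenticated cipher, NOT secure); same call decrypts.
    stream = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


class HelloSigner:
    # Stand-in for the hardware-backed Windows Hello key; the secret never leaves it.
    def __init__(self):
        self._secret = os.urandom(32)

    def sign(self, challenge, consent):
        # consent() models the Hello prompt: True = authenticated, False = closed/cancelled.
        return hmac.new(self._secret, challenge, hashlib.sha256).digest() if consent() else None


class QuickUnlockSession:
    # Process-local store of sealed credentials per database path; gone when the app exits.
    def __init__(self, signer):
        self._signer, self._store = signer, {}

    def enroll(self, db_path, credentials, consent):
        challenge = os.urandom(16)
        key = self._signer.sign(challenge, consent)
        if key is None:                      # Cancel: nothing is stored at all
            return False
        self._store[db_path] = (challenge, _seal(key, credentials))
        return True

    def quick_unlock(self, db_path, consent):
        if db_path not in self._store:       # never enrolled: no Hello prompt, no quick unlock
            return None
        challenge, sealed = self._store[db_path]
        key = self._signer.sign(challenge, consent)   # Hello prompts again to re-derive the key
        return None if key is None else _seal(key, sealed)


class Database:
    def __init__(self, path, password):
        self.path, self._pw_hash = path, hashlib.sha256(password.encode()).digest()

    def unlock(self, session, password=None, consent=lambda: True):
        if session.quick_unlock(self.path, consent) is not None:
            return "quick-unlock"
        if password is None or not hmac.compare_digest(hashlib.sha256(password.encode()).digest(), self._pw_hash):
            return "password-required"       # still locked: nothing was bypassed
        ok = session.enroll(self.path, password.encode(), consent)   # the password alone already authenticated
        return "password+enrolled" if ok else "password-only"       # Hello cancelled: open, but no Quick Unlock
```

Calling `unlock` with the correct password and a `consent` that returns False reproduces the report: the database opens, nothing is sealed, and the next unlock needs the password and shows the prompt again.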
