Keepass2android: [feature] 2 Factor Authentication (Fingerprint + pin)

Created on 5 Jun 2018  ·  6Comments  ·  Source: PhilippC/keepass2android

It would be great to have 2FA after the fingerprint, for enhanced security: everyone should use a long, complex password to protect the database, but when using the smartphone this could be problematic. So the fingerprint is a great idea, but anybody could force us to use the fingerprint (or use it inappropriately while we are, for example, unconscious or drunk).
A great solution could be, for example, to require a PIN after the fingerprint (less complex than the password, but ensuring robust security).

All 6 comments

That scared me into immediately turning off Alipay fingerprint payment.

I don't think it would help if you're being forced to use your fingerprint, since in such a case you'd also be forced to provide the PIN (a panic PIN would be helpful in such a case, with options when entered to delete the database and to send a text with your location and a user-specified message to user-selected numbers; paranoid, sure, but why not). However, it would be extremely helpful to make it easier and quicker to unlock the database without making it as easy as just a fingerprint. My main concern with using the fingerprint is that the password is stored in the Android KeyStore, which I don't really trust to keep it secure. I don't know if a PIN would just be stored there as well, thereby adding no additional security in that sense, or if it could be stored elsewhere, which _would_ then make the use of fingerprint unlock more secure.

@vertigo220 The main problem with typing the whole password on the phone is that anybody could see/record it (since the keyboard is on the screen and it's slower to type it). So it would be great to use another code, but if it's shorter it is also weaker.
If instead I only use the fingerprint, anybody could take advantage of it, for example while I'm unconscious.
That's why I believe that a combination of fingerprint and a short pin would be the perfect match.

PS: the idea of a panic pin would be a great idea, and could be applied to the use of the whole password too (I believe you should open another issue for that)

@PhilippC I think this and #644 are the same... maybe should be merged?

Even better, how about 3FA?

Password + YubiKey OTP + Fingerprint

Don't forget the keyfile 🤭
