Keepassxc: Touch ID Support on new MacBook Pro

Created on 25 Jan 2017 · 19 Comments · Source: keepassxreboot/keepassxc

Are there any plans to support TouchID on the new MacBooks? This would be great to unlock the database...

discussion user interface

All 19 comments

Can you link to an API or perhaps a Qt extension?

This will include platform-dependent code in the project (on GNU/Linux and Windows there is no TouchID).
We should discuss this.

Hardware support always needs platform dependent code. Perhaps you could make an abstraction and use system-provided APIs for each platform. fprint on GNU/Linux, Windows Biometric Framework on Windows, TouchID on macOS.

I support @dobegor's proposal. TouchID would greatly enhance the usability.

@TheZ3ro & @dobegor did you discuss this great new feature?

+1 for improved usability for those with TouchID MBPs.

Would this also scale to fingerprint reading on iPhone and Android? None of the KeePass variants for mobile support fingerprint.

@droidmonkey, MiniKeepass supports Touch ID on iPhones.

Did you think about that feature? If you would add an option to use fingerprint as password equivalent (so I could use my finger or password) on Windows, then I would definitely use it! For now I will probably use some workaround with software which my fingerprint's manufacturer provides.

Keepass2android too can be configured to use fingerprint access.

On 1 Dec 2017 2:23 am, "Jonathan White" notifications@github.com wrote:

Would this also scale to fingerprint reading on iPhone and Android? None
of the KeePass variants for mobile support fingerprint.


Well, newer MBPs feature a secure element which is capable of saving a secure key, which is readable after Touch ID authentication.
https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_secure_enclave

https://developer.apple.com/library/content/samplecode/KeychainTouchID/Listings/KeychainTouchID_AAPLKeychainTestsViewController_m.html

According to my research, code signing is a requirement for that.

I've done a first proof of concept which works out pretty well. I'm going to publish the code soon.

https://github.com/wiomoc/keepassxc/tree/feature/TouchID
As I mentioned earlier, this needs code signing.

sudo codesign --deep -f -s "Mac Developer: ...(**XYZ**)" --entitlements ../share/macosx/keepassxc.entitlements src/KeePassXC.app

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.application-identifier</key>
    <string>**XYZ**.org.keepassx.keepassxc</string>
    <key>com.apple.developer.team-identifier</key>
    <string>**XYZ**</string>
    <key>com.apple.developer.aps-environment</key>
    <string>production</string>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.print</key>
    <true/>
    <!-- Duplicate key: com.apple.security.app-sandbox is already set to true above. -->
    <key>com.apple.security.app-sandbox</key>
    <false/>
    <!-- Keychain access group used for the Touch ID protected item. -->
    <key>keychain-access-groups</key>
    <array>
        <string>**XYZ**.org.keepassx.keepassxc</string>
    </array>
    <key>com.apple.security.files.user-selected.read-only</key>
    <false/>
</dict>
</plist>

Any progress on this?
I would like to see fingerprint unlocking on Linux, too. I love it in my Android app. It also would be a great security enhancement. I tend to have the database open most of the time. If there were fingerprint unlocking I would lock the db immediately after each use.
Is the code signing the biggest obstacle?

I updated @wiomoc's solution a bit further and adapted it to the current state of the official development branch:

Features

  • TouchID is an option that can be activated on the unlock screen
  • TouchID is only used for temporary quick unlock
    • Database has to be unlocked once after restart of the application in order to activate quick unlock using TouchID
  • TouchID quick unlock only replaces the password part of the unlock process
    • With quick unlock activated the password will be encrypted (AES 256) and then kept in memory
    • The random encryption key (and IV) will be protected by the KeyChain using TouchID
  • Next time you don't need to enter your password, just press "OK" to unlock your database with TouchID (however you will still need your additional database key, YubiKey, ...)

https://github.com/kolhagen/keepassxc/tree/feature/macos-touchid-support

Compilation

  • Use -DWITH_XC_TOUCHID=ON

Possible future enhancements:

  • Provide abstraction layer for other OS/fingerprint reader
  • Unlock with just putting on fingerprint w/o actively having to click unlock
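
The quick-unlock scheme described in the comment above, as an added Swift example; it is not code from the linked branch or from KeePassXC. It uses AES-GCM from CryptoKit in place of the AES 256 key-plus-IV arrangement the comment describes, and the service name, function names and error type are hypothetical. It assumes macOS 10.15 or later and a code-signed app with a keychain access group, the requirement noted earlier in the thread.

```swift
import Foundation
import Security
import LocalAuthentication
import CryptoKit

// Hypothetical names for this example; they are not KeePassXC identifiers.
let service = "org.example.quickunlock"
enum QuickUnlockError: Error { case accessControl, keychain(OSStatus), blob }
func baseQuery(_ account: String) -> [String: Any] {
    [kSecClass as String: kSecClassGenericPassword,
     kSecAttrService as String: service,
     kSecAttrAccount as String: account,
     kSecUseDataProtectionKeychain as String: true]
}

// After a normal unlock: encrypt under a fresh random key; only the blob stays in memory.
func enableQuickUnlock(password: Data, account: String) throws -> Data {
    let key = SymmetricKey(size: .bits256)
    guard let blob = try AES.GCM.seal(password, using: key).combined
    else { throw QuickUnlockError.blob }   // blob = nonce + ciphertext + tag
    // biometryCurrentSet: enrolling or removing a fingerprint invalidates the item.
    guard let access = SecAccessControlCreateWithFlags(
        nil, kSecAttrAccessibleWhenUnlockedThisDeviceOnly, .biometryCurrentSet, nil)
    else { throw QuickUnlockError.accessControl }
    SecItemDelete(baseQuery(account) as CFDictionary)   // drop any stale key
    var add = baseQuery(account)
    let keyData = key.withUnsafeBytes { Data($0) }
    add[kSecAttrAccessControl as String] = access
    add[kSecValueData as String] = keyData
    let status = SecItemAdd(add as CFDictionary, nil)
    guard status == errSecSuccess else { throw QuickUnlockError.keychain(status) }
    return blob
}

// Quick unlock: reading the key triggers the Touch ID prompt; without a match
// the key is not released and the blob in memory stays undecryptable.
func quickUnlock(blob: Data, account: String) throws -> Data {
    let context = LAContext()
    context.localizedReason = "unlock the database"
    var query = baseQuery(account)
    query[kSecReturnData as String] = true
    query[kSecUseAuthenticationContext as String] = context
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let keyData = item as? Data
    else { throw QuickUnlockError.keychain(status) }
    let box = try AES.GCM.SealedBox(combined: blob)
    return try AES.GCM.open(box, using: SymmetricKey(data: keyData))
}
```

The blob returned by `enableQuickUnlock` is what the application holds while locked; deleting the Keychain item on exit keeps the quick unlock temporary, as the feature list describes.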

@kolhagen can you submit as a PR please?

Any news on this making it into an official release?
Sorry, didn't notice the reference _right above the comment box_, I'm glad there is progress!

Merged into develop with #1851
