Keepassxc: Feature Request: Windows Hello support

I like your proposal, but only for supporting #488.

Here is the ugly truth about fingerprint and other biometrics. They are NOT a password! They are your USERNAME. Biometrics "prove" that you are who you say you are. They DO NOT prove what you know (ie, your password). KeePass2Android uses your biometrics to store/retrieve your password in the Android KeyStore system (https://developer.android.com/training/articles/keystore). When you present your fingerprint, it extracts the password from the store and types it into the password field.

I'm no developer, and as such I have no idea if Windows Hello implements their biometrics as a password the same way as android does.
Nonetheless, even tho it might be considered less secure, I think it's a feature a lot of people would like to use.

Same goes for OTP, whats the use of 2FA if you username, password and OTP are in the same application.
(then again, that question is answered in the FAQ).
I think security always will be about making it harder to get to data, but not so much as to make it too hard to actually be useful.
A house filled with concrete will not get broken into, but it's hard living in ;)

Anyhow, looking forward to seeing whether this feature request get's implemented :)

The equivalent on PC is a TPM chip, which is a hardware based encryption and key storage device soldered to your motherboard. It could be possible to use Windows Hello to authenticate a request to the TPM chip which would give back the credentials for your database, similar to how KeePass2Android works.

I want use Windows hello too.

I'd also love the integration of Windows Hello.

There is a plugin for windows hello with keepass 2. It would be great to have this feature in keepassxc

I suppose this feature is similar to the one that was added (but not yet released) to add TouchID support on macOS:

Add support for quick unlock with TouchID on Macbook Pro (#1851)

What's the status on this? Fingerprint support would be great.

As I'm currently interested in Windows implementation (where the database locks with the workstation and I have to unlock it many times a day), here are some references from KeePass plugins:

https://github.com/sirAndros/KeePassWinHello
https://github.com/Angelelz/WinHelloUnlock

Even though these are written in dotNet, hope this can be useful as an API reference.

@MisterY how it works for keepassxc. It be will work in keepassxc now? I want use my fingerprint device on my laptop now! I think it not work now.

This is not currently an available feature in KeePassXC. I am going to make an attempt to integrate this along with Quick Unlock for 2.6.0.

@droidmonkey, this will be much appreciated :)

This is the only missing feature for me. For a long time i want to switch from keepass to Keepassxc

Ya'll gonna be waiting forever because it's not looking possible. Windows Hello is for UWP apps only.

Ya'll gonna be waiting forever because it's not looking possible. Windows Hello is for UWP apps only.

I am not a programmer in any way, but there is a keepass2 plugin that adds windows Hello support to keepass2..
As far as I know keepass2 is not a UWP
I'm not sure how they do it, bit it might just be possible.

Then again, it doesn't have any priority for me, since I have moved to bitwarden

Keepass2 is C#.

Written in, then compiled, just like any other (Windows) program.

Wrong. Not like ANY other. C# is still .NET and the UWP/WINRT APIs are .NET APIs and not available in C++ except for maybe with cppwinrt, which is still problematic without the VCpp toolchain. We can of course load DLLs, but we certainly don't want to GetProcAddress() the whole WINRT API.

The library you linked is a C# library. 🙄

What about the microsoft biometrics framework wich is still used in LastPass (even if we cant see how) ?

Thank you for your insightful contribution. Come back when you have a C++ interface for us.