Keepassxc: TouchId Session expiry

Created on 20 Jun 2020 · 8 Comments · Source: keepassxreboot/keepassxc

Overview

Upgraded to 2.6.0-beta1, and when the database gets locked for some extended period of time, the TouchID session is forgotten.

Steps to Reproduce

  1. In the Preferences > Security > Convenience section, make sure that the "Forget TouchID when session..." is unchecked.
  2. In the Preferences > Security > Timeout section, make sure that the "Forget TouchID after inactivity..." is unchecked.
  3. Open a keepass db ensuring that the "TouchID for quick unlock" is already set up and is checked.
  4. Close the laptop for some time (not sure what the threshold is) - seems like > 30 mins or so

Expected Behavior

Upon the threshold expiring, hitting enter on the password field without any data should have popped up the prompt to allow TouchID to open the DB - this doesn't happen.

Actual Behavior

Keepassxc bypasses the TouchID mechanism for unlocking the db, and instead tries to open the db with an empty password.

Context

KeePassXC - Version 2.6.0-beta1
Build Type: PreRelease
Revision: e5b0219

Qt 5.14.1
Debugging mode is disabled.

Operating system: macOS 10.15
CPU architecture: x86_64
Kernel: darwin 19.5.0

Enabled extensions:

  • Auto-Type
  • Browser Integration
  • SSH Agent
  • KeeShare (signed and unsigned sharing)
  • YubiKey
  • TouchID

Cryptographic libraries:
libgcrypt 1.8.5

Operating System: macOS
Desktop Env:
Windowing System:

PRE-RELEASE BUG macOS

All 8 comments

Update - not sure - need to repeat - but, I don't know if I can set it up correctly:

After posting the above, I followed these steps:
1) Toggled on and then off the Preferences > Security > Timeout section, make sure that the "Forget TouchID after inactivity..."
2) Kept keepassxc open, and closed the lid of my laptop
3) Opened just now (approx 2hrs later).
4) Hit enter in the blank password field - and it worked as expected, i.e. the "TouchID" prompt dialog popped up!

So, though the issue is "fixed", it might mean that for a db that is being upgraded from an older version of KeepassXC, the default settings and/or how they are read/parsed is somehow incorrect - please check that logic.

I'm not seeing any obvious issues in the configuration code.

Found the problem:

https://github.com/keepassxreboot/keepassxc/blob/1ad01844735f8de794a5b0f0089fa79067d9e0cd/src/gui/MainWindow.cpp#L1337-L1342

Should be config()->get(Config::Security_ResetTouchId).toBool()

Truly appreciate the very fast turnaround on this!!!

Can we get a new pre-release candidate with this fix please?

We are going to roll right into a release.

@droidmonkey - when can we get a release with this fix please? Right now, I have to either keep the db open all the time, or am forced to enter a really long master password each time I want to unlock it.

Release is tomorrow
