Why KeePass2Android Quick Unlock is not implemented?

[kcb3]

I would love to switch to this app, but I believe the QUICK LAUNCH from the KEEPASS2ANDROID app is too valuable to give up. I don't feel safe with fingerprint or face rec. Being able to enter a truncated form of my much larger PW for frequent openings would make this app much safer. An unconscious person can easily be used to open any of the biometric security measures.

[J-Jamet]

It has been explained several times why quick unlock will not be implemented. It is not at all more secure because it simply leaves the database open in the background and blocks simple access to the UI.

https://github.com/Kunzisoft/KeePassDX/wiki/Advanced-Unlocking#why-not-quick-unlock

#102 (comment)

[J-Jamet]

You can use the device credential if you don't want to use biometric recognition or simply use an external key file as a second factor on a USB stick for example.

[brettjrob]

I'm a longtime Keepass2Android user checking out this app for this first time, and I'm also missing its quick unlock functionality.

Specifically, what would seem valuable in practice is an optional timeout for the biometric and/or device credential. In other words, strictly require the MP upon first opening the app, but then allow biometric to work for up to X minutes after the db has last been successfully accessed (similar to the KP2A app's quick unlock PIN behavior). After timeout, only MP will work for next access.

The Temp Advanced Unlocking feature may be useful to some, but it only allows saving a one-off credential. If you set it to expire after 5 min, you would have to go through the whole credential configuration process again and again daily.

Although I understand that my request would still involve permanently saving a key associated with biometric/device cred somewhere on local storage, it still seems like the option to restrict its use within the app UI would be of some value in the case of a device stolen by savvy users or acquired by law enforcement, for example.

I could be missing something important, so I'm happy to get a clarification.

[J-Jamet]

Specifically, what would seem valuable in practice is an optional timeout for the biometric and/or device credential. In other words, strictly require the MP upon first opening the app, but then allow biometric to work for up to X minutes after the db has last been successfully accessed (similar to the KP2A app's quick unlock PIN behavior). After timeout, only MP will work for next access.

This is exactly what the Temp advanced unlocking feature does with an appropriate timeout. https://github.com/Kunzisoft/KeePassDX/wiki/Advanced-Unlocking#temporary-encrypted-key-memory

The Temp Advanced Unlocking feature may be useful to some, but it only allows saving a one-off credential. If you set it to expire after 5 min, you would have to go through the whole credential configuration process again and again daily.

I don't see what the problem is. It's that you're asking when you were saying "After timeout, only MP will work for next access." previously otherwise it is the same as using the normal advanced unlocking.

Although I understand that my request ...

I don't see any specific request in your comment, so I don't quite understand.

I could be missing something important, so I'm happy to get a clarification.

Please read the wiki carefully which explains why KeePass2Android's Quick Unlock will not be implemented (to make it short, it's nothing more than leaving the database open and making a UI with a password to display it visually). https://github.com/Kunzisoft/KeePassDX/wiki/Advanced-Unlocking#why-not-quick-unlock

[brettjrob]

@J-Jamet my apologies for not being clearer. I'm specifically requesting that the biometric/device credential is permanently stored once created, but that it can't be used unless the db has already been unlocked recently. Essentially, this would be like biometric unlock in Android (for Pixel): biometric becomes temporarily disabled after a reboot or after the device hasn't been used for a long period of time, then gets re-enabled automatically for some user-defined time period after a successful manual unlock. This would be different than the current Temp Unlock where the credential is permanently deleted after the timeout.

[J-Jamet]

I'm specifically requesting that the biometric/device credential is permanently stored once created, but that it can't be used unless the db has already been unlocked recently.

Biometric functions use the keystore to store encrypted keys, and it is not possible to change the expiration date on the fly of a key in the keystore to restore it later. One of the solutions to accomplish what you say would be to register a time variable but it would be enough to change the time of the device to bypass the functionality so not a secure improvement. You might as well use the normal advanced unlock in this case, if your device takes care of disable the biometric recognition after a restart, it will not work in KeePassDX after this restart.