Touch ID Support on new MacBook Pro #209

Closed
nodomain opened this issue Jan 25, 2017 · 19 comments

@nodomain

commented Jan 25, 2017

Are there any plans to support TouchID on the new MacBooks? This would be great to unlock the database...

@droidmonkey

Member

commented Jan 26, 2017

Can you link to an API or perhaps a Qt extension?

@nodomain

Author

commented Jan 26, 2017

@TheZ3ro

Contributor

commented Jan 26, 2017

This will include platform-dependent code in the project (on GNU/Linux and Windows there is no TouchID).
We should discuss this.

@TheZ3ro added discussion and removed new feature labels Jan 26, 2017

@dobegor


commented May 29, 2017

Hardware support always needs platform dependent code. Perhaps you could make an abstraction and use system-provided APIs for each platform. fprint on GNU/Linux, Windows Biometric Framework on Windows, TouchID on macOS.

@nodomain

Author

commented May 30, 2017

I support @dobegor's proposal. TouchID would greatly enhance the usability.

@mimaoffice


commented Sep 6, 2017

@TheZ3ro & @dobegor did you discuss this great new feature?

@dhrosen


commented Nov 30, 2017

+1 for improved usability for those with TouchID MBPs.

@droidmonkey

Member

commented Dec 1, 2017

Would this also scale to fingerprint reading on iPhone and Android? None of the KeePass variants for mobile support fingerprint.

@scvsh


commented Dec 1, 2017

@droidmonkey, MiniKeePass supports Touch ID on iPhones.

@jack1142


commented Dec 19, 2017

Did you think about that feature? If you would add an option to use a fingerprint as a password equivalent (so I could use my finger or password) on Windows, then I would definitely use it! For now I will probably use some workaround with software which my fingerprint's manufacturer provides.

@seatedscribe

Contributor

commented Dec 19, 2017

@wiomoc


commented Dec 21, 2017

Well, newer MBPs feature a secure element which is capable of saving a secure key, which is readable after Touch ID authentication.
https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_secure_enclave

https://developer.apple.com/library/content/samplecode/KeychainTouchID/Listings/KeychainTouchID_AAPLKeychainTestsViewController_m.html

According to my research, code signing is a requirement for that.

@wiomoc


commented Dec 22, 2017

I've done a first proof of concept which works out pretty well. I'm going to publish the code soon.

@wiomoc


commented Dec 22, 2017

https://github.com/wiomoc/keepassxc/tree/feature/TouchID
As I mentioned earlier, this needs code signing:

```
# Sign the app bundle with the entitlements file shown below
sudo codesign --deep -f -s "Mac Developer: ...(**XYZ**)" --entitlements ../share/macosx/keepassxc.entitlements src/KeePassXC.app
```

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
	<dict>
		<key>com.apple.application-identifier</key>
		<string>**XYZ**.org.keepassx.keepassxc</string>
		<key>com.apple.developer.team-identifier</key>
		<string>**XYZ**</string>
		<key>com.apple.developer.aps-environment</key>
		<string>production</string>
		<key>com.apple.security.network.client</key>
		<true/>
		<key>com.apple.security.app-sandbox</key>
		<true/>
		<key>com.apple.security.print</key>
		<true/>
		<!-- NOTE: com.apple.security.app-sandbox appears a second time here with the opposite value; a dict key should occur only once -->
		<key>com.apple.security.app-sandbox</key>
		<false/>
		<key>keychain-access-groups</key>
		<array>
			<string>**XYZ**.org.keepassx.keepassxc</string>
		</array>
		<key>com.apple.security.files.user-selected.read-only</key>
		<false/>
	</dict>
</plist>
```

@paulsommer


commented Mar 19, 2018

Any progress on this?
I would like to see fingerprint unlocking on Linux, too. I love it in my Android app. It also would be a great security enhancement. I tend to have the database open most of the time. If there were fingerprint unlocking I would lock the db immediately after each use.
Is the code signing the biggest obstacle?

@keepassxreboot deleted a comment from paulsommer Mar 21, 2018

@mxk6n

Contributor

commented Apr 16, 2018

I updated @wiomoc's solution a bit further and adapted it to the current state of the official development branch:

Features

  • TouchID is an option that can be activated on the unlock screen
  • TouchID is only used for temporary quick unlock
    • Database has to be unlocked once after restart of the application in order to activate quick unlock using TouchID
  • TouchID quick unlock only replaces the password part of the unlock process
    • With quick unlock activated the password will be encrypted (AES 256) and then kept in memory
    • The random encryption key (and IV) will be protected by the KeyChain using TouchID
  • Next time you don't need to enter your password, just press "OK" to unlock your database with TouchID (however, you will still need your additional database key, YubiKey, ...)

https://github.com/kolhagen/keepassxc/tree/feature/macos-touchid-support

Compilation

  • Use -DWITH_XC_TOUCHID=ON

Possible future enhancements:

  • Provide abstraction layer for other OS/fingerprint reader
  • Unlock with just putting on fingerprint w/o actively having to click unlock
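
The Keychain side of the quick-unlock scheme described in the comment above, as an added example that is not part of the thread and not KeePassXC's code. The service name and function names are hypothetical, and it assumes macOS 10.15 or later and a code-signed app with a keychain entitlement; encrypting the password with the returned key is left to the caller.

```swift
import Foundation
import LocalAuthentication
import Security
// Hypothetical service name for this sketch; not an identifier from KeePassXC.
let quickUnlockService = "org.example.quickunlock"
enum QuickUnlockError: Error { case random(Int32), accessControl, keychain(OSStatus) }

func baseQuery(_ databaseID: String) -> [String: Any] {
    [kSecClass as String: kSecClassGenericPassword,
     kSecAttrService as String: quickUnlockService,
     kSecAttrAccount as String: databaseID,
     kSecUseDataProtectionKeychain as String: true]  // macOS 10.15+, needs a signed app
}

/// Creates a random AES-256 key (32 bytes) plus IV (16 bytes) and stores both behind Touch ID.
func enrollQuickUnlock(databaseID: String) throws -> Data {
    var material = [UInt8](repeating: 0, count: 32 + 16)
    let rc = SecRandomCopyBytes(kSecRandomDefault, material.count, &material)
    guard rc == errSecSuccess else { throw QuickUnlockError.random(rc) }
    // biometryCurrentSet invalidates the item when fingerprints change; ThisDeviceOnly keeps it local.
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault, kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        .biometryCurrentSet, nil) else { throw QuickUnlockError.accessControl }
    SecItemDelete(baseQuery(databaseID) as CFDictionary)  // drop any stale item first
    var add = baseQuery(databaseID)
    add[kSecAttrAccessControl as String] = access
    add[kSecValueData as String] = Data(material)
    let status = SecItemAdd(add as CFDictionary, nil)
    guard status == errSecSuccess else { throw QuickUnlockError.keychain(status) }
    return Data(material)  // caller encrypts the password with it, then discards this copy
}

/// Reads the key material back; the system shows the Touch ID prompt before releasing it.
func unlockKeyMaterial(databaseID: String) throws -> Data {
    let context = LAContext()
    context.localizedReason = "unlock the password database"
    var query = baseQuery(databaseID)
    query[kSecReturnData as String] = true
    query[kSecUseAuthenticationContext as String] = context
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let data = result as? Data else {
        throw QuickUnlockError.keychain(status)  // e.g. errSecUserCanceled, errSecItemNotFound
    }
    return data
}

/// Removes the key on application exit, so the next start needs the full password again.
func revokeQuickUnlock(databaseID: String) { SecItemDelete(baseQuery(databaseID) as CFDictionary) }
```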

@droidmonkey

Member

commented Apr 16, 2018

@kolhagen can you submit as a PR please?

@dnlm


commented Jul 13, 2018

Any news on this making it into an official release?
Sorry, didn't notice the reference right above the comment box, I'm glad there is progress!

@droidmonkey added this to the v2.4.0 milestone Sep 21, 2018

@droidmonkey

Member

commented Sep 21, 2018

Merged into develop with #1851
