Feature Request: Windows Hello support

[Gibletron]

On my Android I use Keepass2Android with support for fingerprint database unlocking.
I would like to request this same functionality on Windows PC's with Hello support.
Windows Hello is a bio metric safety feature used to unlock Windows using for instance a fingerprint or facial recognition.

It would be great to be able to unlock my Keepass with a swipe of my fingerprint sensor, without having to type in a password or anything of the sorts.
Could also be used as an MFA feature, where Windows Hello authentication is required in addition to other authentication methods

[droidmonkey]

I like your proposal, but only for supporting #488.

Here is the ugly truth about fingerprint and other biometrics. They are NOT a password! They are your USERNAME. Biometrics "prove" that you are who you say you are. They DO NOT prove what you know (ie, your password). KeePass2Android uses your biometrics to store/retrieve your password in the Android KeyStore system (https://developer.android.com/training/articles/keystore). When you present your fingerprint, it extracts the password from the store and types it into the password field.

[Gibletron]

I'm no developer, and as such I have no idea if Windows Hello implements their biometrics as a password the same way as android does.
Nonetheless, even tho it might be considered less secure, I think it's a feature a lot of people would like to use.

Same goes for OTP, whats the use of 2FA if you username, password and OTP are in the same application.
(then again, that question is answered in the FAQ).
I think security always will be about making it harder to get to data, but not so much as to make it too hard to actually be useful.
A house filled with concrete will not get broken into, but it's hard living in ;)

Anyhow, looking forward to seeing whether this feature request get's implemented :)

[droidmonkey]

The equivalent on PC is a TPM chip, which is a hardware based encryption and key storage device soldered to your motherboard. It could be possible to use Windows Hello to authenticate a request to the TPM chip which would give back the credentials for your database, similar to how KeePass2Android works.

[x22x22]

I want use Windows hello too.

[tinokorth]

I'd also love the integration of Windows Hello.

[mgabi96]

There is a plugin for windows hello with keepass 2. It would be great to have this feature in keepassxc

[karlhorky]

I suppose this feature is similar to the one that was added (but not yet released) to add TouchID support on macOS:

Add support for quick unlock with TouchID on Macbook Pro (#1851)

[ci70]

What's the status on this? Fingerprint support would be great.

[alensiljak]

As I'm currently interested in Windows implementation (where the database locks with the workstation and I have to unlock it many times a day), here are some references from KeePass plugins:

https://github.com/sirAndros/KeePassWinHello
https://github.com/Angelelz/WinHelloUnlock

Even though these are written in dotNet, hope this can be useful as an API reference.

[userosos]

@mistery how it works for keepassxc. It be will work in keepassxc now? I want use my fingerprint device on my laptop now! I think it not work now.

[droidmonkey]

This is not currently an available feature in KeePassXC. I am going to make an attempt to integrate this along with Quick Unlock for 2.6.0.

[janjur]

@droidmonkey, this will be much appreciated :)

[Mardiie]

Just uninstalled KeePass to read this.
Must have feature.

[mgabi96]

This is the only missing feature for me. For a long time i want to switch from keepass to Keepassxc

[droidmonkey]

Ya'll gonna be waiting forever because it's not looking possible. Windows Hello is for UWP apps only.

[Gibletron]

Ya'll gonna be waiting forever because it's not looking possible. Windows Hello is for UWP apps only.

I am not a programmer in any way, but there is a keepass2 plugin that adds windows Hello support to keepass2..
As far as I know keepass2 is not a UWP
I'm not sure how they do it, bit it might just be possible.

Then again, it doesn't have any priority for me, since I have moved to bitwarden

[phoerious]

Keepass2 is C#.

[Mardiie]

Ya'll gonna be waiting forever because it's not looking possible. Windows Hello is for UWP apps only.

100% not true.
KeePass2, what this software is based on, has 2 plugins that support it, and that is not even near being a UWP app.
I'm pretty sure any piece of software can access a software library, in this case a dll file, to activate windows Hello.

Also I think it will be KeepassXC that will be waiting for those users forever.

Keepass2 is C#.

Written in, then compiled, just like any other (Windows) program.

[phoerious]

Written in, then compiled, just like any other (Windows) program.

Wrong. Not like ANY other. C# is still .NET and the UWP/WINRT APIs are .NET APIs and not available in C++ except for maybe with cppwinrt, which is still problematic without the VCpp toolchain. We can of course load DLLs, but we certainly don't want to GetProcAddress() the whole WINRT API.

[Mardiie]

Written in, then compiled, just like any other (Windows) program.

Wrong. Not like ANY other. C# is still .NET and the UWP/WINRT APIs are .NET APIs and not available in C++ except for maybe with cppwinrt, which is still problematic without the VCpp toolchain. We can of course load DLLs, but we certainly don't want to GetProcAddress() the whole WINRT API.

So whats your saying is it can't be coded?
I find that... unique.
sirAndros/KeePassWinHello#7 (comment)

It's fine by me either way.

[phoerious]

The library you linked is a C# library. 🙄

[mgabi96]

What about the microsoft biometrics framework wich is still used in LastPass (even if we cant see how) ?

[Mardiie]

The library you linked is a C# library. 🙄

Wow, reading a post is hard.
He is stating he will write a library for C++/C#.
Nice try to make it seem you aren't wrong though.

[phoerious]

Thank you for your insightful contribution. Come back when you have a C++ interface for us.