Enhancement suggestion: When in "Enable Fingerprint Unlock for QuickUnlock" mode require full password after an excessive number of failed fingerprint scans.
#16 · Closed · trackroute opened this issue on Oct 1, 2017 · 1 comment
Hi,
Firstly - thanks for the great app!
I've been thinking about fingerprint authentication today and have concluded that perhaps fingerprints aren't a particularly secure form of authentication (because we only have one set of fingerprints and anyone can probably get hold of them with a little bit of effort and patience). Also some fingerprint scanners may be rather trivial to fool (e.g. http://www.telegraph.co.uk/technology/2017/04/11/smartphone-fingerprint-scanners-could-easily-fooled-fake-prints/ ). However fingerprint unlock is obviously very convenient and I want to use it where possible, but still be as secure as possible.
Hence my enhancement suggestion: In "Enable Fingerprint Unlock for QuickUnlock" mode, what I would like keepass2android to do is to revert to requiring the full password if the fingerprint is rejected several times when trying to quickunlock. Perhaps this can be a configurable option, e.g. a checkbox to enable this behavior and maybe even a configurable number of fingerprint unlock attempts permitted before requiring the full password (maybe a default of 3 or whatever is thought appropriate).
I'm asking for this enhancement because at the moment Keepass2android seems to allow an unlimited number of fingerprint entry attempts in the quickunlock mode without reverting to requiring the full password. Meaning it would be possible for a malicious actor to repeatedly try to unlock the database using different fingerprint spoofing tactics. (Obviously this may take them a long time because of the delays after failed attempts, but it seems to be quite an easy attack vector if they have a copy of a person's fingerprints and just need to trick the sensor into accepting them using some means.)
Thoughts?
The only thing I would add to this is the option to disable fingerprint unlock vs requiring the full password. In other words, I would set it to allow 2 or 3 fingerprint attempts, after which it would no longer allow the fingerprint to unlock it but it would still give me my one shot with the QuickUnlock (typing in the characters). This would prevent me from having it simply not read my fingerprint correctly, which sometimes happens, especially if my fingers are damp, thereby causing me to have to type in my entire, very long, password after accidentally trying the fingerprint unlock too many times.
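One way a developer could model the lockout described in the issue and refined in the comment above: a small state machine in which repeated fingerprint rejections disable fingerprint unlock, leave the usual single typed QuickUnlock attempt (the commenter's variant, switchable off), and then fall back to the full master password. This is an added sketch, not Keepass2Android's own code; the class and method names are assumptions, and the default of 3 is the one suggested in the issue.

```python
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    FINGERPRINT = "fingerprint"        # fingerprint is accepted for QuickUnlock
    QUICKUNLOCK_TYPED = "typed"        # fingerprint disabled; one typed QuickUnlock try left
    FULL_PASSWORD = "full_password"    # only the full master password is accepted


@dataclass
class QuickUnlockPolicy:
    """Tracks which credential the unlock screen should currently accept."""
    max_fingerprint_failures: int = 3   # configurable threshold, default 3 per the issue
    allow_typed_fallback: bool = True   # False: exhausted fingerprints go straight to full password
    failures: int = 0
    mode: Mode = Mode.FINGERPRINT

    def fingerprint_result(self, accepted: bool) -> Mode:
        """Record the sensor's verdict; returns the mode required for the next attempt."""
        if self.mode is not Mode.FINGERPRINT:
            return self.mode            # fingerprint is disabled: the attempt is ignored
        if accepted:
            return self._unlocked()
        self.failures += 1
        if self.failures >= self.max_fingerprint_failures:
            self.mode = (Mode.QUICKUNLOCK_TYPED if self.allow_typed_fallback
                         else Mode.FULL_PASSWORD)
        return self.mode

    def typed_quickunlock_result(self, accepted: bool) -> Mode:
        """The existing one-shot QuickUnlock: a wrong entry requires the full password."""
        if self.mode is Mode.FULL_PASSWORD:
            return self.mode
        if accepted:
            return self._unlocked()
        self.mode = Mode.FULL_PASSWORD
        return self.mode

    def full_password_result(self, accepted: bool) -> Mode:
        """A correct master password re-enables fingerprint QuickUnlock and clears the counter."""
        return self._unlocked() if accepted else Mode.FULL_PASSWORD

    def _unlocked(self) -> Mode:
        self.failures = 0
        self.mode = Mode.FINGERPRINT
        return self.mode
```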