New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Protect App with a Password #27
Comments
Not sure I fully follow you here @MichiMunich. Do you mean, some kind of immediate request for authentication before even showing the list of Safes/Databases? |
Exactly. It should be a pre authentication, so that without entering a password or TouchID no access to the password databases is possible. |
Yes I agree here |
Ok, I never really considered this, but it should be straightforward to request Touch/Face ID authentication before even showing the list. Thanks for the details. |
Would be better if there was the option of a passcode/phrase to open the app then Touch ID for the safe, two factors are better than one. |
I second this idea. My favourite style would be that I can have the password safe open, but access to actually view it is granted only after one enters a custom PIN. |
Just to clarify you want there to be a passcode/touch ID for the app? Then subsequent authorization for the safes themselves? If so this kind of goes against the model of granting access using TouchID if you are allowing touch id or your passcode to unlock the safe (which also includes your phone PIN because it will failover if touch ID fails). That really isn't 2FA. its just making so you authorize multiple times. And since the app allows per safe options for unlocking using Touch ID this seems moot and overly complicated. I can understand wanting to limit access, but if your phone pin is compromised those extra layers don't do anything. IF touch id is enabled for the phone, the app, and a safe. someone would just failover touch id to the pin. Then enter the same pin 3 times. Maybe I am misunderstanding the objective here? |
Oh, I'm sorry, Personally I dislike touch and faceid, because people can be forced to touch their finger somewhere and look in a certain direction. My ideal solution is: Then when I start strongbox I have to open my password safe with the passwordkey. Now whenever I go back to strongbox, the safe is open (unless the auto-close time is up) but I still have to enter the appkey. I think its appropriate to make an option to replace the appkey with faceid or touchid but it's important for me that I can also choose to use an actual appkey for the reasons in the beginning of this post. |
Ok, i get it. I thought maybe thats what you meant. And I have seen other apps that allow for authorizing using your password for the account (or safe in this case), but then give you the option to add passcode/password you could use to unlock for a set time frame. ie until a timer runs out or phone is rebooted. This would be taking it one layer deeper to apply the functionality per safe as well. |
Oh, again my bad: |
I meant something akin to standard notes, whereby you Touch/face ID to enter the app, then set a code to enter the note, which expires after a user set amount of time. Seems silly to have a password safe which is as protected as is possible by keepass, to then have it opened by a simple couple of Touch ID inputs with could be forced. This way could be a mixture of security and convenience. |
Hi,
So it work more like alternative to Touch ID? So after correct Touch ID and Convenience PIN- DB opened BR |
Its cool that you integrate user requests so fast! |
Hi @CzarlsOnGit , let me see, I'll look into making it work as both OR and AND with pin codes and touch id... Shouldn't be a major problem. @eike-f I'll add it to the list... |
Cool, thanks! |
Sorry, I just realized that the password safe pins do exactly that. |
Hi, [edit] |
Hi @CzarlsOnGit, ok, so you would expect that if Touch ID is turned off in phone settings, that the app should then revert back to requesting master credentials, rather than allowing log through PIN alone? If so, that sounds like a fair request. I'll get it added into the next release. |
requesting master credentials to change Touch ID or PIN options will be the best IMO |
Oh I think I misunderstood you. I thought you meant if biometrics was disabled at the phone level AND the app uses BOTH Biometrics and PIN, then we should revert to master credentials (actually I still think this is a good idea, and will implement in next version.) Also, allowing Biometric AND/OR PIN is by design. Some people will want Biometric Only, some will want PIN only, and some will want both. I think this is good, and allows people choose their preferred convenience setup. But what I think you're saying is that we should ask for master credentials even after the safe has been opened? I'm not sure about that tbh. Once the safe is open, all bets are off, whoever has it has full access already to your safe at that point. There doesn't seem to me much value in re-asking for credentials? Maybe other people have strong opinions here? |
This idea i OK |
Yes, so if you turn off one of those methods then it won't ask you to use that method. This is by design. If you want to be sure that both are required, then yes, you need to enable both methods. You as the user control the convenience methods required. Not sure if that answers your question, perhaps I'm misunderstanding something? |
from user point of view, control login methods by setting is ok, |
Ok, think I understand, and will address in next release. If user configures BOTH convenience methods and one (somehow, by config etc) becomes unavailable, require master credentials to open. |
For what it's worth, I'm with @mmcguill on both points here:
|
@mmcguill Will the data be deleted after a few (configurable) failed attempts? |
Hi @dbluxo, this is something I could look at with the addition (or return) of the App Lock screen. It could be that if someone enters the wrong pin 3 times, we could remove (or delete) all databases. |
Just FYI, The App Lock is available now with 1.28.0. I'll close this off in a couple of days all going well. I'll create a new Github issue for deleting all databases on 3 incorrect attempts. |
Many thanks for implementing this. It was very much needed and now this is my goto app. |
Cool, thanks a lot! |
Thanks for all the input everyone... created #121 to track database deletion on incorrect unlock attempts. Closing this one off. Please open new issues if you have any further requests. |
A password protection (TouchID/FaceID) for the app would be great to protect the locally stored data or the configurations for the cloud data within Strongbox. With a configurable number of failed attempts to open the app, the local data or configurations will be deleted.
The text was updated successfully, but these errors were encountered: