Improve support for Macbook Pro TouchID #2865
Comments
It took me a while to understand that I have to both tickbox the touchID option AND click on OK without typing any password. I don't get if this enhancement issue is taking this into account; to me the procedure should be clearer, e.g., just start polling the TouchID sensor and unlock when it sends back a positive fingerprint recognition. Alternatively, place a button like "Unlock with TouchID now". |
Yes exactly, I totally agree with you! I suggested to get rid of the checkbox (just one global setting for disabling TouchID altogether in the settings menu). Also adding a button / clickable biometric icon for unlocking with TouchID manually. Unfortunately, it is not possible (to my knowledge) on macOS to poll the fingerprint sensor in the background - it has to be triggered, which then brings this system popup to the foreground. Therefore, I made the suggestion to automatically do this when the application is being brought to the foreground (btw. that is also how 1pw does it). |
This does not work for me on 2.4.0 and MacOS 10.14.4. How is that checkbox supposed to work? |
@hhrutter This is just the thread for the upcoming improvements - none of these are implemented yet (I am currently working on it, though). As for your problem, you have to have both |
When are you supposed to get an Ok. I am in. This feature is only for unlocking after the db locks due to timeout or manual lock? KeepassXC rocks but this is frustrating I have to admit. |
@hhrutter sorry for all the ux issues with this. Unfortunately the lead devs do not have a mac with touchid hardware so we could not fully test this feature. Luckily mxk6n is planning to upgrade it. |
This thread helped me understand how to use it. It's a shame I can't use Touch ID until after an initial master password entry, but it's still handy though. Thanks for all the hard work. Love your guys password manager app! |
Sorry for the confusion about this... I will definitely add some explanations / dialogs to guide through the process of activating and using TouchID together with the improvements mentioned above. In order to activate TouchID we will always need the initial entry of the master password. However, right now this is true for every restart of the application (as the encrypted secret is kept in memory which is cleared when closing Keepass). You raise a good point, I will try to facilitate the Secure Enclave to perform the decryption of a persistent encrypted secret which will then survive the restart of the application :) I added it as a bullet in my initial comment. |
In 2.4.1 and I still cannot see the There's something I could be missing? |
Just press |
Hooray!!! Managed to unlock via TouchId for the very first time.
I would suggest having an Unlock via TouchId or Let me in button. Having to
say OK is not intuitive in this situation.
…On Mon, Apr 15, 2019, 11:53 Max ***@***.***> wrote:
Just press ok, that's what i meant with unlock ;)
|
Hi! This is not a rant. Just an honest feeling about this feature. |
Hi, I see a lot of negativity and I just want to say that I love this feature. It is so nice to have this 'quick unlock' like feature available that is still secure (at least secure enough). Thanks for implementing it! Although understanding exactly how it works at first was a bit difficult (so work can still be done), I think it's awesome. |
Yes. @mxk6n What is the progress on improving the UI at login? I like the idea of a single button to trigger Touch ID authentication. I didn't know that I had to click |
I'm okay with having to click a button to trigger TouchID. Especially if that button has a keyboard shortcut! |
I'm having trouble getting the touch id to work for this. Here's the workflow
Expected: TouchID prompt of some kind Observed: "Unlocking the database failed and you did not enter a password" What am I missing? |
@Agentscreech Can you confirm your KeepassXC and OS versions? I'll try to reproduce. |
Thanks for the reply. KeePassXC v2.5.1 on macOS 10.14.6 |
@Agentscreech I am on macOS 10.15.1 (Catalina) and the same version of KeePassXC. Following your steps above does result in successful authentication via TouchID. So, I'm unable to reproduce your issue. However, I don't recommend you update to Catalina to support this feature. There is likely (read: hopefully) another cause for the discrepancy. |
Thanks. Is there something I can reference about where I should be looking for more troubleshooting? I feel like I followed the build instructions correctly. FYI, touchID wasn't setup (new computer) when I built it. |
Did you build from source or install from disk image? In the case of the former, I'd recommend trying to install from the provided disk image. |
Touch ID unlock also not working on my 16" MBP (Catalina 10.15.3). Maybe it's a pattern, 16" MBP? My config:
|
@tbleich I suspect the issue getting you is the screen lock setting. Unlock, and in settings you can disable that functionality if desired. With both disabled, the only time you should need to use password is if you close the application. Oh, that's the other thing. TouchID only stays active if you DO NOT close KeePassXC. If you quit, you will need password again. |
KeePassXC >> Preferences... >> Security >> (uncheck) Forget TouchID when session is locked or lid is closed Thanks for pointing this out! I have now unchecked the above setting and the touch ID works for unlocking for me! I locked the database (clicked the Lock icon in the toolbar), then clicked the OK button on the Unlock KeePassXC Database screen and I was prompted for my TouchID. As my entry above suggests: a bit of updating of documentation could go a long way here. I'll submit a push request shortly. |
I concur. It's a little confusing how it works and why it isn't working when you think it should. It's a UI and/or documentation disconnect with the user's perception of its functionality. |
@RayfenWindspear Unfortunately a colleague spilled a bottle of water over my laptop, the repair takes about three weeks and until then I am on a TouchID-less Macbook... |
I hope they at least bought you lunch! |
@gregfenton @RayfenWindspear Thanks for the hint, I had the box checked. Unchecked it, works like a charm now! KeePassXC >> Preferences... >> Security >> (uncheck) Forget TouchID when session is locked or lid is closed Yes, I got lunch :) In case you are wondering, the price for a new 16" MBP display is around 600€ net, excluding labor ... |
We know. This was the trade-off required to get an emergency patch out there to keep the application running. |
Ok thanks, I thought I did something wrong. I will wait for a patch. Thanks |
As a long time user, just throwing in my $0.02... I am also in favor of simplifying this feature. If I've enabled TouchId, here's what I would like the flow to look like:
That's it. I'd like to just be able to use my FP at all times on my personal PC. For the average user it makes no sense to complicate things further. |
Using TouchID effectively lowers the security of your database. It is still secure against theft from your cloud storage, but you trade a complex master password for your arguably complex, but easily obtainable yet unchangeable fingerprint. I am not against convenience features and for certain passwords a fingerprint may be enough, but I wouldn't want to secure my PayPal or bank accounts with it. As an expert user, you may be able to assess the risks, but if we are talking about the average user, then providing them with this kind of convenience is exactly the wrong approach and the details why that is are rather hard to convey. You have to treat biometrics as usernames, not as passwords. |
@phoerious You're correct, but in KeePassXC, like most fingerprint accessible devices, you still need the original password initially to allow the fingerprinting to work at all, and you can configure timeouts for this. Simplifying the interface isn't going to change anything about the security of the program, which is what this thread is discussing. We don't want to change how the existing process works, just how it's presented to the user. And if a user is concerned enough about security to start using an open-source package manager over something like Dashlane, they're probably capable of making their own decision of what features they want enabled. |
The way it works is that we take your master password and store it in your keychain encrypted by your biometrics. We delete it again once you close KeePassXC or when you lock your computer. If we allowed for TouchID to stay active indefinitely, your master password would stay there indefinitely as well, only protected by your fingerprint. |
@phoerious (please don't interpret as aggressive) What is your request/claim? I understand your concern. Do you want to remove biometrics/fingerprint scanning from KeePassXC? Keep the UI equally obfuscated? I want to ensure this thread is on topic. |
TouchID is a quick-unlock feature, not a replacement for your master password. That is how most KeePass-compatible apps handle it and that is how it will stay for now. There is nothing "obfuscated", that is just how the mechanism works. |
Agreed, please don't view my last message as an attack, I was also a bit confused what exactly you were trying to convey. I agree that "never typing a password again" is not secure enough. But most people are okay with the way their phones work (password on occasion and after restarts). Isn't that authentication flow what we're essentially going for here if fingerprints are enabled? If so, we've discussed just making another button appear for fingerprint authentication if it's available. Conversely, we could also just make users press a button to "unlock" the DB without having the user enter a password first. When the user clicks the button and if they can use their fingerprint it should prompt them to do so, otherwise we prompt for the password. This is obviously harder than just adding a button, but I think it would simplify a lot about the interface. |
That's how this here works as well. Password on occasion (e.g. after screen lock) and after restarts.
How it looks in the UI is debatable and may be addressed by one of our future redesign PRs. I cannot really test any of that, since I don't own a TouchID-compatible device. |
@phoerious Your concerns have been considered. There seems to be interest in improving the UI to facilitate the use of this feature and minimize confusion. I see no problem with this. We're all in agreement. |
Is this being actively worked on? I just switched from LastPass to KeePassXC, from a new user's perspective, it took me a long way (~1 day) until I figured out how to trigger TouchID. I understand using TouchID as replacement for password might be difficult, but we can make things easier for new users:
|
Another thing that is commonly done is to confirm the enablement of Touch ID by touching the sensor. Rather than a checkbox, a button could be used to trigger the confirmation dialogue. |
Nah, confirmation dialogue with touchid should be opened by default when touchid is available. That's how it's done in other password managers. We don't want to have to click on some button every time we want to open database first and only then we can use fingerprint. |
I meant that the button would be used in place of the checkbox. Clicking a button before doing Touch ID every time I open a database would be a pain, I agree. |
These improvements are very much needed. I've been using KeePassXC for 3 years now, and today was the first time I used TouchID to unlock my database: Click "OK" first while |
Agree, don’t press a button when you need to use Touch ID to unlock, it’s too much trouble. Strongbox is designed like this, no need to press a button first, thank you |
I don't like complaining without contributing. I agree it was hard to understand how it works (first unlock to get password into memory for future touchid unlocks and press ok without password with touch id checkbox checked). Thank you and keep up the good work. |
Closed in 2.7.0 |
To further improve the utilization of TouchID on Macbook Pro and make the unlock feature more intuitive to use (see comments in #2720 for pull request #1851), I would like to implement the following changes:
Further additions (edited):
How do you guys feel about this?