Skip to content

[codex] Document Windows Hello method selection limit#145

Draft
SirAndrosBot wants to merge 1 commit into
masterfrom
codex/issue-13-preferred-device
Draft

[codex] Document Windows Hello method selection limit#145
SirAndrosBot wants to merge 1 commit into
masterfrom
codex/issue-13-preferred-device

Conversation

@SirAndrosBot

Copy link
Copy Markdown
Collaborator

Summary

  • Document that KeePassWinHello cannot select or remember a preferred Windows Hello method or device.
  • Clarify that the plugin asks Windows Hello to authorize a cryptographic key operation, while Windows controls available methods and the method shown by the dialog.

Why

Issue #13 asks the plugin to remember a preferred Face/IR, fingerprint, or PIN method. The current CNG/Microsoft Passport integration exposes prompt context and key-operation authorization, but not a supported modality/device selector. Adding a fake option would misrepresent plugin control and risk changing security-sensitive prompt behavior without a real implementation path.

Refs #13.

Validation

  • Worker sub-agent investigated the CNG/Windows Hello path and found no supported modality/device selection property in the repo integration surface.
  • Reviewer sub-agent found no actionable issues and recommended a docs-only PR using Refs rather than Fixes.
  • git diff --check

Build was not run because this is a README-only documentation change.

@sonarqubecloud

Copy link
Copy Markdown

@SirAndrosBot

Copy link
Copy Markdown
Collaborator Author

Additional low-level API check for the Windows Hello method/device-selection limitation:

  • The plugin's actual unlock path is CNG/NGC: Microsoft Passport Key Storage Provider plus NCryptDecrypt, with NCRYPT_WINDOW_HANDLE_PROPERTY, NCRYPT_USE_CONTEXT_PROPERTY, NgcCacheType, and PinCacheIsGestureRequired as the relevant prompt/key-operation controls. I did not find a supported CNG/NCrypt property that selects or persists a Windows Hello modality/device such as face, fingerprint, or PIN.
  • NCRYPT_UI_POLICY_PROPERTY can control strong-key UI policy text/flags, but it does not expose a face/fingerprint/PIN or device selector.
  • The lower-level Windows Biometric Framework APIs (WinBioEnumBiometricUnits, WinBioVerify, WinBioIdentify) can enumerate/verify fingerprint devices/subfactors, but they are a separate fingerprint-biometric API. They do not authorize the NGC private-key decrypt operation used by this plugin, and they do not cover Windows Hello face/PIN.
  • Therefore, even with lower-level Win32/WinBio calls, the plugin cannot make Windows Hello choose IR face vs a specific fingerprint reader vs PIN for the CNG key-unseal dialog. Implementing a custom WinBio flow would not be equivalent to the current Windows Hello-backed key operation and would materially change the security model.

So the docs-only conclusion still looks correct: Windows owns the available methods and the method shown by the Windows Hello dialog.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants