Skip to content

[codex] Retry expired Windows Hello biometric tickets#158

Draft
SirAndrosBot wants to merge 1 commit into
masterfrom
codex/issue-113-decrypt-80098044
Draft

[codex] Retry expired Windows Hello biometric tickets#158
SirAndrosBot wants to merge 1 commit into
masterfrom
codex/issue-113-decrypt-80098044

Conversation

@SirAndrosBot

Copy link
Copy Markdown
Collaborator

What changed

  • Classified NCryptDecrypt status 0x80098044 as WINBIO_E_INVALID_TICKET, meaning the biometric ticket is incorrect or expired.
  • Added it to the existing transient Windows Hello retry policy. The provider now uses the existing retry UI context, three retries, and two-second delay to request a fresh ticket.
  • Added a dedicated presentable AuthProviderInvalidTicketException after retry exhaustion.
  • Preserved the cached database credential when this ticket error occurs.
  • On the normal desktop, the error is shown and KeePass's master-password prompt remains available.
  • When KeePass temporarily redirected an unlock from secure desktop, the temporary main-desktop prompt is cancelled after the error so the user's next attempt returns to secure desktop.
  • Added the new exception source to the legacy PLGX project.

Why

The repeated 0x80098044 reports are authentication-ticket failures, not evidence that the Windows Hello-protected key is corrupt. Several reporters can still decrypt the same cached key by selecting PIN after face recognition fails. Automatically revoking the key would therefore destroy valid credentials and, through the existing invalid-key path, could clear unrelated database entries and disable persistent storage.

Retrying is appropriate because the failing object is the short-lived biometric ticket. The retry obtains a fresh ticket and also gives the user another opportunity to choose PIN. If all retries fail, the plugin now degrades to the normal KeePass password flow without changing stored key material.

Security and state impact

  • No Windows Hello key is deleted or recreated.
  • No Credential Manager entry is removed.
  • No unrelated database cache is touched.
  • Persistent storage remains enabled.
  • Cancellation and all existing provider-status handling remain unchanged.
  • Existing handling for WINBIO_E_DATA_PROTECTION_FAILURE (0x80098046) remains unchanged.

This prompt-timing and credential-preservation behavior was explicitly approved before implementation.

Review

An independent review traced the exception through KeyCipher, ProtectedKey, and KeyManager; verified that the dedicated exception bypasses the generic cache-removal path; checked normal and secure-desktop prompt behavior; and confirmed the exact retry count and unchanged handling of other statuses.

The only review finding was unrelated final-newline churn in the legacy project file. That churn was removed, and follow-up review approved the final patch with no remaining findings.

Validation

  • Release/MONO rebuild of src/KeePassWinHello.csproj
  • FrameworkPathOverride=C:\Windows\Microsoft.NET\Framework\v4.0.30319
  • ReferencePath=C:\proj\KeePassWinHello\lib
  • 0 warnings, 0 errors
  • git diff --check

Manual Windows Hello testing was not performed, because it would require manipulating live biometric/Credential Manager state. Recommended manual coverage is transient and repeated face failures, face failure followed by PIN, local and persistent storage, secure desktop on/off, and elevated/non-elevated KeePass.

Closes #113
Closes #118
Closes #120
Closes #128
Closes #130
Closes #132
Closes #137
Closes #138
Closes #139

@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment