[BUG] Passphrase caching requires 2-5 biometric inputs to authenticate

Open 31j opened this issue 2 years ago • 5 comments

Describe the bug

When autofilling credentials on a website, password caching requires more than 1 biometric authentication. Normal passphrase mode only requires 1 input of the password for the GPG keys to decrypt the secrets.

Steps to reproduce

Steps to reproduce the behavior:

  1. Go to Settings -> PGP Settings
  2. Click on Enable Passphrase Caching
  3. Open web browser and navigate to a site requiring credentials
  4. Click on the pop-up
  5. Decryption requires 2-5 fingerprint presses / iris scans

Expected behavior

To decrypt secrets, it should only take 1 successful biometric input rather than several.

Screenshots

No response

Device information

  • Device: Samsung Galaxy Note 9
  • OS: Android Q (10)
  • App version: 2.0.0-SNAPSHOT

Additional context

  • Web Browser: Brave
  • The SSH Biometric authentication only requires 1 biometric input

Sep 16 '23 16:09 31j

That shouldn't be happening 🤔

I know that on multi-page forms you will get prompted for each page you fill a field on, is that what you're talking about?

The reason for the app requesting authentication each time is that while the platform considers a successful biometric auth as valid for a fixed period of time, it doesn't tell the app if it has a valid authentication window active so we can't assume that it is. That's why the app will authenticate you each time it unlocks the passphrase cache to decrypt the entry.

Sep 16 '23 18:09 msfjarvis

> I know that on multi-page forms you will get prompted for each page you fill a field on, is that what you're talking about?

This isn't what I'm referring to; I'm referring to filling in a singular field. I've attached a video showing the issue on GitHub where it requires two fingerprint presses.

The "no match" that happened once or twice is likely because I have a papercut on my finger, but this issue still happened even when that wasn't the case so just ignore that :p

https://github.com/android-password-store/Android-Password-Store/assets/32624322/b12d533a-3304-44b3-a5fb-f364d91bf08c

Sep 16 '23 18:09 31j

I genuinely cannot find a bug in this recording. I'll recount what I'm seeing here, and you can tell me what part I got wrong.

  1. You went to GitHub.com and initiated an Autofill request
  2. You failed to use your fingerprint a few times
  3. Fingerprint auth finally succeeded, and your username and password got filled in
  4. You selected the contents of the password field and cleared them
  5. Another autofill request was initiated
  6. You failed fingerprint authentication a few more times
  7. Fingerprint auth succeeded again, Password Store filled in your password again
  8. Video ends.

Sep 16 '23 18:09 msfjarvis

Every time the prompt comes up again is a new request after successful verification.

The iris scanning one is probably a better example since it doesn't fail. Or is it meant to happen multiple times?

https://github.com/android-password-store/Android-Password-Store/assets/32624322/0d732704-65f3-40f1-b4a2-dbef58afb988

Sep 16 '23 19:09 31j

That demonstrates it better, thanks. It's not supposed to be triggered multiple times and doesn't do so on my devices, but it might be an Iris + Fingerprint quirk that needs specialised handling.

Sep 16 '23 19:09 msfjarvis