KeePassDX
Advanced unlocking doesn't replace hardware key authentication
KeePassDX 3.5.0. Happy to see YubiKey support! I bought the Pro version as a thank you ❤️🙏🏻
While Advanced unlocking says in its settings menu that it "Lets you scan your biometric to open the database" or "Lets you use your device credential to open the database", it doesn't replace authentication with a hardware token (challenge-response), whereas I expected it to work the same no matter what type of credential the database is protected with. Let me explain...
Use case 1, working: I have a database protected with a password as the sole credential. I can provide the password and then tap the fingerprint icon to set up Advanced unlocking. From then on I can unlock the database with my fingerprint.
Use case 2, not working: I have a database protected with a hardware key as the sole credential. I activate Hardware key and select "Yubikey challenge-response" from the drop-down menu. I then tap the fingerprint icon and it says "Type in the password, and then click this button" (whereas the Password credential wasn't even enabled).
What I expected to happen: I tap the fingerprint icon, it asks to scan my fingerprint and then my hardware key, and from then on lets me unlock the database with my fingerprint and only asks for the hardware key after I make a change to the database. (Just as it would be inconvenient for me to type my password every time I use KeePassDX to fill in some credentials, it's inconvenient to retrieve my keyring and hold it to my phone every time I use KeePassDX to fill in some credentials.)
I always thought Advanced unlocking just stored the decryption key of the database in the device's TPM, but maybe I misunderstood and it just stores the password. In that case, when my only credential is a hardware key with challenge-response, it should store the response (and do so every time it changes as well). (And when I also use a password, it should store the combination of password + response, I guess, while also providing the option to replace only one of the factors with Advanced unlocking.)
Additionally, let me address the fact that people tend to consider a hardware token a second factor for additional security, while it can be perfectly fine to use it as the sole factor. Replacing a password with a hardware key has its own advantages. Please consider this perspective if your gut reaction is something along the lines of "you shouldn't even want to do what you describe here". Thank you.
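The point made above about a cached response going stale, as an added illustration that is not KeePassDX's code: a simplified Python model of a KeePass-style composite key built from a password and a token's HMAC-SHA1 response to the database seed. The token secret, the seed-per-save behaviour and the exact byte layout of the composite key are assumptions of this model, not KeePassDX internals; it shows why a cached password keeps working after a save while a cached challenge-response must be refreshed.

```python
import hashlib
import hmac
import os

# Constructed values for this model; not real secrets.
TOKEN_SECRET = b"\x11" * 20          # HMAC secret programmed into the token slot (assumed)
PASSWORD = b"correct horse battery staple"


def token_response(challenge):
    """Model of a YubiKey HMAC-SHA1 challenge-response slot (assumption)."""
    return hmac.new(TOKEN_SECRET, challenge, hashlib.sha1).digest()


def composite_key(password, response):
    """KeePass-style composite key: SHA-256 over the hashed factors.
    The byte layout is an assumption of this model, not KeePassDX's real code."""
    h = hashlib.sha256()
    if password is not None:
        h.update(hashlib.sha256(password).digest())
    if response is not None:
        h.update(hashlib.sha256(response).digest())
    return h.digest()


def save_database(db):
    """Model: every save rewrites the header with a fresh random seed, which is
    the token challenge, so the response and therefore the key change with it."""
    db["seed"] = os.urandom(32)
    response = token_response(db["seed"]) if db["use_token"] else None
    db["key"] = composite_key(db["password"], response)


def new_database(password, use_token):
    """Create a database protected by a password, a token, or both."""
    db = {"password": password, "use_token": use_token}
    save_database(db)
    return db


def cache_factors(db):
    """What an Advanced-unlocking cache would have to hold (assumption: in a
    real app this would be sealed by the device keystore, not kept in clear)."""
    response = token_response(db["seed"]) if db["use_token"] else None
    return {"password": db["password"], "response": response}


def cached_unlock_works(db, cache):
    """True if the cached factors still reproduce the current database key."""
    candidate = composite_key(cache["password"], cache["response"])
    return hmac.compare_digest(candidate, db["key"])
```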