Photok
Use fingerprint reader on devices that support it
Will you consider this and can it be done? It is much easier than typing a complicated password.
Soooooo. Big topic.
Will you consider
This was considered from the beginning; that's the reason the app requires Android 7. I would love to implement this, but there are a few things to think about.
can it be done
That's what could cause problems.
An explanation:
The only place your password is "saved" is a bcrypt hash in the app config. It is used to check if you entered the right password. Your password is also used for encryption. In short: the SHA-256 binary hash value is used as the encryption key. This way the password is not stored in the device's keystore. I did this for security reasons.
The problem:
Since you would not enter a password, the app would need to store the binary hash in some way, once you enable fingerprint.
So we need to really think this out and create a concept, to communicate this to the user.
Anyway
This is on my feature list, it's just not that easy to implement. Ideas about a concept are welcome 🙂
On devices that have hardware-backed key stores like the Titan M chip, which provide significantly higher assurance for security, would this not be a better place to store it instead of with the app config, which sounds much less secure?
The password is not really saved in the app config. This is just a bcrypt hash, used to check against the entered password.
The encryption key is generated from the password every time.
Anyway, the Android Keystore would be the place to store the encryption key, if fingerprint auth is enabled.
I think that one way to go could be:
- First, support for secondary databases #83 , distinguishing them from the main vault.
- Fingerprinting is only allowed on secondary databases, for less important data that can be accessed more conveniently, but less securely.
- This, plus a warning to the user ("do not repeat passwords!" warning too), should suggest that the most sensitive data should be placed in the main vault in a most intuitive way.
I don't know about this @VioletFalcon. You should be able to use fingerprint everywhere.
It's just a matter of communicating what it means to use it. The app needs to tell the user that his encryption key has to be saved in order to use this feature. The same goes for backup codes and the like.
I have a possibly stupid (since I am not familiar with Android development) question:
Anyway, the Android Keystore would be the place to store the encryption key, if fingerprint auth is enabled.
Isn't this already enough? The encryption key is safe if it is itself encrypted with the Android Keystore, right?
Yes, very safe.
I have a possibly stupid (since I am not familiar with Android development) question:
Anyway, the Android Keystore would be the place to store the encryption key, if fingerprint auth is enabled.
Isn't this already enough? The encryption key is safe if it is itself encrypted with the Android Keystore, right?
Yes, this is the most secure way to implement this feature.
Final Definition
- Implement fingerprint unlock
- Store the encryption key in the Android Keystore
- Communicate to the user that the key is being stored, and where it is being stored
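As an added illustration (not Photok's code, and not part of this thread), here is one way the "Final Definition" above could be realised on top of the scheme described earlier in the thread (SHA-256 of the password used directly as the AES key, bcrypt hash only for the password check). The vault key is never written to the config in the clear: a second, non-exportable AES key is generated inside the Android Keystore with `setUserAuthenticationRequired(true)`, and only the vault key *wrapped* by that key (plus the GCM IV) is persisted. The wrapping key can only complete an operation after a successful `BiometricPrompt`, so a stolen config file yields nothing without the device and the enrolled finger. The object name `BiometricVaultKey`, the alias `photok_vault_wrap_key`, the `WrappedKey` class and the `stored` variable in the usage sketch are all assumptions for this example; the Keystore and `androidx.biometric` APIs are real.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricPrompt
import java.security.KeyStore
import java.security.MessageDigest
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.SecretKeySpec

// Hypothetical helper for this example; not Photok's implementation.
object BiometricVaultKey {
    private const val KEYSTORE = "AndroidKeyStore"
    private const val WRAP_ALIAS = "photok_vault_wrap_key" // assumed alias
    private const val TRANSFORMATION = "AES/GCM/NoPadding"
    private const val GCM_TAG_BITS = 128

    /** What is persisted in the app config when fingerprint unlock is enabled: never the raw key. */
    class WrappedKey(val iv: ByteArray, val ciphertext: ByteArray)

    /** Vault key as described in the thread: raw SHA-256 of the password, used directly as an AES-256 key. */
    fun deriveVaultKey(password: CharArray): SecretKey {
        val digest = MessageDigest.getInstance("SHA-256")
            .digest(String(password).toByteArray(Charsets.UTF_8))
        return SecretKeySpec(digest, "AES")
    }

    /**
     * Returns the hardware-backed wrapping key, generating it on first use.
     * The key material never leaves the Keystore; every doFinal() on it
     * must be authorised by a biometric prompt (no validity window).
     */
    fun getOrCreateWrapKey(): SecretKey {
        val ks = KeyStore.getInstance(KEYSTORE).apply { load(null) }
        (ks.getKey(WRAP_ALIAS, null) as? SecretKey)?.let { return it }
        val spec = KeyGenParameterSpec.Builder(
            WRAP_ALIAS,
            KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
        )
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setKeySize(256)
            .setUserAuthenticationRequired(true)
            // Newly enrolled fingerprints must not be able to unlock the vault.
            .setInvalidatedByBiometricEnrollment(true)
            .build()
        return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE)
            .apply { init(spec) }
            .generateKey()
    }

    /** Cipher to hand to BiometricPrompt.CryptoObject when enabling fingerprint unlock. */
    fun wrapCipher(): Cipher =
        Cipher.getInstance(TRANSFORMATION).apply { init(Cipher.ENCRYPT_MODE, getOrCreateWrapKey()) }

    /**
     * Cipher to hand to BiometricPrompt.CryptoObject when unlocking.
     * Throws KeyPermanentlyInvalidatedException if biometrics changed since
     * enrolment; the caller should delete the alias and fall back to the password.
     */
    fun unwrapCipher(stored: WrappedKey): Cipher =
        Cipher.getInstance(TRANSFORMATION).apply {
            init(Cipher.DECRYPT_MODE, getOrCreateWrapKey(), GCMParameterSpec(GCM_TAG_BITS, stored.iv))
        }

    /** Run only with a cipher that came back from a successful BiometricPrompt. */
    fun wrap(authedCipher: Cipher, vaultKey: SecretKey): WrappedKey =
        WrappedKey(authedCipher.iv, authedCipher.doFinal(vaultKey.encoded))

    fun unwrap(authedCipher: Cipher, stored: WrappedKey): SecretKey =
        SecretKeySpec(authedCipher.doFinal(stored.ciphertext), "AES")

    /** Disable fingerprint unlock: drop the wrapping key so the stored blob becomes useless. */
    fun forget() {
        KeyStore.getInstance(KEYSTORE).apply { load(null) }.deleteEntry(WRAP_ALIAS)
    }
}

// Usage sketch inside an Activity/Fragment (executor, promptInfo and `stored` assumed to exist):
fun unlockWithFingerprint(activity: androidx.fragment.app.FragmentActivity, stored: BiometricVaultKey.WrappedKey) {
    val cipher = try {
        BiometricVaultKey.unwrapCipher(stored)
    } catch (e: KeyPermanentlyInvalidatedException) {
        BiometricVaultKey.forget()
        return // ask for the password instead and re-enable fingerprint afterwards
    }
    val executor = androidx.core.content.ContextCompat.getMainExecutor(activity)
    val prompt = BiometricPrompt(activity, executor, object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
            val authed = result.cryptoObject?.cipher ?: return
            val vaultKey = BiometricVaultKey.unwrap(authed, stored)
            // vaultKey now lives only in process memory; use it to open the vault.
        }
    })
    val promptInfo = BiometricPrompt.PromptInfo.Builder()
        .setTitle("Unlock Photok")
        .setNegativeButtonText("Use password")
        .build()
    prompt.authenticate(promptInfo, BiometricPrompt.CryptoObject(cipher))
}
```

Two points a practitioner would want to verify on a real device: first, that `doFinal` on the wrapping key really fails with `UserNotAuthenticatedException` when called without going through `CryptoObject` (that is the property the whole design rests on); second, whether the generated key is actually hardware-backed on that device (`KeyInfo.isInsideSecureHardware()`, or the StrongBox flag on Titan-class hardware), since a software Keystore still protects the blob at rest but offers far weaker assurance against a rooted device.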
Maybe use the fingerprint hash to encrypt the key.
Hi, do you have any news about this feature? (It is much missed, especially since most devices now have a fingerprint reader.)
Thank you very much
@Ilithy Currently, there is no active development on Photok.
But this feature is pretty high on the roadmap.
@Ilithy You can see the priorities for new features in this column of the project board: https://github.com/leonlatsch/Photok/projects/1#column-15814101
Thank you for the information, I did not look carefully enough, my apologies.