User Verification - Kunzisoft/KeePassDX GitHub Wiki

To add a new layer of security and comply with WebAuthn specifications, KeePassDX has added User Verification (UV) since version 4.3.0.

User Verification is a behavior that allows KeePassDX to verify that you are the user requesting a sensitive action at the time of that action.

UV was added to comply with the Web Authentication (WebAuthn) authentication ceremony, which lets users sign in to third-party services without ever viewing their credentials directly. It also prevents careless mistakes if your device falls into the wrong hands for a short period of time.

User Verification mode

You may not want to use this verification at all, for example because you simply want to reorganize your database or display your passwords so you can read them frequently.

In this case, simply open your database with User Verification mode disabled by clicking on the verified user icon on the opening page of your database. (Available since version 4.3.1)

[Screenshots: the verified user icon with UV enabled and with UV disabled]

User Verification mode is defined when a database is opened and cannot be changed until that database is closed.

Please note that the methods for connecting to third-party services with autofill and magikeyboard have been greatly improved, and it is much less necessary to view or copy a password in order to use it. If your database remains open with UV mode disabled and the connection to a third-party service requires UV, you will not be able to connect.

The default value of the UV mode can be changed in Settings - App settings - User verification mode.

Protected Field

To protect an input field from quick viewing, a UV is required for each sensitive field, including password fields, credit card fields, OTP fields, and custom fields tagged as protected. A UV is also performed when a user requests to edit an existing Passkey entry.

Settings

The UV is also added to the database settings, which prevents other users from opportunistically changing the encryption or master password.

User Verification dialogs

User Verification can appear in two different ways on your device to allow you to use your database in all cases.

Database password prefix

If no screen lock is set on your device, you can use the prefix of your database password to perform User Verification. Simply enter the first 4 digits of your password.

[Screenshot: the database password prefix dialog]

This eliminates the need to retype a very long password or use a complex workflow with a hardware key or key file.

Device Credential

If you have set up a screen lock on your device, then the method used to unlock your device will also be used for User Verification.

For example, if you used a Pattern, then the UV will be done with the Pattern.

The use of device credentials can be disabled, so that only the database password prefix is used, in Settings - App Settings - User Verification Credential.

Credential Unlocking difference

The Device Credential used with User Verification should not be confused with Device Unlocking, which allows you to unlock your database.

Even though the two dialogs may look similar, they perform two very different technical actions.

  • Device Unlocking uses your device's Keystore, to which your master password is linked, in order to decrypt your database.
  • Device Credential in User Verification does not perform any encryption or decryption.

Note: Device Credential may work while Device Unlock may not, depending on the technical implementations of your device's OS.

Login ceremony

Passkey

User Verification secures WebAuthn login ceremonies to external services and protects quick access to sensitive data. The implementation follows the official documentation and handles each level of the userVerification requirement.

If the database is closed at the start of the ceremony, the user is verified while it is opened, because UV is explicitly performed during authentication.

A Passkey ceremony always opens a closed database with User Verification mode enabled.

When the database is open at the start of the ceremony and UV mode is enabled:

  • If the Relying Party (RP) requirement is discouraged, no User Verification (UV) is performed and authentication is carried out.
  • If the RP requirement is preferred, KeePassDX performs a UV or not depending on the Form filling - Passkeys settings - Preferred User Verification setting, which lets the user force UV for preferred, and returns the UV flag as true or false accordingly. If the flag is false, the server may request additional verification such as 2FA and slow down the user's authentication; the setting is useful precisely in this case.
  • If the RP requirement is required, UV is mandatory and is therefore always performed during the ceremony.

If a database is already open and User Verification mode is disabled:

  • If the Relying Party (RP) requirement is discouraged, no User Verification (UV) is performed and authentication is carried out.
  • If the RP requirement is preferred, KeePassDX will either perform a UV or show an error indicating that the database is not open in User Verification mode, depending on the Form filling - Passkeys settings - Preferred User Verification setting.
  • If the RP requirement is required, an error indicating that the database is not open in User Verification mode appears. You must then close the database and restart the authentication process with User Verification mode enabled.
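The decision rules above, as an added example that models the ceremony as a small function (example code written for this wiki page, not KeePassDX's own implementation). It assumes that, with UV mode disabled and a preferred requirement, the "Preferred User Verification" setting decides between proceeding without UV and raising the not-in-UV-mode error; the `uv_flag` value is what the RP would see in the authenticator data.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class DbState(Enum):
    CLOSED = "closed"
    OPEN_UV_ENABLED = "open, UV mode enabled"
    OPEN_UV_DISABLED = "open, UV mode disabled"

class UvRequirement(Enum):
    # The three WebAuthn userVerification values a Relying Party can request.
    DISCOURAGED = "discouraged"
    PREFERRED = "preferred"
    REQUIRED = "required"

@dataclass(frozen=True)
class Outcome:
    uv_performed: bool          # did KeePassDX show a UV dialog?
    uv_flag: bool               # UV flag returned to the RP
    error: Optional[str] = None # set when the ceremony cannot continue

NOT_IN_UV_MODE = "database is not open in User Verification mode"

def passkey_ceremony(db: DbState, rp: UvRequirement,
                     force_uv_for_preferred: bool) -> Outcome:
    """Hypothetical model of the UV decision for one passkey login."""
    if db is DbState.CLOSED:
        # A closed database is opened with UV mode enabled, and the user
        # is verified during that opening, whatever the RP asked for.
        return Outcome(uv_performed=True, uv_flag=True)
    if rp is UvRequirement.DISCOURAGED:
        return Outcome(uv_performed=False, uv_flag=False)
    # "required" always needs UV; "preferred" needs it only when the
    # Form filling - Passkeys - Preferred User Verification setting forces it.
    wants_uv = rp is UvRequirement.REQUIRED or force_uv_for_preferred
    if not wants_uv:
        # Flag false: the RP may step up with 2FA on its side.
        return Outcome(uv_performed=False, uv_flag=False)
    if db is DbState.OPEN_UV_ENABLED:
        return Outcome(uv_performed=True, uv_flag=True)
    # UV is wanted but the database was opened with UV mode disabled.
    return Outcome(uv_performed=False, uv_flag=False, error=NOT_IN_UV_MODE)

if __name__ == "__main__":
    for db in DbState:
        for rp in UvRequirement:
            for force in (False, True):
                print(db.value, rp.value, "force" if force else "no-force",
                      passkey_ceremony(db, rp, force))
```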

Clipboard

The clipboard copy is a dangerous feature if it contains sensitive data such as passwords or protected fields. To ensure that it is indeed the user who is copying this sensitive data, a User Verification check is performed before placing the data in the clipboard shared with other applications on the device.

Note that if a protected field is displayed after a UV, the copy can be performed directly.

In all cases, it is recommended to use Magikeyboard and Autofill (https://github.com/Kunzisoft/KeePassDX/wiki/AutoFill), which are more secure.

Limitation

User Verification only allows the application to verify you for quick access to data, but it does not prevent the deletion of that data. Technically, your database is still open and the data is in memory, so it is imperative that you lock your database after you have finished your tasks to encrypt your data.

Quick unlock in other applications works technically in the same way: the database is already open and the data is already decrypted in RAM. The only difference is that KeePassDX performs the check for each specific action, so there is no confusion about whether a database is already decrypted.

Because this feature is subject to debate and creates a tension between user experience and standards compliance, a discussion thread has been opened on the subject: https://github.com/Kunzisoft/KeePassDX/issues/2283