RESEARCH: Use of Local Biometrics for Authentication - glenw921/TripleCrypt GitHub Wiki
DEPRECATED: There is no way to create an inviolable gate with local biometrics validation, because no reliable key value is returned from the authentication process. The biometric hash is generated, stored, and utilized for authentication entirely inside the OS - there is no browser API access to it.

Local Biometrics (e.g., Windows Hello, Face ID, Touch ID)

Windows Hello (for Windows), Face ID (iOS), and Touch ID (iOS, macOS) are biometric authentication methods available on modern devices that can be used locally and offline. They authenticate the user against locally stored biometric data without requiring an internet connection.
Compatibility:
Windows Hello: Available for PWAs on Windows devices that support it.
Face ID and Touch ID: Supported on Apple devices, but web access to these features is more limited.

Feasibility for TripleCrypt:
Yes, TripleCrypt can use these methods. Modern browsers that support the Web Authentication API (WebAuthn) allow the integration of local biometric authentication. This would be a strong option since it works entirely offline, as long as the device supports it.

How It Works:
The PWA can use the WebAuthn API to request biometric authentication, generating a secure cryptographic key based on the user's biometrics. This key can then be used as part of the 2FA process to decrypt or generate encryption keys for the data.
QUESTIONS:
(1) What happens if the original TripleCrypt host device is lost or broken? How would a TripleCrypt user file be decrypted on a new host? Would the local biometrics created on the original host need to be backed up? If so, how can this be done without exposing TripleCrypt decryption keys? Would a person's biometrics produce the same authentication keys on a different device, or are there device-specific anomalies that would result in each device producing unique keys from the same biometrics?
(2) Should local biometrics be associated with the host device MAC address so that TripleCrypt can tell the user if/when local biometrics can be used to decrypt a file? (Example: user encrypts on Windows device "A" with Hello, then wants to decrypt on iOS device "B" with Face ID.)