
Biometric Unlock

Biometric unlock lets you use your device’s biometric hardware to unlock Claspt instead of typing your master password each time. Your master key is stored in the operating system’s secure storage, protected by your biometric.

| Platform | Biometric | Secure Storage |
|----------|-----------|----------------|
| macOS | Touch ID | Keychain (Secure Enclave) |
| Windows | Windows Hello (fingerprint, face, PIN) | Credential Manager |
| Linux | Fingerprint (where supported via polkit) | Secret Service API |

  1. Open Settings > Security > Biometric Unlock.
  2. Click Enroll.
  3. Authenticate with your master password to confirm identity.
  4. Complete the biometric prompt (Touch ID, Windows Hello, etc.).
  5. Done. The next time you open Claspt, you’ll see the biometric prompt instead of the password field.

During enrollment, Claspt encrypts your master key and stores it in the OS secure storage. The key is only released when you pass the biometric check.

When you launch Claspt with biometric enabled:

  1. A biometric prompt appears (e.g., “Touch ID to unlock Claspt”).
  2. Authenticate with your fingerprint or face.
  3. The vault unlocks immediately.

If biometric authentication fails 3 times, Claspt falls back to the standard password prompt. This prevents lockout if the sensor is wet, dirty, or unresponsive.

  1. Open Settings > Security > Biometric Unlock.
  2. Click Disable.
  3. Confirm with your master password.

The stored key is removed from the OS secure storage. You’ll need to use your master password to unlock from now on.

Claspt does not store your master key itself. The OS handles secure storage:

  • macOS: The master key is stored in the Keychain, bound to the Secure Enclave. Only a successful Touch ID authentication can retrieve it. The entry is tagged with Claspt’s app identifier and is inaccessible to other apps.
  • Windows: The master key is stored via Windows Credential Manager, protected by Windows Hello. TPM-backed hardware keys are used when available.
  • Linux: The master key is stored via the Secret Service API (GNOME Keyring or KWallet), gated by the fingerprint PAM module.

  • Auto-lock still applies. Even with biometric enabled, the vault locks after the configured inactivity timeout. You’ll need to re-authenticate (biometric or password) to continue.
  • Per-device enrollment. Biometric unlock is configured separately on each device. Enrolling on your MacBook doesn’t affect your Windows machine.
  • No network dependency. Biometric unlock works entirely offline. The OS secure storage is local to the device.
  • Master password remains required for sensitive operations like changing your password, exporting the vault, or re-enrolling biometrics.
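
The macOS storage model described above (a Keychain entry that only a successful Touch ID check can read, and that is deleted when biometric unlock is disabled) can be expressed with Apple's Security framework as follows. This is an added illustration, not Claspt's own code: the service and account strings and the function names are hypothetical, and it assumes a signed app with a keychain access group entitlement, which the data protection keychain requires on macOS.

```swift
import Foundation
import LocalAuthentication
import Security

// Hypothetical identifiers for this sketch; not Claspt's real values.
func baseQuery() -> [String: Any] {
    [kSecClass as String: kSecClassGenericPassword,
     kSecAttrService as String: "com.example.vault",
     kSecAttrAccount as String: "master-key",
     kSecUseDataProtectionKeychain as String: true]  // needed on macOS for access control
}

struct KeychainFailure: Error { let status: OSStatus }

// Disable: delete the stored key; a missing item is not an error.
func disableBiometricUnlock() throws {
    let status = SecItemDelete(baseQuery() as CFDictionary)
    guard status == errSecSuccess || status == errSecItemNotFound else {
        throw KeychainFailure(status: status)
    }
}

// Enroll: store the key so that reading it requires a biometric match.
func enrollBiometricUnlock(masterKey: Data) throws {
    // ThisDeviceOnly: never synced or migrated, so enrollment stays per-device.
    // biometryCurrentSet: the item becomes unreadable if fingerprints change.
    guard let access = SecAccessControlCreateWithFlags(
        nil, kSecAttrAccessibleWhenUnlockedThisDeviceOnly, .biometryCurrentSet, nil)
    else { throw KeychainFailure(status: errSecParam) }
    try disableBiometricUnlock()  // replace any earlier enrollment
    var query = baseQuery()
    query[kSecAttrAccessControl as String] = access
    query[kSecValueData as String] = masterKey
    let status = SecItemAdd(query as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainFailure(status: status) }
}

// Unlock: macOS shows the Touch ID prompt. nil means "show the password field".
func biometricUnlock() throws -> Data? {
    let context = LAContext()
    context.localizedReason = "unlock the vault"
    var query = baseQuery()
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    query[kSecUseAuthenticationContext as String] = context
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    switch status {
    case errSecSuccess: return item as? Data
    case errSecItemNotFound, errSecAuthFailed, errSecUserCanceled: return nil
    default: throw KeychainFailure(status: status)
    }
}
```

Because the access control object omits any device-password fallback flag, a failed or cancelled biometric check never releases the key; the caller has to fall back to its own master password prompt.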