Biometric Login
Biometric login flow details for PowerShell Module
How it works
Biometric login allows users to authenticate using a biometric credential (fingerprint, face scan, PIN or other secure token) without entering a password. Keeper treats these credentials as cryptographic tokens tied to the user.
1. Credential Creation (Registration)
A biometric credential is generated locally on the user’s device.
This creates a public/private key pair.
The private key is stored securely on the device and never leaves the device.
The public key is sent to Keeper and registered with the user account.
Keeper now associates this public key with the user for future authentication.
2. Authentication (Login)
When logging in with biometrics, the device signs a cryptographic challenge using the private key.
This signed challenge (token/assertion) is sent to Keeper.
Keeper validates the signature using the previously registered public key.
If validation succeeds:
Keeper treats the token as proof of identity.
The user is granted access to the vault/session.
3. Key Principles
Zero-Knowledge Security – Keeper never receives biometric data or the private key; it only stores the public key.
Device-Bound Credentials – The credential is tied to the device that created it.
Password-less Login – Once registered, the credential can replace the master password or any default 2FA.
Fallback Methods – Users can still use passwords or other 2FA methods if biometric login fails.
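The registration and login steps above, modelled as an added example (not Keeper's code and not part of PowerCommander): a software ECDSA key stands in for the Windows Hello credential, and in-memory hashtables stand in for the server. The function names, the user name and the single-use handling of the challenge are assumptions made for the illustration.

```powershell
# Added illustration; all function and variable names are hypothetical.
$sha256     = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$registered = @{}   # server side: user -> verifier that holds the public key only
$pending    = @{}   # server side: user -> outstanding challenge

function Register-DemoCredential($User, $PublicParams) {
    $verifier = [System.Security.Cryptography.ECDsa]::Create()
    $verifier.ImportParameters($PublicParams)
    $registered[$User] = $verifier
}

function New-DemoChallenge($User) {
    $bytes = New-Object byte[] 32
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    $pending[$User] = $bytes
    return ,$bytes              # unary comma keeps the byte[] intact
}

function Test-DemoAssertion($User, [byte[]]$Signature) {
    $challenge = $pending[$User]
    $pending.Remove($User)      # assumption: a challenge is accepted once, so replays fail
    if ($null -eq $challenge -or -not $registered.ContainsKey($User)) { return $false }
    return $registered[$User].VerifyData($challenge, $Signature, $sha256)
}

# 1. Registration: the device creates the key pair and hands over the public half only.
$user      = 'alice@example.com'   # constructed user name
$deviceKey = [System.Security.Cryptography.ECDsa]::Create()
Register-DemoCredential $user ($deviceKey.ExportParameters($false))

# 2. Login: the server issues a challenge, the device signs it, the server verifies.
$challenge = New-DemoChallenge $user
$assertion = $deviceKey.SignData($challenge, $sha256)
$login     = Test-DemoAssertion $user $assertion

# The same assertion sent again: its challenge has already been consumed.
$replay    = Test-DemoAssertion $user $assertion

# A key pair from a different device signs a fresh challenge.
$otherKey  = [System.Security.Cryptography.ECDsa]::Create()
$fresh     = New-DemoChallenge $user
$foreign   = Test-DemoAssertion $user ($otherKey.SignData($fresh, $sha256))

[pscustomobject]@{ Login = $login; Replay = $replay; OtherDevice = $foreign }
```

Only the first check succeeds: the replayed assertion has no outstanding challenge to match, and the second key pair does not correspond to the registered public key.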
Requirements
PowerCommander supports biometric login with Windows Hello only.
Prerequisites:
Windows 11 or higher
PowerCommander version 1.0.7
Supported Commands
The following commands are supported.
Register Biometric Command
This command creates a new passkey with the currently logged-in user's email. This passkey is used to authenticate the user at login once biometric login has been registered on a device.
To use this command, you have to be logged in on the CLI.
Note:
After executing this command, the user has to register the device with Keeper to use biometrics as the default login method.
Persistent login takes precedence over biometric login, so if the device has persistent login enabled, biometric credentials are not required during login.
Execution:
Register-KeeperBiometricCredential
Support: This command supports Windows Hello only.
Flags:
PassThru: Controls whether the credential ID and related details are printed. When this flag is set, the details are printed; otherwise they are not.
Examples
With PassThru flag
PS>Register-KeeperBiometricCredential -PassThru
Biometric Credential Creation for Keeper
Please complete Windows Hello verification to create the credential...
Credential ID stored for user: <user>
Credential created successfully
Success! Biometric authentication "<user>" has been registered.
Please register your device using the "Set-KeeperDeviceSettings -Register" command to set biometric authentication as your default login method.
Name Value
---- -----
Username <user>
Timestamp 26-09-2025 08:01:08
DisplayName <user>
CredentialId ...W25xo-z_9QyWdti5CsQ
Success True
Without PassThru flag
PS>Register-KeeperBiometricCredential
Biometric Credential Creation for Keeper
Please complete Windows Hello verification to create the credential...
Credential ID stored for user: <user>
Credential created successfully
Success! Biometric authentication "<user>" has been registered.
Please register your device using the "Set-KeeperDeviceSettings -Register" command to set biometric authentication as your default login method.
Show Credential Command
This command shows all the credentials that have been registered to the given account, along with the authenticator type, credential ID, date created and last used date.
To use this command, you have to be logged in on the CLI.
Execution:
Show-KeeperBiometricCredentials
Flags:
IncludeDisabled - Also shows the details of credentials that were used earlier but are no longer active, along with the active ones.
Example
PS> Show-KeeperBiometricCredentials -IncludeDisabled
Registered Biometric Authentication Methods:
----------------------------------------------------------------------
Id: ....w6ZGlzYWJsZWQ=
Name: Platform Authenticator (DISABLED)
Created: 2025-09-25 10:22:17
Last Used: 2025-09-25 11:12:00
----------------------------------------------------------------------
Id: YlDRvVIYsC0.....
Name: Platform Authenticator
Created: 2025-09-25 12:17:10
Last Used: 2025-09-25 12:26:28
----------------------------------------------------------------------
Verify Credential Command
This command authenticates your session with the stored credential. The same functionality is used when logging in with biometrics.
Execution:
Assert-KeeperBiometricCredential
Flags:
Purpose - This can be either login or reauth. It tells the server whether the credential is being checked for logging in or to verify whether we are logged in.
PassThru - Determines whether command output related to the credential ID etc. is shown. By default this is false, so no such output details are shown.
Sample Output
PS> Assert-KeeperBiometricCredential -Purpose vault -PassThru
Verification completed successfully!
Name Value
---- -----
Username <username>
Message Windows Hello authentication with Keeper completed successfully
EncryptedLoginToken {}
Purpose vault
CredentialId ....RRR2nPv78NMuM
Success True
IsValid True
Unregister Credential Command
This command deactivates a biometric credential in Keeper, meaning the Keeper platform will stop accepting the given cryptographic credential for logging in the user.
Execution:
Unregister-KeeperBiometricCredential -CredentialId <credentialId> -PassThru
Flags:
CredentialId - The credential ID of the credential to be deactivated. If nothing is given, all biometric passkeys will be disabled.
PassThru - Filters the result. It is false by default, so no technical output is returned to the user when executing this command; if this flag is given, the user can see the details of the deleted credential.
Example output :
PS>Unregister-KeeperBiometricCredential -PassThru
Are you sure you want to permanently remove ALL biometric authentication for user '<username>'? (y/N): : y
Successfully unregistered passkey on server
Successfully unregistered credential for <username>@keepersecurity.com
Name Value
---- -----
Username <username>
Message Biometric credentials unregistered successfully
CredentialId ......OfRGyfRRR2nPv78NMuM
Success True

