# Biometric login Commands ### How it works Biometric login allows users to authenticate using a **biometric credential** (fingerprint, face scan, or other secure token) without entering a password. Keeper treats these credentials as cryptographic tokens tied to the user. Biometric (Windows Hello) must be configured in your windows device. For more detail you can refer Windows Hello configuration guide [here](https://support.microsoft.com/en-us/windows/configure-windows-hello-dae28983-8242-bb2a-d3d1-87c9d265a5f0). #### 1. Credential Creation (Registration) * A **biometric credential** is generated locally on the user’s device. * This creates a **public/private key pair**. * The private key is stored securely on the device and **never leaves the device**. * The **public key** is sent to Keeper and registered with the user account. * Keeper now associates this public key with the user for future authentication. #### 2. Authentication (Login) * When logging in with biometrics, the device signs a **cryptographic challenge** using the private key. * This signed challenge (token/assertion) is sent to Keeper. * Keeper validates the signature using the previously registered public key. * If validation succeeds: * Keeper treats the token as proof of identity. * The user is granted access to the vault/session. #### 3. Key Principles * **Zero-Knowledge Security** – Keeper never receives biometric data or the private key; it only stores the public key. * **Device-Bound Credentials** – The credential is tied to the device that created it. * **Password-less Login** – Once registered, the credential can replace the master password or act as a second factor. * **Fallback Methods** – Users can still use passwords or other 2FA methods if biometric login fails. ### Requirements {% tabs %} {% tab title="PowerCommander" %} Power Commander supports Biometric login with windows hello only. **Prerequisites:** 1. Needs windows 11 or higher 2. PowerCommander version 1.0.7 {% endtab %} {% tab title="Python CLI" %} Python CLI supports biometric login with both windows hello and MacOS\ Python 3.10 or higher is required {% endtab %} {% tab title="DotNet CLI" %} This set of commands are only supported for dotnet 472 on windows. {% endtab %} {% endtabs %} #### Supported Commands This is list of commands supported 1. [Register Credential Command](#register-biometric-command) 2. [Show Credential Command](#show-credential-command) 3. [Verify Credential Command](#verify-credential-command) 4. [Unregister biometric Command](#unregister-credential-command) 5. [Change Name Command](#change-name-command) ### Register Biometric Command This command creates a new passkey with currently logged in user's email. This passkey will be used for authenticating user when they want to login once we set biometric login as default login method. To use this command you have to be logged in on CLI. **Note:** 1. After executing this command, user has to register the device with Keeper to use biometric as default login method. 2. Persistent login takes precedence over biometric login, so if the device has persistent login enabled, biometric credentials are not verified during login {% tabs %} {% tab title="PowerCommander" %} ```powershell Register-KeeperBiometricCredential ``` **Support:** This Command supports windows hello only. **Flags**: `PassThru` **:** this flag will prevent printing of credential ID and such details from printing, when set to `true` this prints the details, else details are not printed**.** **Examples** *With PassThru flag* ```powershell PS> Register-KeeperBiometricCredential -PassThru Biometric Credential Creation for Keeper Please complete Windows Hello verification to create the credential... Credential ID stored for user: Credential created successfully Success! Biometric authentication "" has been registered. Please register your device using the "Set-KeeperDeviceSettings -Register" command to set biometric authentication as your default login method. Name Value ---- ----- Username Timestamp 26-09-2025 08:01:08 DisplayName CredentialId ...W25xo-z_9QyWdti5CsQ Success True ``` *Without PassThru flag* ```powershell PS>Register-KeeperBiometricCredential Biometric Credential Creation for Keeper Please complete Windows Hello verification to create the credential... Credential ID stored for user: Credential created successfully Success! Biometric authentication "" has been registered. Please register your device using the "Set-KeeperDeviceSettings -Register" command to set biometric authentication as your default login method. ``` {% endtab %} {% tab title="Python CLI" %} ```shell My Vault> biometric register ``` **Support**: This command supports both windows and MacOS {% endtab %} {% tab title="DotNet CLI" %} ```bash biometric register ``` This command creates a new passkey with currently logged in user's email. this passkey will be used for authenticating user when they want to login once we register biometric login on a device. To use this command, you have to be logged in on CLI. **Note:** 1. After executing this command, user has to register the device with Keeper to use biometric as default login method. 2. Persistent login takes precedence over biometric login, so if the device has persistent login enabled, biometric credentials are not required during login. 3. Only supported on windows and for build with net472 framework. {% endtab %} {% endtabs %} ### Show Credential Command This command shows all the credentials which have been registered to the given account, along with the authenticator type, credential ID, date created and last used date To use this command you have to be logged in on CLI {% tabs %} {% tab title="PowerCommander" %} ```powershell Show-KeeperBiometricCredentials ``` **Flags** `IncludeDisabled` *-* This will show the details of credentials which are used earlier but are no longer active along with active ones **Example** ```powershell PS> Show-KeeperBiometricCredentials -IncludeDisabled Registered Biometric Authentication Methods: ---------------------------------------------------------------------- Id: ....w6ZGlzYWJsZWQ= Name: Platform Authenticator (DISABLED) Created: 2025-09-25 10:22:17 Last Used: 2025-09-25 11:12:00 ---------------------------------------------------------------------- Id: YlDRvVIYsC0..... Name: Platform Authenticator Created: 2025-09-25 12:17:10 Last Used: 2025-09-25 12:26:28 ---------------------------------------------------------------------- ``` {% endtab %} {% tab title="Python CLI" %} ```sh My Vault> biometric list ``` **Sample Output:** ```shell Registered Biometric Authentication Methods: ---------------------------------------------------------------------- Name: Commander CLI (MacBook) Created: December 20, 2023 Last Used: Today ---------------------------------------------------------------------- Name: iCloud Keychain Created: December 18, 2023 Last Used: July 10, 2025 ---------------------------------------------------------------------- Name: Chrome on Mac Created: November 15, 2023 Last Used: Never ---------------------------------------------------------------------- ``` {% endtab %} {% tab title="DotNet CLI" %} This command shows all the credentials which have been registered to the given account, along with the authenticator type, credential ID, date created and last used date To use this command, you have to be logged in on CLI **Example:** ``` My Vault> biometric list Listing Windows Hello biometric credentials... # Friendly Name Provider Created Last Used Status --- ------------- ---------------------- ---------------- ---------------- ------ 1 Windows Hello Windows Hello 2025-10-10 19:41 2025-10-10 19:42 Active 2 Windows Hello Windows Hello 2025-10-29 12:59 2025-10-29 14:14 Active Rem ``` {% endtab %} {% endtabs %} ### Verify Credential Command This command will be used to authenticate your session with credential stored. This same functionality will be used when we are trying to login using biometrics {% tabs %} {% tab title="PowerCommander" %} ```powershell Assert-KeeperBiometricCredential ``` **Flags**: `Purpose` - This can be either `login` or `reauth` . This tells the server whether we are trying to check credential for logging in or to verify whether we are logged in. `PassThru` **-** This will decide whether we are showing the command output related to credential ID etc . by default this is false, so we wont be seeing any such output details **Sample Output** ```powershell PS> Assert-KeeperBiometricCredential -Purpose vault -PassThru Verification completed successfully! Name Value ---- ----- Username Message Windows Hello authentication with Keeper completed successfully EncryptedLoginToken {} Purpose vault CredentialId ....RRR2nPv78NMuM Success True IsValid True ``` {% endtab %} {% tab title="Python CLI" %} ```sh My Vault> biometric verify ``` **Flags:** **--purpose** - this can be `vault` or `reauth`. This flag will set the purpose to vault/reauth. this is optional flag **Example output:** ``` Please complete biometric authentication... Biometric Authentication Verification Results: ================================================== Status: SUCCESSFUL Purpose: LOGIN Login Token: Received Your biometric authentication is working correctly! ================================================== ``` {% endtab %} {% tab title="DotNet CLI" %} This command will be used to authenticate your session with credential stored. This same functionality will be used when we are trying to login using biometrics. **Example:** ```bash My Vault> biometric verify Verifying Windows Hello authentication for '' (purpose: vault)... Windows Hello verification successful. My Vault> biometric verify --purpose=login Verifying Windows Hello authentication for '' (purpose: login)... Windows Hello verification successful. ``` {% endtab %} {% endtabs %} ### Unregister Credential Command This command will be used to deactivate credential from keeper, meaning the keeper platform will stop accepting the given cryptographic credential as tied to user {% tabs %} {% tab title="PowerCommander" %} ```powershell Unregister-KeeperBiometricCredential -CredentialId -PassThru ``` **Flags :** `CredentialId` - this is the credential ID of the credential to be deactivated. if nothing is given then all `PassThru` - This is the filter for result, this is by default false, so no output related to technicalities is returned to user when executing this command, but if this flag is given, then user can see the details of credential deleted **Example output :** ```powershell PS>Unregister-KeeperBiometricCredential -PassThru Are you sure you want to permanently remove ALL biometric authentication for user ''? (y/N): : y Successfully unregistered passkey on server Successfully unregistered credential for @keepersecurity.com Name Value ---- ----- Username Message Biometric credentials unregistered successfully CredentialId ......OfRGyfRRR2nPv78NMuM Success True ``` {% endtab %} {% tab title="Python CLI" %} ```sh My Vault> biometric unregister ``` **Flags** **--confirm** : this will skip the verification dialog **Output examples** ``` Are you sure you want to disable biometric authentication for user 'user@example.com'? (y/n): y Biometric authentication has been completely removed for user 'user@example.com'. Default authentication will be used for future logins. ``` {% endtab %} {% tab title="DotNet CLI" %} This command will be used to deactivate biometric credential from Keeper, meaning the Keeper platform will stop accepting the given cryptographic credential for logging in the user. **Example:** ```bash My Vault> biometric remove Are you sure you want to remove Windows Hello biometric credential for ''? (y/N): y Biometric credential removed for user: '' ``` {% endtab %} {% endtabs %} ### Change Name Command This command changes the display name of the given device {% tabs %} {% tab title="PowerCommander" %} Not Implemented {% endtab %} {% tab title="Python CLI" %} ```sh My Vault> biometric update-name ``` This command provides an interactive interface to: 1. Select from available credentials 2. Enter a new friendly name (max 32 characters) 3. Confirm the update **Example output:** ``` Found 2 biometric credential(s) with friendly names Available Biometric Credentials: -------------------------------------------------- 1. Commander CLI (MacBook) Created: January 15, 2024 Last Used: Today 2. Commander CLI (Desktop) Created: January 10, 2024 Last Used: January 18, 2024 Select credential number (1-2): 1 Selected: Commander CLI (MacBook) Current Name: Commander CLI (MacBook) Enter a new friendly name (max 32 characters): New name: Personal MacBook Update Summary: -------------------- Current Name: Commander CLI (MacBook) New Name: Personal MacBook Proceed with update? (y/n): y Passkey Update Results: ============================== Status: Success Old Name: Commander CLI (MacBook) New Name: Personal MacBook Message: Passkey friendly name was successfully updated ============================== ``` {% endtab %} {% endtabs %}