Biometric login Commands
This page details on how keeper uses biometric login in different platforms
How it works
Biometric login allows users to authenticate using a biometric credential (fingerprint, face scan, or other secure token) without entering a password. Keeper treats these credentials as cryptographic tokens tied to the user.
Biometric (Windows Hello) must be configured in your windows device. For more detail you can refer Windows Hello configuration guide here.
1. Credential Creation (Registration)
A biometric credential is generated locally on the user’s device.
This creates a public/private key pair.
The private key is stored securely on the device and never leaves the device.
The public key is sent to Keeper and registered with the user account.
Keeper now associates this public key with the user for future authentication.
2. Authentication (Login)
When logging in with biometrics, the device signs a cryptographic challenge using the private key.
This signed challenge (token/assertion) is sent to Keeper.
Keeper validates the signature using the previously registered public key.
If validation succeeds:
Keeper treats the token as proof of identity.
The user is granted access to the vault/session.
3. Key Principles
Zero-Knowledge Security – Keeper never receives biometric data or the private key; it only stores the public key.
Device-Bound Credentials – The credential is tied to the device that created it.
Password-less Login – Once registered, the credential can replace the master password or act as a second factor.
Fallback Methods – Users can still use passwords or other 2FA methods if biometric login fails.
Requirements
Power Commander supports Biometric login with windows hello only.
Prerequisites:
Needs windows 11 or higher
PowerCommander version 1.0.7
Python CLI supports biometric login with both windows hello and MacOS Python 3.10 or higher is required
This set of commands are only supported for dotnet 472 on windows.
Supported Commands
This is list of commands supported
Register Biometric Command
This command creates a new passkey with currently logged in user's email. This passkey will be used for authenticating user when they want to login once we set biometric login as default login method.
To use this command you have to be logged in on CLI.
Note:
After executing this command, user has to register the device with Keeper to use biometric as default login method.
Persistent login takes precedence over biometric login, so if the device has persistent login enabled, biometric credentials are not verified during login
Support: This Command supports windows hello only.
Flags:
PassThru : this flag will prevent printing of credential ID and such details from printing, when set to true this prints the details, else details are not printed.
Examples
With PassThru flag
Without PassThru flag
Support: This command supports both windows and MacOS
This command creates a new passkey with currently logged in user's email. this passkey will be used for authenticating user when they want to login once we register biometric login on a device.
To use this command, you have to be logged in on CLI.
Note:
After executing this command, user has to register the device with Keeper to use biometric as default login method.
Persistent login takes precedence over biometric login, so if the device has persistent login enabled, biometric credentials are not required during login.
Only supported on windows and for build with net472 framework.
Show Credential Command
This command shows all the credentials which have been registered to the given account, along with the authenticator type, credential ID, date created and last used date
To use this command you have to be logged in on CLI
Flags
IncludeDisabled - This will show the details of credentials which are used earlier but are no longer active along with active ones
Example
Sample Output:
This command shows all the credentials which have been registered to the given account, along with the authenticator type, credential ID, date created and last used date
To use this command, you have to be logged in on CLI
Example:
Verify Credential Command
This command will be used to authenticate your session with credential stored. This same functionality will be used when we are trying to login using biometrics
Flags:
Purpose - This can be either login or reauth . This tells the server whether we are trying to check credential for logging in or to verify whether we are logged in.
PassThru - This will decide whether we are showing the command output related to credential ID etc . by default this is false, so we wont be seeing any such output details
Sample Output
Flags:
--purpose - this can be vault or reauth. This flag will set the purpose to vault/reauth. this is optional flag
Example output:
This command will be used to authenticate your session with credential stored. This same functionality will be used when we are trying to login using biometrics.
Example:
Unregister Credential Command
This command will be used to deactivate credential from keeper, meaning the keeper platform will stop accepting the given cryptographic credential as tied to user
Flags :
CredentialId - this is the credential ID of the credential to be deactivated. if nothing is given then all
PassThru - This is the filter for result, this is by default false, so no output related to technicalities is returned to user when executing this command, but if this flag is given, then user can see the details of credential deleted
Example output :
Flags
--confirm : this will skip the verification dialog
Output examples
This command will be used to deactivate biometric credential from Keeper, meaning the Keeper platform will stop accepting the given cryptographic credential for logging in the user.
Example:
Change Name Command
This command changes the display name of the given device
Not Implemented
This command provides an interactive interface to:
Select from available credentials
Enter a new friendly name (max 32 characters)
Confirm the update
Example output:
Last updated
Was this helpful?