Biometric login Commands
This page details on how keeper uses biometric login in different platforms
How it works
Biometric login allows users to authenticate using a biometric credential (fingerprint, face scan, or other secure token) without entering a password. Keeper treats these credentials as cryptographic tokens tied to the user.
Biometric (Windows Hello) must be configured in your windows device. For more detail you can refer Windows Hello configuration guide here.
1. Credential Creation (Registration)
A biometric credential is generated locally on the user’s device.
This creates a public/private key pair.
The private key is stored securely on the device and never leaves the device.
The public key is sent to Keeper and registered with the user account.
Keeper now associates this public key with the user for future authentication.
2. Authentication (Login)
When logging in with biometrics, the device signs a cryptographic challenge using the private key.
This signed challenge (token/assertion) is sent to Keeper.
Keeper validates the signature using the previously registered public key.
If validation succeeds:
Keeper treats the token as proof of identity.
The user is granted access to the vault/session.
3. Key Principles
Zero-Knowledge Security – Keeper never receives biometric data or the private key; it only stores the public key.
Device-Bound Credentials – The credential is tied to the device that created it.
Password-less Login – Once registered, the credential can replace the master password or act as a second factor.
Fallback Methods – Users can still use passwords or other 2FA methods if biometric login fails.
Requirements
Power Commander supports Biometric login with windows hello only.
Prerequisites:
Needs windows 11 or higher
PowerCommander version 1.0.7
Python CLI supports biometric login with both windows hello and MacOS Python 3.10 or higher is required
This set of commands are only supported for dotnet 472 on windows.
Supported Commands
This is list of commands supported
Register Biometric Command
This command creates a new passkey with currently logged in user's email. This passkey will be used for authenticating user when they want to login once we set biometric login as default login method.
To use this command you have to be logged in on CLI.
Note:
After executing this command, user has to register the device with Keeper to use biometric as default login method.
Persistent login takes precedence over biometric login, so if the device has persistent login enabled, biometric credentials are not verified during login
Register-KeeperBiometricCredentialSupport: This Command supports windows hello only.
Flags:
PassThru : this flag will prevent printing of credential ID and such details from printing, when set to true this prints the details, else details are not printed.
Examples
With PassThru flag
PS> Register-KeeperBiometricCredential -PassThru
Biometric Credential Creation for Keeper
Please complete Windows Hello verification to create the credential...
Credential ID stored for user: <user>
Credential created successfully
Success! Biometric authentication "<user>" has been registered.
Please register your device using the "Set-KeeperDeviceSettings -Register" command to set biometric authentication as your default login method.
Name Value
---- -----
Username <user>
Timestamp 26-09-2025 08:01:08
DisplayName <user>
CredentialId ...W25xo-z_9QyWdti5CsQ
Success TrueWithout PassThru flag
PS>Register-KeeperBiometricCredential
Biometric Credential Creation for Keeper
Please complete Windows Hello verification to create the credential...
Credential ID stored for user: <user>
Credential created successfully
Success! Biometric authentication "<user>" has been registered.
Please register your device using the "Set-KeeperDeviceSettings -Register" command to set biometric authentication as your default login method.My Vault> biometric registerSupport: This command supports both windows and MacOS
biometric registerThis command creates a new passkey with currently logged in user's email. this passkey will be used for authenticating user when they want to login once we register biometric login on a device.
To use this command, you have to be logged in on CLI.
Note:
After executing this command, user has to register the device with Keeper to use biometric as default login method.
Persistent login takes precedence over biometric login, so if the device has persistent login enabled, biometric credentials are not required during login.
Only supported on windows and for build with net472 framework.
Show Credential Command
This command shows all the credentials which have been registered to the given account, along with the authenticator type, credential ID, date created and last used date
To use this command you have to be logged in on CLI
Show-KeeperBiometricCredentialsFlags
IncludeDisabled - This will show the details of credentials which are used earlier but are no longer active along with active ones
Example
PS> Show-KeeperBiometricCredentials -IncludeDisabled
Registered Biometric Authentication Methods:
----------------------------------------------------------------------
Id: ....w6ZGlzYWJsZWQ=
Name: Platform Authenticator (DISABLED)
Created: 2025-09-25 10:22:17
Last Used: 2025-09-25 11:12:00
----------------------------------------------------------------------
Id: YlDRvVIYsC0.....
Name: Platform Authenticator
Created: 2025-09-25 12:17:10
Last Used: 2025-09-25 12:26:28
----------------------------------------------------------------------My Vault> biometric listSample Output:
Registered Biometric Authentication Methods:
----------------------------------------------------------------------
Name: Commander CLI (MacBook)
Created: December 20, 2023
Last Used: Today
----------------------------------------------------------------------
Name: iCloud Keychain
Created: December 18, 2023
Last Used: July 10, 2025
----------------------------------------------------------------------
Name: Chrome on Mac
Created: November 15, 2023
Last Used: Never
----------------------------------------------------------------------This command shows all the credentials which have been registered to the given account, along with the authenticator type, credential ID, date created and last used date
To use this command, you have to be logged in on CLI
Example:
My Vault> biometric list
Listing Windows Hello biometric credentials...
# Friendly Name Provider Created Last Used Status
--- ------------- ---------------------- ---------------- ---------------- ------
1 Windows Hello Windows Hello 2025-10-10 19:41 2025-10-10 19:42 Active
2 Windows Hello Windows Hello 2025-10-29 12:59 2025-10-29 14:14 Active
RemVerify Credential Command
This command will be used to authenticate your session with credential stored. This same functionality will be used when we are trying to login using biometrics
Assert-KeeperBiometricCredentialFlags:
Purpose - This can be either login or reauth . This tells the server whether we are trying to check credential for logging in or to verify whether we are logged in.
PassThru - This will decide whether we are showing the command output related to credential ID etc . by default this is false, so we wont be seeing any such output details
Sample Output
PS> Assert-KeeperBiometricCredential -Purpose vault -PassThru
Verification completed successfully!
Name Value
---- -----
Username <username>
Message Windows Hello authentication with Keeper completed successfully
EncryptedLoginToken {}
Purpose vault
CredentialId ....RRR2nPv78NMuM
Success True
IsValid True
My Vault> biometric verifyFlags:
--purpose - this can be vault or reauth. This flag will set the purpose to vault/reauth. this is optional flag
Example output:
Please complete biometric authentication...
Biometric Authentication Verification Results:
==================================================
Status: SUCCESSFUL
Purpose: LOGIN
Login Token: Received
Your biometric authentication is working correctly!
==================================================This command will be used to authenticate your session with credential stored. This same functionality will be used when we are trying to login using biometrics.
Example:
My Vault> biometric verify
Verifying Windows Hello authentication for '<user_email>' (purpose: vault)...
Windows Hello verification successful.
My Vault> biometric verify --purpose=login
Verifying Windows Hello authentication for '<user_email>' (purpose: login)...
Windows Hello verification successful.Unregister Credential Command
This command will be used to deactivate credential from keeper, meaning the keeper platform will stop accepting the given cryptographic credential as tied to user
Unregister-KeeperBiometricCredential -CredentialId <credentialId> -PassThruFlags :
CredentialId - this is the credential ID of the credential to be deactivated. if nothing is given then all
PassThru - This is the filter for result, this is by default false, so no output related to technicalities is returned to user when executing this command, but if this flag is given, then user can see the details of credential deleted
Example output :
PS>Unregister-KeeperBiometricCredential -PassThru
Are you sure you want to permanently remove ALL biometric authentication for user '<username>'? (y/N): : y
Successfully unregistered passkey on server
Successfully unregistered credential for <username>@keepersecurity.com
Name Value
---- -----
Username <username>
Message Biometric credentials unregistered successfully
CredentialId ......OfRGyfRRR2nPv78NMuM
Success TrueMy Vault> biometric unregisterFlags
--confirm : this will skip the verification dialog
Output examples
Are you sure you want to disable biometric authentication for user '[email protected]'? (y/n): y
Biometric authentication has been completely removed for user '[email protected]'.
Default authentication will be used for future logins.This command will be used to deactivate biometric credential from Keeper, meaning the Keeper platform will stop accepting the given cryptographic credential for logging in the user.
Example:
My Vault> biometric remove
Are you sure you want to remove Windows Hello biometric credential for '<user_email>'? (y/N): y
Biometric credential removed for user: '<user_email>'Change Name Command
This command changes the display name of the given device
Not Implemented
My Vault> biometric update-nameThis command provides an interactive interface to:
Select from available credentials
Enter a new friendly name (max 32 characters)
Confirm the update
Example output:
Found 2 biometric credential(s) with friendly names
Available Biometric Credentials:
--------------------------------------------------
1. Commander CLI (MacBook)
Created: January 15, 2024
Last Used: Today
2. Commander CLI (Desktop)
Created: January 10, 2024
Last Used: January 18, 2024
Select credential number (1-2): 1
Selected: Commander CLI (MacBook)
Current Name: Commander CLI (MacBook)
Enter a new friendly name (max 32 characters):
New name: Personal MacBook
Update Summary:
--------------------
Current Name: Commander CLI (MacBook)
New Name: Personal MacBook
Proceed with update? (y/n): y
Passkey Update Results:
==============================
Status: Success
Old Name: Commander CLI (MacBook)
New Name: Personal MacBook
Message: Passkey friendly name was successfully updated
==============================Last updated
Was this helpful?