The problem is that short passwords are ineffective for unlocking. That's why we have to use long passwords. It is tedious to enter them every time, so when it is technically possible to replace the password with a fingerprint, many people use it.
Aegis, unlike some other 2FA managers (e.g. FreeOTP), allows you to enable edit mode for all fields of each 2FA record. In this mode it is easy to view and copy the 2FA initialization string. That is, a possible attacker only needs to solve the fingerprint problem - and all stored strings will be at his fingertips.
Therefore, I propose protecting only the viewing of generated codes with biometrics, and always additionally requesting a password for access to the editing mode. It is also useful to request it twice if biometric protection is not used.
Biometric unlock in Aegis is designed to be a credential equivalent to the password in terms of access. We've had similar requests in the past to make some type of distinction between the two, but we're not going to add artificial security layers on top that cannot be enforced at the level of the vault file. Once the vault file is decrypted, you have full access, regardless of whether that was done using the biometric key slot or the password key slot.
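The maintainer's point above is a property of how key-slot vaults work rather than a UI choice. The following is an added example that models it; it is not Aegis's code or its real vault format. A random master key encrypts the vault contents, and each credential (a scrypt-derived password key, and a random key that stands in for the key a hardware keystore would release after a fingerprint match) wraps that same master key in its own slot. Whichever slot is opened, the result is the identical master key and the identical plaintext, so a "view only" restriction layered on the biometric path would exist only in the app's UI, not in the file. The stream cipher here is a constructed HMAC-SHA256 counter-mode PRF with encrypt-then-MAC, and the scrypt cost is lowered to keep the demo fast; both are assumptions for illustration, not the project's parameters.

```python
"""Simplified key-slot vault model (added example; not Aegis's real file format)."""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets

KEY_LEN = 32
BLOCK = 32  # HMAC-SHA256 output size, used as the keystream block size


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific subkey so one key is never used for two jobs."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Constructed stream cipher: HMAC-SHA256 as a PRF in counter mode (demo only)."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + BLOCK], block))
    return bytes(out)


def wrap_master_key(master_key: bytes, slot_key: bytes) -> dict:
    """Encrypt the vault master key under one slot's key (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    wrapped = _keystream_xor(_subkey(slot_key, b"wrap"), nonce, master_key)
    tag = hmac.new(_subkey(slot_key, b"mac"), nonce + wrapped, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "wrapped": wrapped.hex(), "tag": tag.hex()}


def unwrap_master_key(slot: dict, slot_key: bytes) -> bytes:
    """Recover the master key from a slot; a wrong credential fails the MAC check."""
    nonce, wrapped, tag = (bytes.fromhex(slot[k]) for k in ("nonce", "wrapped", "tag"))
    expected = hmac.new(_subkey(slot_key, b"mac"), nonce + wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong credential or tampered slot")
    return _keystream_xor(_subkey(slot_key, b"wrap"), nonce, wrapped)


def password_slot_key(password: str, salt: bytes) -> bytes:
    # scrypt cost kept low for a quick demo; a real vault uses a much higher n
    return hashlib.scrypt(password.encode(), salt=salt, n=2**12, r=8, p=1, dklen=KEY_LEN)


def create_vault(entries: dict, password: str) -> tuple[dict, bytes]:
    """Return (vault, biometric_key). biometric_key is a stand-in for the key a
    hardware keystore would release only after a successful fingerprint match."""
    master_key = secrets.token_bytes(KEY_LEN)
    salt = secrets.token_bytes(16)
    biometric_key = secrets.token_bytes(KEY_LEN)

    plaintext = json.dumps(entries).encode()
    nonce = secrets.token_bytes(16)
    ciphertext = _keystream_xor(_subkey(master_key, b"enc"), nonce, plaintext)
    mac = hmac.new(_subkey(master_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()

    vault = {
        "slots": [
            {"type": "password", "salt": salt.hex(),
             **wrap_master_key(master_key, password_slot_key(password, salt))},
            {"type": "biometric", **wrap_master_key(master_key, biometric_key)},
        ],
        "nonce": nonce.hex(),
        "ciphertext": ciphertext.hex(),
        "mac": mac.hex(),
    }
    return vault, biometric_key


def unlock(vault: dict, *, password: str | None = None, biometric_key: bytes | None = None) -> dict:
    """Decrypt the vault with either credential. Both slots release the same
    master key, so both paths return the full contents, OTP secrets included."""
    for slot in vault["slots"]:
        if slot["type"] == "password" and password is not None:
            master_key = unwrap_master_key(slot, password_slot_key(password, bytes.fromhex(slot["salt"])))
            break
        if slot["type"] == "biometric" and biometric_key is not None:
            master_key = unwrap_master_key(slot, biometric_key)
            break
    else:
        raise ValueError("no slot matches the supplied credential")

    nonce = bytes.fromhex(vault["nonce"])
    ciphertext = bytes.fromhex(vault["ciphertext"])
    expected = hmac.new(_subkey(master_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(vault["mac"])):
        raise ValueError("vault integrity check failed")
    return json.loads(_keystream_xor(_subkey(master_key, b"enc"), nonce, ciphertext))


# Constructed sample entry: a made-up issuer and a placeholder base32 secret.
SAMPLE_ENTRIES = {"example.org": {"issuer": "example.org", "secret": "JBSWY3DPEHPK3PXP", "digits": 6}}


def check_slots_are_equivalent(password: str = "correct horse battery staple") -> dict:
    """Open the same vault through both slots and report what each path yields."""
    vault, bio_key = create_vault(SAMPLE_ENTRIES, password)
    via_password = unlock(vault, password=password)
    via_biometric = unlock(vault, biometric_key=bio_key)
    try:
        unlock(vault, password=password + "x")
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True
    return {"via_password": via_password, "via_biometric": via_biometric,
            "wrong_password_rejected": wrong_rejected}


if __name__ == "__main__":
    result = check_slots_are_equivalent()
    print("identical plaintext from both slots:", result["via_password"] == result["via_biometric"])
```

Running it shows that `unlock(..., biometric_key=...)` returns the same dictionary, secret field included, as `unlock(..., password=...)`. A restriction that only the password path may enter edit mode would therefore have to be enforced by the app after decryption, at which point the secrets are already in memory and visible to anyone who can read the process or the decrypted data.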