[Feature Request] Windows hello support

[onurbbr]

Normally, in order to enter the admin password, the system must have the highest level of UAC. We can use windows hello instead. Can you add this to gsudo? The following project can be given as an example.

[gerardog]

There are two very different approaches for this.

• One is to configure Windows Hello face recognition, and then configure UAC to ask for credentials using Local Security Policy
  

  I did, and now UAC accepts face recognition, the problem is that typing user/password is the popup's default and takes 2 clicks to enable face recognition
  ¡on every single elevation ! on my desktop machine. But my notebook uses fingerprint as default (instead of user/password) so it is definitely possible to change the default. But I don't know how yet.

• Doing by code as Wsl Hello is much much complex, because gsudo relies on the UAC elevation... at least starting a cache requires UAC.. and will always do unless gsudo is installed as a service... which is a much bigger scenario...
  Maybe the cache start could show UAC, and the following elevations (the credentials cache) could do face recognition...

  I will give it some thought...

[JohnLGalt]

FWIW, KeePassXC has managed to enable a 'quick login" feature that connects directly to Windows Hellos without needing to enter a password - being a GUI-based app, it does have a button to quick unlock, and then once the facial recognition kicks in Windows Hello also throws up a dialog box that requires you to press OK after confirmation, so I'm already used to a 2 click methodology. But if you could reduce that to a single click (as in automatically accept the facial recognition, which I suspect Windows Hello will not allow you to do) that would be great.

[gerardog]

Sure thing @JohnLGalt.

I´ve tried on my notebook with another webcam that supports face recognition and it worked. Just by enabling face recognition in windows settings, (provided that you first changed UAC to prompt for credentials) the UAC popup starts face recognition (without clicks), recognizes my face, and only then allows to click once on the Yes button. So this is possible without any change to gsudo whatsoever, at least on that Windows 11 Home. I still can´t make it work on my Windows 11 Pro desktop machine, not sure why, if it is a windows edition problem or what is the problem.

[gerardog]

Got Windows Hello Face Recognition working on Win11 Pro by removing drivers (didnt worked) and changing Local Security Policy:

[ananyosen]

Windows Hello already works with UAC prompts. My current account setup is like this

actual user account is a microsoft account, also not an administrator
a different account that I don't generally login with, local account, administrator, has fingerprints associated with the account.

Now whenever I need to escalate privileges from my actual non admin account, UAC prompt shows up with password fields for the admin account. At this point, I can use the fingerprint reader, use the correct finger for the admin account and UAC grants elevation. It even shows a brief windows hello animation on the prompt itself.