Can there be some functionality similar to a boot password?

Harald

Hello all,

I am wondering if there might be some functionality that approximates having a secure password to enter at boot time, that is separate from the password/PIN to login to the device (or profile). The scenario: the user is a university student and spends much of the day on the campus. There are cameras everywhere on the campus. Sometimes the device rejects the fingerprint due to moisture, user's finger is slightly dirty or wrinkled, or whatever reason. Now the user needs to use the PIN to unlock the device, but he knows there is a high chance of his PIN being captured by a camera.

Option 1: The user goes to the bathroom multiple times a day just to enter the PIN away from the cameras, because his finger was moist when he tried to open the phone. He accepts that if he is in a lecture, he will be unable to do anything on the phone until the lecture is over (1-2 hours).

Option 2: The user has a secure password that only needs to be entered when the phone is rebooted, so he accepts that his regular PIN may be captured by camera. He reboots the phone when he requires the additional security.

Question: Is there any configuration which approximates Option 2?

Overlay1404

Harald couldn't this situation be avoided pretty easily by using a privacy screen filter and the PIN scramble feature.
All the camera would capture is your finger positions at that point, which would tell them the wrong PIN anway due to the scramble.

Harald

Alternatively, is there any benefit to using the Owner profile as the secure "boot" password, while doing all things in a secondary profile with a shorter PIN?

ryrona

@Harald I was going to suggest that, but then I got uncertain whether the secondary user profiles really use the passphrase from the owner profile for protection too. I mean, for someone taking your phone when it is turned off, and who lack the capabilities to disassemble it, they are forced to unlock the owner profile before unlocking any other profile. But I am not certain this is true for someone who can disassemble your device and perform sophisticated attacks.

Here is an alternative that may work for you.

How about putting everything privacy sensitive in a secondary profile you keep locked and logged out while being on campus? Would that work for you? I mean, if they can see you entering your passphrase for a profile, they can also see what you are doing on that profile, such as chat conversations and so. So I guess you are not accessing privacy sensitive things anyway while on campus, and thus could put them in their own profile with a strong passphrase you never have to enter while on campus, even if you reboot your phone?

Harald

ryrona

I also do not know how it works with the secondary profile. I think I read somewhere that our devices are secure against brute-forcing a PIN, which would indicate to me that attempts can only be done through the phone UI. In turn, this should mean that no one can bypass unlocking Owner before unlocking another profile. Perhaps a developer can offer some words.

This being said. Very little that I do is critically sensitive and I acknowledge shoulder surfing as a risk when doing anything on campus. Sensitive things are usually not persistent on the device anyway and I do them in locations I am confident are free from surveillance. Further, in my daily usage, I have found keeping a secondary "more privacy-sensitive" profile to be very cumbersome. There is too much overlap in my use and I am constantly needing to switch into that profile anyway, sometimes using a USB drive to move files between them.

But even though there is nothing much which is super critical that would persist for anyone to find. I still do not like the idea of my PIN being the only defense, given how frequently I need to enter it where others can potentially see it. It would be nice to have some mechanism in-between "just a PIN" and "emergency duress reset" similar to requiring a secure passphrase only on reboot.

Harald

Overlay1404

I do like the PIN scramble. Privacy filter might be suitable for the problem. However it seems a bit like security through obscurity? Also, I strongly dislike the way those look on the screen, I would be more inclined to use an empty Owner profile as a "boot password" than to use one of those.