Switching to secondary userprofile does not disable biometrics primairy profile.

Pocketstar

Hi everyone!
I have a question about fingerprints and userprofiles;
I have made a secondary "outdoor-profile" for outdoor usage containing no personal information.
If a thief rips the phone out of my hand while it is unlocked and runs off with it, at least my primairy profile (the "home-profile") would be at rest and the attacker does not obtain any personal information.
I did not set up a fingerprint on the secondary outdoor profile, but I do have one set up on the primairy home profile.
Is there a way to automatically turn off the fingerprint that belongs to the other profiles the moment I skip to the secondary profile? (Instead of doing it manually every time in security settings)
Such option might reduce the attack vector, my fingerprints are all over the glossy screen and an attacker will have access to those. (An attacker might be able to duplicate those in 3D with a jelly-like substance, not sure)
When I return to the primairy profile, initially the fingerprint feature does not appear on the screen, but it does when I press the power button twice.
I'm using a Pixel 7, but the same problem occurs on my Pixel Tablet as well. (After I press the fingerprint sensorbutton several times without using the password, it will reopen the primairy profile)
Perhaps having an option in profile settings to disable the biometric fingerprint when moving to another profile would be welcome?
I do however use autoreboot, it gives the attacker less time to cook up 3D fingerprints.

Skyway

Pocketstar the owner profile is only at rest after a reboot before logging in .
There is a bug how ever , if you have more then 3 fingerprints registered it won't bring up biometrics when switching profiles but it shouldn't be relied on .
Setting a short auto reboot time would be the best way to put data at rest.

fid02

Pocketstar If a thief rips the phone out of my hand while it is unlocked and runs off with it, at least my primairy profile (the "home-profile") would be at rest and the attacker does not obtain any personal information.

When using a secondary profile, the primary profile (Owner) is not put at rest – it is still in the "after first unlock" (AFU) state. It's necessary to first unlock Owner in order to unlock any other profile. Source: https://grapheneos.org/faq#encryption

Sensitive data is stored in user profiles. User profiles each have their own unique, randomly generated disk encryption key and their own unique key encryption key is used to encrypt it. The owner profile is special and is used to store sensitive system-wide operating system data. This is why the owner profile needs to be logged in after a reboot before other user profiles can be used.

Pocketstar Is there a way to automatically turn off the fingerprint that belongs to the other profiles the moment I skip to the secondary profile? (Instead of doing it manually every time in security settings)

Not automatically, I believe. But you can use the "lockdown mode" (accessible from the Power menu) to temporarily disable fingerprint unlock for the profile in which you enable "lockdown mode". Note that it does not put the profile at rest – it is still in AFU state. Note that "lockdown mode" is turned off the next time you unlock that profile.

Such option might reduce the attack vector, my fingerprints are all over the glossy screen and an attacker will have access to those. (An attacker might be able to duplicate those in 3D with a jelly-like substance, not sure)

Interesting theory. I wonder if there have been experiments and/or research done on the security of the fingerprint sensors of Pixels. Does anyone know?

On a related note, there is an upcoming MFA unlock feature which you might be interested in. It will allow you to have both a fingerprint + PIN as your secondary authentication instead of just a fingerprint.

Pocketstar I do however use autoreboot, it gives the attacker less time to cook up 3D fingerprints.

If the thief locks the device, the auto reboot timer will start. Note that unlocking any profile will cancel the timer, so the thief could in theory keep it unlocked as long as they can, if snatched out of your hand unlocked, as you describe. But they'll of course have to lock the secondary profile in order to attempt to unlock Owner (which as I understand is where you keep the sensitive data), which will start the timer.

Pocketstar

Skyway
Thanks for the reply!
This is very interesting, I did not know this.
Well, I can also go without a biometric fingerprint and create a complex, yet simple to remember password (and besides, we still have the Titan M-2 to prevent bruteforcing)
I am glad I can still use the fingerprint sensor for certain apps without using it for screen unlock.
I registered twho fingers by the way.

Pocketstar

fid02
Thanks for the anwser!
The fingerprint+pin feature sounds fantastic!!
I'll go with just the password untill/if the MFA feature gets released.
But the sensitive data is on the other profile indeed, I guess I am worried too much, and my threat level is very average.