New 2FA Feature for Unlocking Phones After BFU Mode

gos-users

Hello,

Do you know if there's a release date for the upcoming game-changer from the incredible team at GrapheneOS—the ability to use 2FA after BFU (Before First Unlock)?

Also, do you have any updates on the rewrite that will make the device admin app mode compatible with auto-wipe without requiring a reboot?

Thank you.

de0u

gos-users Do you know if there's a release date for the upcoming game-changer from the incredible team at GrapheneOS—the ability to use 2FA after BFU (Before First Unlock)?

Unlike (for example) Apple and Google, the GrapheneOS project does not typically announce specific dates for features long in advance.

Probably the best way to get early indications of feature releases is to join the alpha/beta-test chat group. This group is primarily for people who have subscribed a device to the alpha or beta release channel to report their experience. Testing releases, especially to the alpha channel, may contain bugs (that's the point!), so running alpha or beta releases may not be a good option for people who depend on a device working exactly right all the time. (The testing channel is not a good place for inquiries about planned release dates for features.)

Please note that I do not speak for the GrapheneOS project.

23Sha-ger

gos-users game-changer

What does it change exactly? there are 2 scenarios here:

1) Your phone is with you, it's wasn't tampered with, and you are unlocking it.
Now you will have to provide the second factor, like a 6 digit code (2FA) in addition to the passphrase,
which might be beneficial to some but I would like to hear about an actual threat model that requires it.
A picky "friend" that knows your first passcode? Then the problem is not GOS, it's your boundaries of trust.

2) You are under pressure, severe or not it's very situational, and your choices are:
A. Providing the actual unlock method, fully unlocking your phone, in case you have nothing to hide
B. Providing the duress PIN - which will wipe the device, but because you realize that what could be
potentially found on the device puts you in worse situation that using option A.

xmachina

de0u does not typically announce specific dates

It would still be nice to have a general time frame, even if it is later voided. Dev politics aside (i.e. backlash over bad date), it's nice to have an idea about when such major features are coming in. They say soon, but do they mean next month or next year? I for one am holding my breath for this as it is the only thing stopping me from having a better password (I have to access my phone often enough that it would be a considerable difficulty to have to enter a long password). I would like to have an idea when I'll get some oxygen.

Of course, I appreciate what the devs are doing and that they have more to consider than just my wishes. This isn't a complaint, just feedback.

de0u

23Sha-ger Your phone is with you, it's wasn't tampered with, and you are unlocking it. Now you will have to provide the second factor, like a 6 digit code (2FA) in addition to the passphrase, which might be beneficial to some but I would like to hear about an actual threat model that requires it.

I don't think that's what the feature will do.

At present there are two unlock methods: PIN/passphrase on the one hand, and fingerprint on the other. Setting a long passphrase means it's hard to type, so some people enable fingerprint unlock. But people can be compelled (by law enforcement, or perhaps even while asleep!) to press a finger onto a screen.

I believe the upcoming two-factor unlock works as follows: in addition to the "real" PIN/passphrase, which is needed to unlock the device at first boot, it is possible to enable fingerprint unlock, and then it is possible to optionally require a different PIN (presumably a short one).

So the secondary PIN is not provided with the primary PIN/passphrase; the secondary PIN is provided with a fingerprint, AFU, subject to some number of fingerprint rejections, etc.

Please note that I do not speak for the GrapheneOS project. And interested parties might wish to consult issue #28.

23Sha-ger

de0u But people can be compelled (by law enforcement, or perhaps even while asleep!) to press a finger onto a screen.

My P8 fingerprint unlock works 3/5 times when I'm awake, not sure how this is possible to force it when you are asleep. This is an interesting vector but not sure it's applicable, the finger must be positioned exactly on the reader
or it will fall back to the passphrase. Hate when this happens - since my passphrase is long and complex.
The fingerprint method stops working after 3 failed attempts. BFU it's always a passphrase, so there are no
fingerprints involved here. BFU as it is right now, and according to Cellebrite's paper, is pretty much solid.
The law enforcement scenario is the same as I described above, either provide the real PIN for them, or the duress one, I'm not sure how this feature will enhance the above 2 outcomes.

Realistically speaking, what is implemented now is a perfect balance of security and usability.
Fingerprint and short PIN? Well yes this might be useful, but this is only AFU. So again, law enforcement
scenario (where you choose to cooperate) doesn't apply. Maybe on P9, where the fingerprint sensor is
more reliable, and in theory can unlock the device "from a sleeping person".

fid02

23Sha-ger My P8 fingerprint unlock works 3/5 times when I'm awake, not sure how this is possible to force it when you are asleep.

My P8 fingerprint sensor works about 99% of the time – unless I have a wet finger. Bad for you that it fails often, but for a lot of people it works fine. Pixel 9 is supposed to have an improved sensor so hopefully future Pixel devices will be more precise.

23Sha-ger The fingerprint method stops working after 3 failed attempts.

Five attempts. After three failed attempts, you can swipe back from the PIN/PW prompt to get two more attempts.

23Sha-ger duress one

Someone who physically forces your finger on the fingerprint reader doesn't need to demand that you hand them a PIN or PW. How is duress PW supposed to help against that scenario? With MFA unlock, duress PIN can actually achieve what you are picturing: imagine an adversary that forces your finger on the sensor against your will, then either throws the phone away when they see the PIN prompt appear because they don't want to bother with it, or demand that you give up the PIN. In the latter scenario, you have the choice of providing them with the duress PIN – if you deem the potential consequences of that action to be acceptable.

N1b

23Sha-ger The law enforcement scenario is the same as I described above, either provide the real PIN for them, or the duress one, I'm not sure how this feature will enhance the above 2 outcomes.

I think there are jurisdictions where police is allowed to demand or enforce a biometric unlock but not a PIN, so there are edge cases where this feature is useful.

And as mentioned above, the other way around is just as neat: Someone gets access to your pin through shoulder surfing or video recordings, but they don't have your fingerprint.

Generally the idea about 2FA is to combine "something you know" with "something you have" or "something you are" to inconvenience any threat actor to access what you protect. I don't see how it's any different for a mobile phone compared to an online account, the general benefits apply.

[deleted] I just shut up and take what features are available currently, because if i were them, i'd be really annoyed with the entitled side of the community. If they dont provide ETA-s, respect that and stop asking for it.

While I understand the frustration, it's not nice or helpful to imply that OP is feeling entitled or annoying the devs. I think their question comes from a place of curiosity and admiration towards the project.

gos-users

xmachina

It's exactly the same for me; I'm waiting for this feature so I can finally set up a proper Diceware password on my profile.

For me, this feature provides protection in situations where someone might be filming me or looking over my shoulder, for example, when I'm on a plane or in another public space. In such cases, they would only be able to unlock my phone in BFU mode. And anyway, they wouldn't be able to change any settings because the real password, which is a Diceware, would still be required.

This is really more about being able to quickly unlock the phone while still having a strong, secure password for the AFU.

So that's why I'd really like to know if it's coming next month, in six months, or a year from now :)

[deleted]

I don't understand why its important to know. They are working on it. That is enough for me. I just shut up and take what features are available currently, because if i were them, i'd be really annoyed with the entitled side of the community. If they dont provide ETA-s, respect that and stop asking for it.

[deleted]

N1b While understanding why you'd think i was implying that they are entitled, i was not trying to do that. My bad on the wording. However i think we all can agree that there is a correlation between entitled people and people asking for ETAs.

fid02

[deleted] However i think we all can agree that there is a correlation between entitled people and people asking for ETAs.

With respect, this is demonstrably incorrect. A "correlation" implies that you are arguing some fact about reality, while what you are doing here is stating a subjective opinion. Here's proof against your statement: I disagree with you.

On the whole, I think it's beneficial to not give a clear ETA or approximate date for feature releases. For one, other concerns could suddenly pop up which requires higher priority. I know that some projects prefer to have a fixed date for a feature request and stick to it no matter what, but my impression is that GrapheneOS prefers releasing privacy and security features that have been extensively tested before launch. For example, I was impressed with the duress password feature and how thought-through it is, including its UI.

When that is said, I'm also excited about the MFA unlock.

gos-users

fid02

Sorry, I didn't mean to start an unnecessary debate. I was simply curious, and you're absolutely right. It's better to release it when everything is ready and thoroughly tested.

[deleted]

fid02 A correlation refers to a statistical relationship between two variables. Based on this, you can make an informed opinion, which Im doing. Your can of course disagree with my opinion on the matter though.

[deleted]

gos-users Its fine, we are just having a civil discussion. Sorry if i made you feel called out.

fid02

gos-users Sorry, I didn't mean to start an unnecessary debate.

Don't be sorry. I think I just saw text that I slightly disagreed with and my brain went haywire. Looking forward to testing duress password with MFA unlock while being high on caffeine. Have a nice day, all. ☕!