As this is my first post I will try to remain civil. A few days ago I flashed my Pixel 7 Pro and was happy with the speed compared to my stock s22 ultra I've been using for a bit. However I didn't move everything over because I wanted to do a test first. The "unlock it and mess around a couple times a day" test, which is as it says I unlock my phone and will do some stuff, multiple times a day. September 15th 2024 at 9:15pm I went to unlock using fingerprint and to my disappointment I was denied for the sake of "security." Even though a pin input can be seen by a shoulder hovering individual and security cameras. Now with other phones I have dealt with this and have been forced to put in my pin in public situations many times. I was hoping that with this OS I'd get a truly more secure experience, but sadly I didn't. So, now I'm just curious what is the real reason it wasn't removed or at the very least made to be configurable from Never Force Pin/Password - Yearly (or longer.) Yes I know that theoretically fingerprint isn't secure because it uses fragments of the fingerprint it captures, however it would take far longer, and/or be far harder to do so than say randomly bump into your target and silently watch them input their pin over their shoulder and well you get the idea.
Why not remove/make longer the require pin input after 3 days?
WhatTheFluff The developers are hard at work on Android 15, but also on a PIN+fingerprint unlock system, so it will be possible to set a long complex passphrase but most of the time use a fingerprint plus a short PIN.
That will mean somebody who can compel your fingerprint will not get in without knowing your PIN, and somebody who sees your short PIN can't get in without your fingerprint.
There is no announced time frame for this feature to ship, but it does sound like it's in the works.
WhatTheFluff Imagine a scenario when your fingerprint doesn't get accepted (say injury to your finger) and PIN is not present. How will you unlock the device besides factory resetting it and losing all data? You are concerned about shoulder surfing when entering the PIN for which case you can use PIN scrambling, but not at all about what potentially personal info gets displayed immediately afterwards.
[deleted] Easy! Most humans have multiple fingers right? Well all you need to do is have your thumbprint of both of your thumbs, or if someone using the device has a birth defected hand (like me) they could just use another finger.
[deleted] If someone is shoulder surfing they will see what the numbers are, regardless of using pin scrambling or not. If someone has been picked as a target as possible prey seeing personal info afterward would just solidify the choice of proceeding with whatever their plan is.
de0u That's ok, but in order for it to be fully secure they would have to make fingerprint 100% always usable, even after restart. Because if they didn't most people would do the faster thing and pick one number and hit it four times, so unlocking would be as fast as fingerprint->pin=four x4 which isn't good but the large majority like speed over security until something bad happens. Thank you for replying though, I have read briefly about that being a possibility but it's good to hear more unlock features being in the works, hopefully.
WhatTheFluff That's ok, but in order for it to be fully secure they would have to make fingerprint 100% always usable, even after restart.
I don't believe that is possible given the way storage encryption is implemented at present.
My understanding is that the fingerprint reader can report that a fingerprint is/isn't in the enrolled set, but that the fingerprint reader doesn't release encryption tokens because it doesn't have access to them. My understanding is that after a restart the only way to access private data for a profile is for the profile's storage key to be derived from the PIN/passphrase.
Further information: https://grapheneos.org/faq#encryption
If you're in that risky of a situation, leave the phone locked until you are somewhere private.
When I get one of those required password-to-unlock events (instead of biometric) I just duck into the bathroom or similar space, if I'm in public. If I feel there may still be cameras or people watching I put the phone into my pocket until I get home.
WhatTheFluff Since this happens after restart, and you don't want to input your PIN, you can disable auto reboot so that the phone doesn't ask you for the PIN while in BFU (Before First Unlock) state.
The filesystem does not open a number of things until after first unlock, including secondary user profiles, hence why you cannot switch users in the BFU state until after you unlock the Owner profile. This is a security feature, and GrapheneOS is a security-focused OS. Nonetheless, this is standard on AOSP as far as I know.
Your problem is solved by setting auto-reboot to a period that will reboot your phone at night. 4 hours or so. This way you will enter the pin in the morning at home and the fingerprint timer will be reset.
Speeduser7533 That's not always doable. Yes sometimes if you just want to check your email because you're bored you can just get to a private area then input your pin and it's all good. However, for me personally it has happened where I needed to use my phone for document validation because I didn't have my wallet with me or I needed to answer an email sooner rather than later.
yore The problem isn't because of the phone restarting.
Rizzler The problem isn't because of the phone rebooting. If it was, the error message would instead read something along the lines of: "You must input your pin after a restart."
de0u A secondary thing for the Fingerprint+PIN after security option. There should be a way to have separate pins, so your main PIN only one is one set of numbers that is difficult to guess and takes more effort to type in and the joint one is faster to input so it still is a somewhat fast unlocking experience for the owner of the device. This reply is mainly for developer consideration.
WhatTheFluff A secondary thing for the Fingerprint+PIN after security option. There should be a way to have separate pins, so your main PIN only one is one set of numbers that is difficult to guess and takes more effort to type in and the joint one is faster to input so it still is a somewhat fast unlocking experience for the owner of the device.
I think there's a good chance the feature will be of use along those lines.
Though I suspect there's also a fair likelihood that people will want it to be done differently when it ships! I hope people will understand that the screen-unlock code has very strong security implications, and is also very complicated, so that it may be infeasible to support lots of options and variations.
Meanwhile, GrapheneOS is open source, so people are free to address things they believe are major deficiencies by building their own customized version.
WhatTheFluff Android has a standard 48 hour timer after the last time the primary unlock method was successfully used. Biometric unlock is only usable as a secondary unlock mechanism with a low limit on the number of attempts and a way to disable it (lockdown mode). It works this way for security reasons and to avoid users forgetting their primary unlock method. If users never had to use the primary lock method, it would be forgotten much more frequently and user data would be lost. 48 hours is a very long time for biometric unlock to be usable so there's a planned feature to make the timer configurable. It's a very low priority especially since 2-factor fingerprint unlock is the main planned approach to addressing the insecurity of biometric unlock in a strong way rather than depending on a timer.
[deleted] Fingerprints change over time and there's never a strong guarantee it will continue working. It doesn't require an injury for it to stop working. The fingerprint unlock implementation has to update the model for the fingerprint every time there's a successful unlock to deal with fingerprints changing over time. It's very easy for it to stop working especially if it's not used for weeks. It would not keep working reliably if it only used the initial model from registration but rather would get less and less usable until it mostly or completely stopped working.
WhatTheFluff They can unlock your phone via fingerprint unlock without even spying on you through either coercion or building a physical replica of the fingerprint. You leave fingerprints all over everything you touch so in reality it's not actually particularly secret and it's not a primary unlock method for good reason.
WhatTheFluff Fingerprint unlock is not available as a primary unlock method for security and reliability reasons. It's a limited secondary unlock mechanism. It still creates a major vulnerability even with those limitations, which is why we're developing the 2-factor fingerprint unlock feature.
Rizzler That's incorrect. It has nothing to do with the time since boot. Android has a standard 48 hour timer for secondary unlock being usable after the primary unlock method is successfully used. If you want to reset the timer, you can simply successfully use the primary unlock method. Since the timer is 48 hours, unlocking with the primary unlock method once per day will avoid the secondary unlock methods being disallowed other than reboots, triggering lockdown or hitting the failure limit.
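The behaviour described in this thread (after a restart the storage key can only be derived from the PIN/passphrase; fingerprint is a yes/no secondary unlock usable for 48 hours after the last successful primary unlock, and disabled by lockdown or too many failures), as a simplified Python model. This is an added example, not part of any post and not Android or GrapheneOS code; the class name, the scrypt parameters, the hash-based verifier and the failure limit of 5 are assumptions.

```python
import hashlib
import hmac
import os

BIOMETRIC_WINDOW_S = 48 * 3600  # 48-hour timer stated in the thread
MAX_BIOMETRIC_FAILS = 5         # assumed value; the thread only says "low limit"


class LockModel:
    """Toy model of the unlock policy discussed above (hypothetical class)."""

    def __init__(self, pin: str):
        self.salt = os.urandom(16)
        # Stand-in for hardware-backed credential verification.
        self.verifier = hashlib.sha256(self._derive(pin)).digest()
        self.reboot()

    def _derive(self, pin: str) -> bytes:
        return hashlib.scrypt(pin.encode(), salt=self.salt, n=2**12, r=8, p=1, dklen=32)

    def reboot(self) -> None:
        # Before First Unlock: no storage key in memory, biometrics unusable.
        self.storage_key = None
        self.last_primary = None
        self.lockdown = False
        self.fails = 0

    def unlock_primary(self, pin: str, now: float) -> bool:
        key = self._derive(pin)
        if not hmac.compare_digest(hashlib.sha256(key).digest(), self.verifier):
            return False
        self.storage_key = key   # only the PIN path can produce the key
        self.last_primary = now  # resets the 48-hour timer
        self.lockdown = False
        self.fails = 0
        return True

    def biometric_allowed(self, now: float) -> bool:
        return (self.storage_key is not None and not self.lockdown
                and self.fails < MAX_BIOMETRIC_FAILS
                and now - self.last_primary < BIOMETRIC_WINDOW_S)

    def unlock_fingerprint(self, matched: bool, now: float) -> bool:
        # The sensor contributes only a yes/no match, never key material.
        if not self.biometric_allowed(now):
            return False
        if not matched:
            self.fails += 1
        return matched
```

Times are plain seconds passed in by the caller, so a schedule such as "primary unlock once per day" can be replayed against the model to see when fingerprint unlock is refused.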