As this is my first post I will try to remain civil. A few days ago I flashed my Pixel 7 Pro and was happy with the speed compared to my stock S22 Ultra I've been using for a bit. However I didn't move everything over because I wanted to do a test first. The "unlock it and mess around a couple times a day" test, which is as it says: I unlock my phone and will do some stuff, multiple times a day. September 15th 2024 at 9:15pm I went to unlock using fingerprint and to my disappointment I was denied for the sake of "security." Even though a PIN input can be seen by a shoulder-hovering individual and security cameras. Now with other phones I have dealt with this and have been forced to put in my PIN in public situations many times. I was hoping that with this OS I'd get a truly more secure experience, but sadly I didn't. So, now I'm just curious what is the real reason it wasn't removed or at the very least made to be configurable from Never Force Pin/Password - Yearly (or longer.) Yes I know that theoretically fingerprint isn't secure because it uses fragments of the fingerprint it captures, however it would take far longer, and/or be far harder to do so than say randomly bump into your target and silently watch them input their PIN over their shoulder, and well you get the idea.

    WhatTheFluff The developers are hard at work on Android 15, but also on a PIN+fingerprint unlock system, so it will be possible to set a long complex passphrase but most of the time use a fingerprint plus a short PIN.

    That will mean somebody who can compel your fingerprint will not get in without knowing your PIN, and somebody who sees your short PIN can't get in without your fingerprint.

    There is no announced time frame for this feature to ship, but it does sound like it's in the works.

      • [deleted]


      WhatTheFluff imagine a scenario when your fingerprint doesn't get accepted (say injury to your finger) and PIN is not present. How will you unlock the device besides factory resetting it and losing all data? You are concerned about shoulder surfing when entering the PIN for which case you can use PIN scrambling, but not at all about what potentially personal info gets displayed immediately afterwards.

        [deleted] Easy! Most humans have multiple fingers, right? Well all you need to do is have the thumbprint of both of your thumbs, or if someone using the device has a hand with a birth defect (like me) they could just use another finger.

        [deleted] If someone is shoulder surfing they will see what the numbers are, regardless of using PIN scrambling or not. If someone has been picked as a target as possible prey, seeing personal info afterward would just solidify the choice of proceeding with whatever their plan is.

          de0u That's ok, but in order for it to be fully secure they would have to make fingerprint 100% always usable, even after restart. Because if they didn't, most people would do the faster thing and pick one number and hit it four times, so unlocking would be as fast as fingerprint->pin=four x4, which isn't good, but the large majority like speed over security until something bad happens. Thank you for replying though, I have read briefly about that being a possibility but it's good to hear more unlock features being in the works, hopefully.

            WhatTheFluff That's ok, but in order for it to be fully secure they would have to make fingerprint 100% always usable, even after restart.

            I don't believe that is possible given the way storage encryption is implemented at present.

            My understanding is that the fingerprint reader can report that a fingerprint is/isn't in the enrolled set, but that the fingerprint reader doesn't release encryption tokens because it doesn't have access to them. My understanding is that after a restart the only way to access private data for a profile is for the profile's storage key to be derived from the PIN/passphrase.

            Further information: https://grapheneos.org/faq#encryption


              WhatTheFluff

              If you're in that risky of a situation, leave the phone locked until you are somewhere private.

              When I get one of those required password-to-unlock events (instead of biometric) I just duck into the bathroom or similar space, if I'm in public. If I feel there may still be cameras or people watching I put the phone into my pocket until I get home.

                WhatTheFluff Since this happens after restart, and you don't want to input your PIN, you can disable auto reboot so that the phone doesn't ask you for the PIN while in BFU (Before First Unlock) state.

                The filesystem does not open a number of things until after first unlock, including secondary user profiles, hence why you cannot switch users in the BFU state until after you unlock the Owner profile. This is a security feature, and GrapheneOS is a security-focused OS. Nonetheless, this is standard on AOSP as far as I know.

                  Your problem is solved by setting auto-reboot to a period that will reboot your phone at night. 4 hours or so. This way you will enter the pin in the morning at home and the fingerprint timer will be reset.

                    Speeduser7533 That's not always doable. Yes, sometimes if you just want to check your email because you're bored you can just get to a private area then input your PIN and it's all good. However, for me personally it has happened where I needed to use my phone for document validation because I didn't have my wallet with me, or I needed to answer an email sooner rather than later.

                      Rizzler The problem isn't because of the phone rebooting. If it was, the error message would instead read something along the lines of: "You must input your pin after a restart."

                        de0u A secondary thing for the Fingerprint+PIN after security option. There should be a way to have separate PINs, so your main PIN-only one is one set of numbers that is difficult to guess and takes more effort to type in, and the joint one is faster to input so it still is a somewhat fast unlocking experience for the owner of the device. This reply is mainly for developer consideration.

                          WhatTheFluff A secondary thing for the Fingerprint+PIN after security option. There should be a way to have separate PINs, so your main PIN-only one is one set of numbers that is difficult to guess and takes more effort to type in, and the joint one is faster to input so it still is a somewhat fast unlocking experience for the owner of the device.

                          I think there's a good chance the feature will be of use along those lines.

                          Though I suspect there's also a fair likelihood that people will want it to be done differently when it ships! I hope people will understand that the screen-unlock code has very strong security implications, and is also very complicated, so that it may be infeasible to support lots of options and variations.

                          Meanwhile, GrapheneOS is open source, so people are free to address things they believe are major deficiencies by building their own customized version.

                          WhatTheFluff Android has a standard 48 hour timer after the last time the primary unlock method was successfully used. Biometric unlock is only usable as a secondary unlock mechanism with a low limit on the number of attempts and a way to disable it (lockdown mode). It works this way for security reasons and to avoid users forgetting their primary unlock method. If users never had to use the primary lock method, it would be forgotten much more frequently and user data would be lost. 48 hours is a very long time for biometric unlock to be usable so there's a planned feature to make the timer configurable. It's a very low priority especially since 2-factor fingerprint unlock is the main planned approach to addressing the insecurity of biometric unlock in a strong way rather than depending on a timer.

                            [deleted] Fingerprints change over time and there's never a strong guarantee it will continue working. It doesn't require an injury for it to stop working. The fingerprint unlock implementation has to update the model for the fingerprint every time there's a successful unlock to deal with fingerprints changing over time. It's very easy for it to stop working especially if it's not used for weeks. It would not keep working reliably if it only used the initial model from registration but rather would get less and less usable until it mostly or completely stopped working.

                            WhatTheFluff They can unlock your phone via fingerprint unlock without even spying on you through either coercion or building a physical replica of the fingerprint. You leave fingerprints all over everything you touch so in reality it's not actually particularly secret and it's not a primary unlock method for good reason.

                              WhatTheFluff Fingerprint unlock is not available as a primary unlock method for security and reliability reasons. It's a limited secondary unlock mechanism. It still creates a major vulnerability even with those limitations, which is why we're developing the 2-factor fingerprint unlock feature.

                              Rizzler That's incorrect. It has nothing to do with the time since boot. Android has a standard 48 hour timer for secondary unlock being usable after the primary unlock method is successfully used. If you want to reset the timer, you can simply successfully use the primary unlock method. Since the timer is 48 hours, unlocking with the primary unlock method once per day will avoid the secondary unlock methods being disallowed other than reboots, triggering lockdown or hitting the failure limit.
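The two mechanisms described in this thread, de0u's point that after a restart the profile's storage key can only be derived from the PIN/passphrase and the fingerprint matcher never holds it, and the 48 hour secondary-unlock timer with a failure limit and lockdown that the GrapheneOS account describes, as a small simulation. This is an added example written for this thread, not GrapheneOS or AOSP code; the class and method names, the failure budget and the use of scrypt on the PIN (standing in for the key derivation a real device performs inside its secure element) are assumptions made for the example.

```python
"""Toy model of Android's biometric-as-secondary-unlock policy.

Hypothetical simulation for illustration (not GrapheneOS or AOSP code).
It models two things said in the thread:

  * after boot (BFU) the storage key can only be derived from the primary
    credential; the fingerprint matcher answers "enrolled / not enrolled"
    and never holds key material;
  * biometric unlock is only accepted within a 48 hour window after the
    last successful primary unlock, with a small failure budget, and is
    disabled entirely by lockdown mode.

All constants and identifiers are assumptions for the example.
"""
import hashlib
import hmac
import os

BIOMETRIC_WINDOW_SECONDS = 48 * 3600   # standard Android timer per the thread
MAX_BIOMETRIC_FAILURES = 5             # assumed small failure budget


class Device:
    def __init__(self, pin: str, enrolled_fingerprints: set[str]):
        # Constructed salt. A real device does the derivation in hardware;
        # scrypt here only stands in for "key is derived from the credential".
        self._salt = os.urandom(16)
        self._verifier = self._derive(pin)
        self._enrolled = set(enrolled_fingerprints)
        self.reboot()

    def _derive(self, pin: str) -> bytes:
        return hashlib.scrypt(pin.encode(), salt=self._salt,
                              n=2**14, r=8, p=1, dklen=32)

    # --- state transitions ---------------------------------------------
    def reboot(self) -> None:
        """Boot into BFU: no storage key in memory, biometrics unusable."""
        self.storage_key = None
        self.last_primary_unlock = None
        self.biometric_failures = 0
        self.lockdown = False

    def enter_lockdown(self) -> None:
        """Lockdown mode: disables biometric unlock until the PIN is used."""
        self.lockdown = True

    # --- unlock paths --------------------------------------------------
    def unlock_with_pin(self, pin: str, now: float) -> bool:
        key = self._derive(pin)
        if not hmac.compare_digest(key, self._verifier):
            return False
        self.storage_key = key          # first unlock: profile is now AFU
        self.last_primary_unlock = now  # resets the 48 hour timer
        self.biometric_failures = 0
        self.lockdown = False
        return True

    def biometric_allowed(self, now: float) -> tuple[bool, str]:
        if self.storage_key is None:
            return False, "BFU: storage key only derivable from primary credential"
        if self.lockdown:
            return False, "lockdown mode"
        if self.biometric_failures >= MAX_BIOMETRIC_FAILURES:
            return False, "too many biometric failures"
        if now - self.last_primary_unlock > BIOMETRIC_WINDOW_SECONDS:
            return False, "PIN not used for a while"
        return True, "ok"

    def unlock_with_fingerprint(self, fingerprint: str, now: float) -> tuple[bool, str]:
        allowed, reason = self.biometric_allowed(now)
        if not allowed:
            return False, reason
        # The matcher only answers "in the enrolled set or not".
        if fingerprint not in self._enrolled:
            self.biometric_failures += 1
            return False, "fingerprint not recognised"
        return True, "ok"


def walkthrough() -> list:
    """Replay the situation from the thread: PIN in the morning, fingerprint
    during the day, fingerprint refused once 48 hours have passed."""
    d = Device("1234", {"right_thumb"})          # constructed credentials
    h = 3600.0
    log = [d.unlock_with_fingerprint("right_thumb", 0.0)]   # BFU: refused
    log.append(d.unlock_with_pin("1234", 0.0))              # primary unlock
    log.append(d.unlock_with_fingerprint("right_thumb", 8 * h))   # ok
    log.append(d.unlock_with_fingerprint("right_thumb", 49 * h))  # timer expired
    log.append(d.unlock_with_pin("1234", 49 * h))                 # timer reset
    log.append(d.unlock_with_fingerprint("right_thumb", 50 * h))  # ok again
    return log


if __name__ == "__main__":
    for entry in walkthrough():
        print(entry)
```

Setting auto-reboot so the device restarts at night, as suggested earlier in the thread, is visible here as a forced `reboot()` followed by a morning `unlock_with_pin()`, which is what resets the window.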

                                WhatTheFluff It was explained in the first reply that we're adding the option to set a 2nd factor PIN to fingerprint unlock. There's no significant reason for us to add secondary PIN option. Entering a 4 digit PIN by itself is hardly more convenient than entering a 4 digit PIN after using a fingerprint to trigger the PIN entry. Either way, you have to trigger the PIN entry, and it might as well be through fingerprint unlock for this purpose. Unclear why we would add another approach.

                                GrapheneOS So the reboot triggers mandatory use of the primary unlock method, therefore resetting the timer when unlocked. My suggestion perfectly applies regardless of the technicality that the reboot itself doesn't reset the timer. Effectively it does though, because it forces you to unlock it with the primary method, which in fact resets it, as you said.


                                  WhatTheFluff Yes I know. I'm suggesting turning auto reboot to a value which reboots your phone at night. You will then have to unlock it in the morning and then the timer will be reset. You will not worry about fingerprint getting disabled during the day.

                                  Rizzler

                                  I think they were referring to the secondary unlock timer that is different from the feature that prevents fingerprint unlocking after a reboot.

                                  GrapheneOS Android has a standard 48 hour timer for secondary unlock being usable after the primary unlock method is successfully used.

                                    yore Yeah, I'm talking about the same thing in practice.

                                    • [deleted]


                                    WhatTheFluff in a case of an event of an official nature (validating document for example) you simply ask those surrounding you to respect your privacy while you are inputting your credentials. If you are dealing with reasonable individuals, they would pretty much expect the same.

                                    GrapheneOS Thank you for taking time out of your day to respond.

                                    GrapheneOS It works this way for security reasons

                                    I've seen that said a lot by developers of Android, however they never gave any actually valid reasons that couldn't just have configure options so the user can choose how short or long they want the timer to be.

                                    GrapheneOS to avoid users forgetting their primary unlock method

                                    Quoted above is both valid and invalid. As: yes, humans forget things quite often, sometimes they can remember them, sometimes not. With passwords and PINs it will always vary per person how long/short they are and if they forget them. The part making it invalid though is that, just because according to securitymagazine "15% of respondents did so at least once a week" (could forget their PIN and need to reset it within a week) doesn't mean everyone using an Android device should be forced to deal with that. However if the 2-fac fingerprint has no timer associated with it then that would be a better way to give peace of mind to a user while still having a quick fingerprint reading and then inserting a PIN. Personally I would love to be able to have a 2-fac PIN and a rebooted-device PIN that could be different from each other, so I can get in quickly with a fast fingerprint and PIN input with PIN A, then have a longer secure PIN B that will only ever be used after my device has restarted from manual, auto-reboot, or after update rebooting. Again, thank you GrapheneOS moderator for replying, and confirming that the 2-fac is in the works.

                                      It works this way for security reasons

                                      WhatTheFluff I've seen that said a lot by developers of Android, however they never gave any actually valid reasons that couldn't just have configure options so the user can choose how short or long they want the timer to be.

                                      But in this thread two reasons were mentioned.

                                      1. I wrote (de0u):

                                      My understanding is that the fingerprint reader can report that a fingerprint is/isn't in the enrolled set, but that the fingerprint reader doesn't release encryption tokens because it doesn't have access to them. My understanding is that after a restart the only way to access private data for a profile is for the profile's storage key to be derived from the PIN/passphrase.

                                      If the fingerprint reader could decide to decrypt storage before the first unlock, or whenever it wanted to, that would significantly increase attack surface. That is a security reason.

                                      2. The official project account wrote (GrapheneOS):

                                      You leave fingerprints all over everything you touch so in reality it's not actually particularly secret and it's not a primary unlock method for good reason.

                                      Leaving unlock information (fingerprint images) around, so it's not secret, is also a security reason.

                                      Any given person might choose to weigh those reasons lower than some other factors, but that doesn't mean that no "actually valid reasons" have been presented.

                                      I can't help observing that Apple devices require a PIN or passphrase after reboot (and, I think, at other times). So again fingerprints aren't being used as a primary unlock method. If there are no "actually valid reasons" for this practice, is it just coincidence?

                                      WhatTheFluff Personally I would love to be able to have a 2-fac PIN and a rebooted-device PIN that could be different from each other

                                      This is exactly how the upcoming feature will work. You set a primary PIN or password. For ease of remembering and strong security, if you don't want to rely on the Titan's password/PIN brute forcing protection, you probably want to use a 7 or 8 word diceware passphrase.

                                      There is a planned future feature to include a random diceware passphrase and PIN generator into GrapheneOS.

                                      Then you can set a different, likely shorter, PIN to use along with your fingerprint for the 2 factor unlocking.

                                      WhatTheFluff I went to unlock using fingerprint and to my disappointment I was denied for the sake of "security."

                                      This does have some potential security advantages, as after the time out it stops an adversary being able to unlock with a copied or forced fingerprint. Also it can help with stopping new users forgetting their PIN/pass.

                                      I agree it would be good to be able to adjust the time required before this was triggered for the reasons you state. To my mind this will have even more value once the 2 factor unlock feature is released.

                                      Until there is the ability to adjust the time or disable the automatic lockout of fingerprint unlocking, it is possible to work around hitting that problem by rebooting the device more frequently. For people who want higher security that is good practice anyway, as the process of rebooting can flush attackers who have a foothold on a device but have not yet managed the more difficult task of achieving persistence.

                                      5 months later

                                      As this has happened a couple times now I will update this again. First, the update with the fingerprint + PIN security setting did come out. I was happy to see that it did indeed work, except twice now I've gotten the error "Added security required. PIN not used for a while", once again forcing me to put in my base Android PIN, disabling the fingerprint until I do so, fully removing any benefit of the updated security option. If there is a user friendly way to turn off the forced PIN input after x time in the settings, please put the full directions for it in this thread, thank you.

                                        Rizzler

                                        WhatTheFluff Why not make it a habit to either set the phone to fully reboot during the night, or when you first unlock the phone in the morning at home, do a primary PIN unlock?

                                        To my knowledge you can't modify the 48hrs timer for the biometrics unlock being blocked.

                                        other8026 Thanks, did not see this one, but yeah I fully agree with the official recommendations.