WhatTheFluff It was explained in the first reply that we're adding the option to set a 2nd factor PIN to fingerprint unlock. There's no significant reason for us to add secondary PIN option. Entering a 4 digit PIN by itself is hardly more convenient than entering a 4 digit PIN after using a fingerprint to trigger the PIN entry. Either way, you have to trigger the PIN entry, and it might as well be through fingerprint unlock for this purpose. Unclear why we would add another approach.
Why not remove/make longer the require pin input after 3 days?
GrapheneOS added the Solved tag .
- Edited
GrapheneOS So the reboot triggers mandatory use of the primary unlock method. Therefore resetting the timer when unlocked. My suggestion perfectly applies regardless of the technicality that the reboot itself doesn't reset the timer. Effectively it does though, because it foces you to unlock it with the primary method which in fact resets it, as you said.
WhatTheFluff Yes i know. Im suggesting turning auto reboot to a value which reboots your phone at night. You will then have to unlock it in the morning and then the timer will be reset. You will not worry about fingerprint getting disabled during the day.
I think they were referring to the secondary unlock timer that is different from the feature that prevents fingerprint unlocking after a reboot.
GrapheneOS Android has a standard 48 hour timer for secondary unlock being usable after the primary unlock method is successfully used.
[deleted]
- Edited
WhatTheFluff in a case of an event of an official nature (validating document for example) you simply ask those surrounding you to respect your privacy while you are inputting your credentials. If you are dealing with reasonable individuals, they would pretty much expect the same.
GrapheneOS Thank you for taking time out of your day to respond.
GrapheneOS It works this way for security reasons
I've seen that said a lot by developers of Android, however they never gave any actually valid reasons that couldn't just have configure options so the user can choose how short or long they want the timer to be.
GrapheneOS to avoid users forgetting their primary unlock method
Quoted above is both Valid and Invalid. As: yes humans forget things quite often, sometimes they can remember them, sometimes not. With passwords and pins it will always vary per person how long/ short and if they forget them. The part making it invalid though is that, just because according to securitymagazine "15% of respondents did so at least once a week" (could forget their pin and need to reset it within a week) doesn't mean everyone using an android device should be force to deal with that. However if the 2-fac fingerprint has no timer associated with it then that would be a better way to give peace of mind to a user while still having a quick fingerprint reading and then inserting a pin. Personally I would love to be able to have a 2-fac pin and a rebooted device pin that could different from each other so I can get in quickly with a fast fingerprint and pin input with pin A then have a longer secure pin B that will only ever be used for after my device has restarted from manual, auto-reboot, or after update rebooting. Again, thank you GrapheneOS moderator for replying, and confirming that the 2-Fac is in the works.
- Edited
It works this way for security reasons
WhatTheFluff I've seen that said a lot by developers of Android, however they never gave any actually valid reasons that couldn't just have configure options so the user can choose how short or long they want the timer to be.
But in this thread two reasons were mentioned.
- I wrote (de0u ):
My understanding is that the fingerprint reader can report that a fingerprint is/isn't in the enrolled set, but that the fingerprint reader doesn't release encryption tokens because it doesn't have access to them. My understanding is that after a restart the only way to access private data for a profile is for the profile's storage key to be derived from the PIN/passphrase.
If the fingerprint reader could decide to decrypt storage before the first unlock, or whenever it wanted to, that would significantly increase attack surface. That is a security reason.
- The official project account wrote (GrapheneOS):
You leave fingerprints all over everything you touch so in reality it's not actually particularly secret and it's not a primary unlock method for good reason.
Leaving unlock information (fingerprint images) around, so it's not secret, is also a security reason.
Any given person might choose to weigh those reasons lower than some other factors, but that doesn't mean that no "actually valid reasons" have been presented.
I can't help observing that Apple devices require a PIN or passphrase after reboot (and, I think, at other times). So again fingerprints aren't being used as a primary unlock method. If there are no "actually valid reasons" for this practice, is it just coincidence?
- Edited
WhatTheFluff Personally I would love to be able to have a 2-fac pin and a rebooted device pin that could different from each other
This is the exactly how the upcoming feature will work. You set a primary PIN or password. For ease of remembering and strong security, if you dont want to rely on the Titans password/PIN brute forcing protection, probably want to use a 7 or 8 word diceware passphrase.
There is a planned future feature to include a random diceware passphrase and PIN generator into GrapheneOS.
Then you can set a different, likely shorter, PIN to use along with your fingerprint for the 2 factor unlocking.
WhatTheFluff I went o unlock using fingerprint and to my disappointment I was denied for the sake of "security."
This does have some potential security advantages as after the time out it stops an adversary being able to unlock with a copied or forced fingerprint. Also it can help with stopping new users forget their PIN/pass.
I agree it would be good to be able to adjust the time required before this was triggered for the reasons you state. To my mind this will have even more value once the 2 factor unlock feature is released.
Untill there is the ability to adjust the time or disable the automatic lockout of fingerprint unlocking it is possible to work around hitting that problem by rebooting the device more frequently. For people who want higher security that is good practice anyway as the process of rebooting can flush attackers who have a foothold on a device but not yet managed the more difficult task of achieving persistance.
5 months later
As this has happened a couple times now I will update this again. First, the update with the fingerprint + pin security setting did come out. I was happy to see that it did indeed work, except twice now i've gotten the error "Added security required. PIN not used for a while" once again forcing me to put in my base android pin, disabling the fingerprint until I do so, fully removing any benefit of the updated security option. if there is a user friendly way to turn off the forcing pin input after x time in the settings please put the full directions of it in this thread, thank you.
WhatTheFluff Why not make it a habit to either set the phone to fully reboot during night or when you first unlock the phone in the morning at home, do a primary pin unlock?
To my knowledge you can't modify the 48hrs timer for the biometrics unlock being blocked.
WhatTheFluff The project account talked about this recently here: https://discuss.grapheneos.org/d/19671-asking-for-profile-passwords-randomly-is-no-longer-a-good-security-practice/11