r_dac Check your configuration across users if you're using multiple. The Owner user configuration still applies to an extent in secondary users.
2-factor fingerprint unlock feature is now fully implemented
Hi,
I use only the single Owner user, and Private Space isn't enabled.
I saw 2 more occurrences of the 2FA PIN prompt not appearing during unlock today. I am confident that the device was locked prior to the second occurrence because when I put the phone down, I locked it with the power button and intentionally swiped up to confirm it would ask for a password and left it alone for about 3 hours. When I came back to it after 3 hours, I picked it up, applied my fingerprint and it unlocked without prompting for a PIN.
I saved the system log after that occurrence and noted the approximate time of the second occurrence (I can't recall exactly when the first one happened today). As soon as this happens again, I'll save the log once more and hopefully that will provide some useful data for a point of comparison.
I discovered the exact condition that is leading to the 2FA PIN prompt not appearing after fingerprint unlock in some cases.
I confirmed this is repeatable every time on my device, even after a reboot. I saved a system log which I can share if it's helpful.
Setting required to reproduce:
Always Show Time and Info - toggled on
Confirmed to happen with the following optional settings:
Power button is set to lock immediately, and I confirmed this still happens whether I have a post-display timeout buffer of 5 seconds set, or no buffer (locks as soon as the display turns off to the always-on clock). It makes no difference.
So, the exact state is this:
Once the device is locked, either by screen timeout or power button, the screen transitions to the always-on display with a clock, but no fingerprint icon, nor shortcuts (if enabled).
When in this state, unlock with fingerprint will not trigger 2FA on my Pixel 7.
However, if the screen is first "awoken" out of the always-on-display, such that the screen brightens, the fingerprint icon appears, and shortcuts (if enabled) appear, then 2FA will work correctly.
Hopefully someone can try this on their device to confirm whether it's isolated to just mine or not.
Thanks
Are you using always-on display?
Are you disabling animations via either Accessibility or Developer options?
We've found an upstream bug in the Android lockscreen implementation which may explain what you've seen.
Yes to both. I have always-on-display and animations disabled via Accessibility menu.
Turning the animations back on changed the always-on-display behaviour I described above. It now shows the fingerprint icon and 2FA PIN appears as expected.
Looks like we found the issue.
r_dac Disabling animations breaks always-on display in a strange way. The upstream biometric handling code ends up thinking the device isn't locked and the UI doesn't display properly. After a fingerprint is used, it thinks it was already unlocked and skips a bunch of the code for handling unlocking including our 2-factor authentication feature. This is a serious upstream bug we'll need to figure out how to resolve. We can implement a temporary workaround for it today.
Right on! Nice work again. It's a great feature.
I wonder, if Graphene devs hadn't implemented the 2FA PIN feature, maybe this upstream AOSP bug would have gone unnoticed for longer than it has, because the standard fingerprint option on its own was still seemingly working fine, even with the display issue on the always-on-display caused by killing animations.
This is the fix for the upstream lockscreen bug, which impacted more than 2-factor fingerprint unlock, but we haven't identified any actual lockscreen bypass with it:
They had code unnecessarily fetching the animation scale as a string and comparing it to "0" so it broke when they changed it from an integer to a floating point number where the string is "0.0". It's a very silly issue.
Since this is overly fragile, we added a defensive measure to protect against similar issues:
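As an added illustration of the fragile comparison described in the post above (this is not the AOSP or GrapheneOS code, which lives in the Android framework and is written in Java; it is a Python model written for this page), the following contrasts a string comparison of the animator scale setting against "0" with a parse-as-float check. The function names, the sample values and the choice of "animations enabled" as the fallback for a missing or malformed value are assumptions made here, not details quoted from the fix.

```python
# Added example, not code from the thread or from GrapheneOS.  It models the
# upstream check that read the animation scale as a string and compared it to
# "0".  Function names and sample values are assumptions for illustration.
from typing import Optional


def fragile_animations_disabled(raw: Optional[str]) -> bool:
    """Upstream-style check: the setting is read as a string and compared to "0".

    Works while the stored value is an integer ("0") and silently breaks once
    the value is stored as a float ("0.0"): disabled animations are then no
    longer detected, and any code keyed on that result takes the wrong path.
    """
    return raw == "0"


def animations_disabled(raw: Optional[str], default_scale: float = 1.0) -> bool:
    """Defensive check: parse the scale numerically instead of comparing text.

    "0", "0.0" and "0.00" all mean the same thing.  A missing or malformed value
    falls back to default_scale (1.0, animations on), which is the conservative
    choice for a code path that must not skip unlock handling by accident.
    """
    if raw is None:
        return default_scale == 0.0
    try:
        scale = float(raw.strip())
    except ValueError:
        scale = default_scale
    return scale == 0.0


def compare(raw: Optional[str]) -> tuple:
    """Return (fragile result, defensive result) for one stored value."""
    return fragile_animations_disabled(raw), animations_disabled(raw)


# Constructed sample values: integer and float spellings of "off", a few
# enabled scales, and the malformed inputs a defensive reader must survive.
SAMPLES = ["0", "0.0", "0.00", "1.0", "0.5", "", "garbage", None]

if __name__ == "__main__":
    for value in SAMPLES:
        fragile, defensive = compare(value)
        flag = "" if fragile == defensive else "   <-- divergence"
        print(f"{value!r:>10}: fragile={fragile!s:<5} defensive={defensive!s:<5}{flag}")
```

Running the script shows the single value where the two checks disagree, "0.0", which is exactly the representation change described in the post: a check that compares the parsed number cannot be broken by a change in how the same number is spelled.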
GrapheneOS The limit on failed fingerprint unlock attempts in GrapheneOS is 5...
I have now tried it several times. The password prompt appears always after the third failed attempt.
I think it's good and would also prefer one attempt to restrict the use of force to unlock the system, which is increasingly being used by state authorities even in so-called constitutional states (when used without 2-factor).
But I definitely want to understand my system very clearly. Why 3 instead of 5 for me?
asd That's the standard Android behavior. After 3 attempts, it shows the prompt. After 5, it does the initial lockout which is the permanent lockout on GrapheneOS since we only permit 5. Standard Android permits 20 in total with 30 second delays between each 5. The reason for showing the prompt after 3 is to reduce it getting locked out by accident.
GrapheneOS OK, this is a nice feature, stopping someone from spying on my primary PIN. Thank you for that.
But, wouldn't it be better to have a holistic two factor authentication approach? Currently you have to enter your primary PIN after a phone restart or when you've tapped 3 times with the wrong finger on the fingerprint scanner, etc.
Wouldn't it be more secure to have a general/holistic two factor approach, where you always have to use both factors to login/unlock etc.?
Do you plan to implement such a feature?
GrapheneOS Any idea when this might get fixed, or is it just wait and see?
or when you've tapped 3 times with the wrong finger on the fingerprint scanner, etc.
It prompts for it after 3 failures but you get 5 failures in total, and we can make this configurable.
You can extend the 48 hours after last successful primary unlock by doing primary unlock again.
Wouldn't it be more secure to have a general/holistic two factor approach, where you always have to use both factors to login/unlock etc.?
No, that would regularly result in data loss. Biometrics aren't reliable enough to be used for primary unlock. The intention is also that people use a strong passphrase for primary unlock when using this feature.
I just read everything, thank you for developing the new features. I do have a question:
Assuming the secure element is exploited and the fingerprint is acquired (AFU, within 48 hours), are they only limited to bruteforcing the primary passphrase or can they bruteforce the second factor PIN to complete the unlock?
AFU, within 48 hours
Our locked device auto-reboot feature defaults to 18 hours on GrapheneOS and can be lowered further. The device will be BFU before reaching that.
If they successfully exploit the device and it's AFU, they get nearly all the data. No need for brute forcing. GrapheneOS makes it very hard to exploit the device and gets it back to BFU automatically.
The 2nd factor PIN is a UI level feature and there are only 5 attempts for fingerprint unlock for GrapheneOS right now (as opposed to 4 groups of 5 attempts with 30s delays between them for 20 in total). Failed 2nd factor PIN entries count towards the 5 attempt limit. If it's a random 4 digit PIN, there isn't really much hope of brute forcing it in 5 attempts, so it's not really relevant as it is with a primary unlock PIN, where we recommend 6 random digits or higher. A 2nd factor PIN with only 4 random digits is fine, especially since it's just a 2nd factor.
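The attempt budget described in the two GrapheneOS replies above (prompt for the primary credential after 3 failures, lockout at 5, versus stock Android's 20 attempts with a 30 second delay after every group of 5, with a failed 2nd-factor PIN counting like a failed fingerprint, and biometrics needing a primary unlock within the last 48 hours) as an added Python model. This is example code written for this page, not GrapheneOS's or Android's lockscreen code; the class and method names, the `"retry"`/`"prompt_primary"`/`"delayed"`/`"locked_out"`/`"primary_required"` status strings and the use of the same 48 hour window for both policies are assumptions, and the numeric limits are the ones stated in the posts.

```python
# Added example, not GrapheneOS or Android code: a model of the fingerprint
# attempt budget described in the thread.  Limits are taken from the posts
# (prompt after 3, lockout at 5; stock Android 20 total, 30 s delay per 5);
# names, status strings and the shared 48 h window are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class BiometricPolicy:
    max_attempts: int            # total failures before biometrics are disabled
    group_size: int              # failures per group before a timed delay
    group_delay_s: int           # 0 means no timed delay, only the hard lockout
    prompt_after: int = 3        # offer the primary credential after this many
    primary_window_s: int = 48 * 3600   # biometrics allowed this long after a primary unlock


GRAPHENEOS = BiometricPolicy(max_attempts=5, group_size=5, group_delay_s=0)
STOCK_ANDROID = BiometricPolicy(max_attempts=20, group_size=5, group_delay_s=30)


@dataclass
class LockscreenState:
    policy: BiometricPolicy
    last_primary: float = 0.0    # time of the last successful primary unlock
    failures: int = 0            # failed biometric and 2nd-factor attempts since then
    locked_out: bool = False     # biometrics disabled until a primary unlock
    delay_until: float = 0.0     # end of the current timed delay (stock style)

    def biometric_allowed(self, now: float) -> str:
        """Why biometrics cannot be used right now, or "ok" if they can."""
        if self.locked_out:
            return "locked_out"
        if now - self.last_primary > self.policy.primary_window_s:
            return "primary_required"
        if now < self.delay_until:
            return "delayed"
        return "ok"

    def biometric_failure(self, now: float) -> str:
        """Record one failure: a wrong finger, or a wrong 2nd-factor PIN after a
        matching fingerprint, which the thread says counts against the same limit."""
        status = self.biometric_allowed(now)
        if status != "ok":
            return status
        self.failures += 1
        if self.failures >= self.policy.max_attempts:
            self.locked_out = True           # GrapheneOS: permanent until primary unlock
            return "locked_out"
        if self.policy.group_delay_s and self.failures % self.policy.group_size == 0:
            self.delay_until = now + self.policy.group_delay_s   # stock: 30 s per group
            return "delayed"
        if self.failures >= self.policy.prompt_after:
            return "prompt_primary"          # UI offers the primary credential early
        return "retry"

    def primary_unlock(self, now: float) -> None:
        """A successful primary credential clears every counter and restarts the window."""
        self.last_primary = now
        self.failures = 0
        self.locked_out = False
        self.delay_until = 0.0


def run(policy: BiometricPolicy, n_failures: int, step: float = 0.0) -> list:
    """Apply n consecutive failures, `step` seconds apart, to a fresh lockscreen."""
    state = LockscreenState(policy)
    return [state.biometric_failure(i * step) for i in range(n_failures)]


if __name__ == "__main__":
    print("GrapheneOS   :", run(GRAPHENEOS, 7))
    print("stock, rapid :", run(STOCK_ANDROID, 7))
    print("stock, patient:", run(STOCK_ANDROID, 20, step=31.0))
```

With a fresh state, GrapheneOS returns two retries, two primary prompts and then a hard lockout; stock Android only pauses for 30 seconds after each group of five and does not reach its hard lockout until the twentieth failure, which is the difference the reply above is pointing at when it compares "5 attempts" with "4 groups of 5".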