• Announcements
  • 2-factor fingerprint unlock feature is now fully implemented

r_dac

Are you using always-on display?

Are you disabling animations via either Accessibility or Developer options?

We've found an upstream bug in the Android lockscreen implementation which may explain what you've seen.

    GrapheneOS

    Yes to both. I have always-on-display and animations disabled via Accessibility menu.

    Turning the animations back on changed the always-on-display behaviour I described above. It now shows the fingerprint icon and 2FA PIN appears as expected.

    Looks like we found the issue.

      r_dac Disabling animations breaks always-on display in a strange way. The upstream biometric handling code ends up thinking the device isn't locked and the UI doesn't display properly. After a fingerprint is used, it thinks it was already unlocked and skips a bunch of the code for handling unlocking including our 2-factor authentication feature. This is a serious upstream bug we'll need to figure out how to resolve. We can implement a temporary workaround for it today.

      Right on! Nice work again. It's a great feature.

      I wonder, if Graphene devs hadn't implemented the 2FA PIN feature, maybe this upstream AOSP bug would have gone unnoticed for longer than it has, because the standard fingerprint option on its own was still seemingly working fine, even with the display issue on the always-on-display caused by killing animations.

        r_dac Thanks r_DAC for sticking with it, testing, and reporting. Makes it better for everyone 👏

        As always, thanks to GOS team for all you do!

        This is the fix for the upstream lockscreen bug which impacted more than 2-factor fingerprint unlock but we haven't identified any actual lockscreen bypass with it:

        https://github.com/GrapheneOS/platform_frameworks_base/commit/9fc824bd0271e79ea56f84a332bfd1bcdceb32c9

        They had code unnecessarily fetching the animation scale as a string and comparing it to "0" so it broke when they changed it from an integer to a floating point number where the string is "0.0". It's a very silly issue.

        Since this is overly fragile, we added a defensive measure to protect against similar issues:

        https://github.com/GrapheneOS/platform_frameworks_base/commit/4810ab5ca9f63276cc6c8c75643b13df80782e50

        10 days later
        • Edited

        GrapheneOS The limit on failed fingerprint unlock attempts in GrapheneOS is 5...

        I have now tried it several times. The password prompt appears always after the third failed attempt.

        I think it's good and would also prefer one attempt to restrict the use of force to unlock the system, which is increasingly being used by state authorities even in so-called constitutional states (when use without 2-factor).

        But I definitely want to understand my system very clearly. Why 3 instead of 5 for me?

          • Edited

          asd after 3 failed attempts it asks you for the password, but you can still just hit the back button/gesture and try again with fingerprint. After 5 failed attempts you have to type the password and can't use fingerprint.

          • asd likes this.

          asd That's the standard Android behavior. After 3 attempts, it shows the prompt. After 5, it does the initial lockout which is the permanent lockout on GrapheneOS since we only permit 5. Standard Android permits 20 in total with 30 second delays between each 5. The reason for showing the prompt after 3 is to reduce it getting locked out by accident.

          10 days later

          GrapheneOS
          OK, this is a nice feature, stopping someone from spying on my primary PIN. Thank you for that.
          But, wouldn't it be better to have a whollistic two factor authentication approach. Currently you have to enter your primary PIN after phone restart or when you tapped 3 times with the wrong finger on the fingerprint scan, etc.

          Wouldn't it be more secure to have a general/whollistic two factor approach, where you always have to use both factors to login/unlock etc.?
          Do you plan to implement such a feature?

            GrapheneOS Any idea when this might get fixed, or is it just wait and see?

            noradx

            or when you tapped 3 times with the wrong finger on the fingerprint scan, etc.

            It prompts for it after 3 failures but you get 5 failures in total, and we can make this configurable.

            You can extend the 48 hours after last successful primary unlock by doing primary unlock again.

            Wouldn't it be more secure to have a general/whollistic two factor approach, where you always have to use both factors to login/unlock etc.?

            No, that would regularly result in data loss. Biometrics aren't reliable enough to be used for primary unlock. The intention is also that people use a strong passphrase for primary unlock when using this feature.