2-factor fingerprint unlock feature is now fully implemented

GrapheneOS

or when you tapped 3 times with the wrong finger on the fingerprint scan, etc.

It prompts for it after 3 failures but you get 5 failures in total, and we can make this configurable.

You can extend the 48 hours after last successful primary unlock by doing primary unlock again.

Wouldn't it be more secure to have a general/whollistic two factor approach, where you always have to use both factors to login/unlock etc.?

No, that would regularly result in data loss. Biometrics aren't reliable enough to be used for primary unlock. The intention is also that people use a strong passphrase for primary unlock when using this feature.

DeletedUser313

GrapheneOS _

Is there a fingerprint-only mode that can only be disabled by 5 wrong attempts and nothing else like a reboot or even a 72 hour period like some OSes? It's true that biometrics can be more easily bypassed by forcing someone to press their finger against the sensor, but I think in everyday life shoulder surfers and cameras/reflection hacking is a greater risk. I still haven't got a Pixel so I can't test for myself

The source code mentions a fallback period of 72 hours before a primary authentication method is required to unlock your device.

^ I found this from another source about phones needing a password and preventing biometric unlock after a certain period of time.

User72848

@GrapheneOS

I just read everything, thank you for developing the new features. I do have a question:

Assuming the secure element is exploited and the fingerprint is acquired (AFU, within 48 hours), are they only limited to bruteforcing the primary passphrase or can they bruteforce the second factor PIN to complete the unlock?

GrapheneOS

User72848

AFU, within 48 hours

Our locked device auto-reboot feature defaults to 18 hours on GrapheneOS and can be lowered further. The device will be BFU before reaching that.

If they successfully exploit the device and it's AFU, they get nearly all the data. No need for brute forcing. GrapheneOS makes it very hard to exploit the device and gets it back to BFU automatically.

The 2nd factor PIN is a UI level feature and there are only 5 attempts for fingerprint unlock for GrapheneOS right now (as opposed to 4 groups of 5 attempts with 30s delays between them for 20 in total). Failed 2nd factor PIN entry counting towards the 5 attempt limit. If it's a random 4 digit PIN, there isn't really much hope of brute forcing it in 5 attempts so it's not really relevant as it is with a primary unlock PIN where we recommend 6 random digits or higher. 2nd factor PIN with only 4 random digits is fine, especially since it's just a 2nd factor.

User72848

GrapheneOS Thanks. If I'm understanding correctly, does that mean:

If the USBC port is somehow switched to On, the 2nd factor PIN doesn't do anything to stop the attacker from getting all the data?

raccoondad

DeletedUser313 Is there a fingerprint-only mode that can only be disabled by 5 wrong attempts and nothing else like a reboot or even a 72 hour period like some OSes?

No, because that's security theater

GrapheneOS

DeletedUser313 The purpose of the 2-factor unlock feature is adding a PIN as a 2nd factor to the regular fingerprint unlock feature. It doesn't change it beyond adding a PIN. You seem to be describing using the regular fingerprint unlock feature without a PIN, which you can do on GrapheneOS. The whole point of this feature is providing a more secure approach where you can have fingerprint+PIN with something like a 4 digit PIN as a convenient way to unlock combined with a strong primary unlock method like 6 diceware words. If you simply want to use a random 6 digit PIN as your primary unlock method and fingerprint-only unlock as a secondary method, that's a standard Android approach not requiring anything special.

DeletedUser313

raccoondad

Security theatre? It has actual uses

DeletedUser343

How do I use this feature?

GrapheneOS

DeletedUser343 Enable fingerprint unlock as a secondary unlock method and then add a 2nd factor PIN to it. You can still unlock with your primary unlock method as usual and are required to do so for Before First Unlock or after the timeout / attempt limit is hit for fingerprint unlock. The feature adds the option to set a 2nd factor PIN for fingerprint unlock, that's all.

DeletedUser313

GrapheneOS

Yes but some OSes revert to password unlock after a couple of days despite having fingerprints registered. I was wondering if GrapheneOS has a fingerprint-only mode that does not revert to other forms of unlocking

Now though, out of nowhere, at totally random times, I go to unlock my phone and before I even get a chance to irritate the fingerprint sensor into quitting, there's a message saying "Please enter your password to log in, in accordance with the security policy" or something similar enough that my paraphrase might as well be verbatim. When this is on the lock screen, there is no option for biometric unlocking available whatsoever.

This quote is from a Samsung user, I haven't gotten a Pixel phone so I can't test it for myself so I'm asking here if a fingerprint only mode exists. This way no one would be made to enter the password at inconvenient times with shoulder surfers and reflection hackers around

KleinesSinchen

DeletedUser313 This way no one would be made to enter the password at inconvenient times with shoulder surfers and reflection hackers around

The primary unlock method (pin/password) is needed after two (or three?) days. If you use the primary unlock method in the morning, you can be sure to not get asked for it during the day with shoulder surfers around.

After a reboot you will always need primary unlock as the fingerprint is not used (or usable) for decryption. Ending the session for a secondary user profile has the same effect for said profile as the reboot for the owner profile.

« Previous Page