According to GOS, what is the best unlocking method for combating forcible entry?
PIN without fingerprint or password + fingerprint and 2FA
Unless both methods are good?
2-factor fingerprint unlock feature is now fully implemented
What you're describing isn't at all normal unless you're using a screen protector. If you have a screen protector, that's the problem.
Don't register it multiple times. Delete the existing ones, register it once and use it repeatedly after the initial registration while moving around your finger to help train it better. Using it more will train it better. Having it registered multiple times will mean only one gets selected and updated each time you unlock which will make it much worse in the long run. It's a short term hack making it worse in the long run.
We plan to make the attempt limit configurable but your experience doesn't match the experience of the vast majority of users without screen protectors. Screen protectors are a huge issue for fingerprint unlock, particularly optical and particularly if they're those privacy screen protectors reducing viewing angle.
Stewart A strong diceware passphrase with 2-factor fingerprint+PIN secondary unlock using a random PIN is far better than the same random PIN as a primary unlock method. That's the whole point of the 2nd factor PIN feature. It allows using a strong passphrase with more convenience via the secondary unlock method. Fingerprint+PIN is also better than a PIN by itself too even only when considering the device in After First Unlock state where secondary unlock hasn't been locked out. Our original post explains all this and why: GrapheneOS.
GrapheneOS Okay, thanks for the feedback, I've only been using the PIN until now, I'm going to switch to passphrase + fingerprint and PIN.
Hi everyone,
I appreciate the effort in enhancing security with the 2-Factor Fingerprint Unlock feature in GrapheneOS. However, I believe it could strike a better balance between usability and security by requiring the Second Factor PIN conditionally.
For instance, the system could:
- Allow regular fingerprint unlocking during normal use.
- Trigger the Second Factor PIN after a configurable number of failed fingerprint attempts.
- Continue requiring the primary passphrase in critical situations.
This approach protects against biometric spoofing and coercion while reducing the inconvenience of entering a PIN. It also makes the feature more adaptable to different user threat models.
I’d love to hear your thoughts! Is this something the team could consider for a future update?
Thanks again for your hard work on GrapheneOS!
peroxide7881
I don't like this idea.
I believe Fingerprint unlock is insecure as you leave your fingerprint everywhere you go which allows any motivated attacker the chance to clone the fingerprint and subsequently bypass the lockscreen.
Is it possible to have a 6+ digit second factor PIN confirm automatically? I believe it's possible with a normal 6+ digit PIN, so is this functionality simply not implemented or can I just not find it?
Thank you for developing this feature.
I probably won't use this feature on a daily basis as I don't need it currently for my threat model.
However, I would like to use this feature for biometric unlock inside apps, e.g. fingerprint can unlock the device, but for unlocking e.g. KeepassDX or Aegis (if enabled), fingerprint and PIN is required.
Would this even make sense and can be implemented in a secure way?
yellow-leaves I would be very interested in seeing how easy or difficult this to literally clone a fingerprint on a pixel 8 fingerprint scanner, I don't think it's that likely. I think it would be more likely that you are forced into using your fingerprint.
A good solution would be to have, after five or three wrong fingerprints, then have the pin code kick in with duress pass on.
But I am genuinely interested. Is it easy to copy a fingerprint and use that on the phone?
peroxide7881
Was a famous demonstration years ago, reconstructing the print from photographs taken at a press conference, to prove the point to the German defence minister
https://www.forbes.com/sites/paulmonckton/2014/12/30/hacker-clones-fingerprint-from-photograph/
peroxide7881 This would entirely defeat the purpose of the feature. You can already use regular fingerprint unlock with the usual limit of 5 failed attempts.
- Edited
Carlos-Anso
Thanks for sharing that article, Carlos! It's fascinating to learn about the potential of fingerprint cloning, although it sounds like it's not quite as simple as it might seem.
This made me look up what sensor the Pixel 8 and older models use, and it turns out to be optical fingerprint sensors. These don't have the same liveness detection or 3D imaging capabilities as the ultrasonic sensors found in the Pixel 9. This means that they're theoretically more vulnerable to spoofing attacks using high-quality replicas.
So I guess that while cloning a fingerprint from a photo is possible, it's very difficult and would only be important for super high threat model individuals. Correct me if wrong.
Thanks for the response! I understand your point about the 5 failed attempt limit, but in practice (as a GOS user myself), you can do 3 failed attempts, press the standby button, and then do another 3 failed attempts before the device forces you to use your PIN or passphrase.
This effectively allows 6 failed attempts in total, which has been the existing behavior in GrapheneOS. My suggestion is that the new 2FA PIN feature could be enhanced by making it configurable as a fallback after a cumulative number of failed attempts (e.g., after 3). This would allow users with lower threat models to avoid having to always use both fingerprint and the 2FA PIN for every unlock, while still maintaining robust security protections. And those who wish to always have the 2FA PIN could still do that.
Would love to hear thoughts on whether this could be implemented as part of the new 2FA system or what your views on that are. I do not see it defeating the purpose entirely as you describe it.
- Edited
peroxide7881 So I guess that while cloning a fingerprint from a photo is possible, it's very difficult and would only be important for super high threat model individuals
You also leave your fingerprints all over everything you touch.
People 3d print fingerprints to fool sensors. I presume it would be possible to select print materials that would work with any type of sensors. With a bit of practice likely to be quick, easy and cheap to create a fingerprint.
Its the reason a lot of people with higher threat models avoid using fingerprint unlock and another reason 2F fingerprint/PIN unlock is valuable.
Carlos-Anso I definitely agree with you that this feature is valuable! There is no debating that.
I was merely suggesting another middle ground option for those who have a lower threat model that could be implemented within this new feature. :)
Can we have the PIN confirm auto?
0289380427 +1 for auto PIN confirm. The numpad opens only after a successful finger print read.
Been using this feature for the past week, love it GrapheneOS team, thank you!
0289380427 If I correctly understand "PIN confirm auto", I'd guess it would weaken the security of the PIN. Forcing the entry of "end of line" seems much more exacting.
Please don't do this.
(I suppose the auto PIN confirm could be made a configurable option - at the cost of complexity)
I think there is a bug with the 2fa when I end the secondary profile session and the owner profile lockscreen shows first a fingerprint icon but it doesn't respond to touch. It does that every time I switch back to owner profile. I have to turn the screen off and on first and then it asks for a password. P7 2024123000 stable