Use a long password after boot but a shorter PIN for unlocking screen

DnniRY

The phone boots maybe once a day, but unlocking the screen is comparatively frequent.

What if I use a long password for "Owner" and a short PIN for a secondary user
"MainUserProfile"? Suppose I log into the latter after boot and use it throughout the day.

If a person has access to the raw data in the phone (bypassing the OS) and they know the hardware keys, can they decrypt the data for "MainUserProfile" without knowing the longer "Owner" password (assuming they are able to guess the short PIN for "MainUserProfile")?

DeletedUser202

A solution to your problem?

https://discuss.grapheneos.org/d/18585-2-factor-fingerprint-unlock-feature-is-now-fully-implemented

DnniRY

It seems like that might be useful. As I understand, the post says that one would only have to type the long password once every 48 hours, and in between one can use PIN+fingerprint. Actually, if I understand correctly, it seems to say the preceding sentence currently applies if "PIN+fingerprint" is replaced with "fingerprint" only ("The usual restrictions on fingerprint unlock still apply. It's a secondary unlock mechanism only usable for 48 hours after the last primary unlock"), i.e., the only thing that is new is the 2-factor with PIN (if I understand correctly). In that case, I would not have to wait for the new version of GrapheneOS to be released. (Presumably one would also have to type the password after reboot, even if less than 48 hours?)

But I wonder if anyone can answer the question I posed in the last paragraph of my original post: Suppose that a person has offline brute-force access to the internal storage (so there is no throttling of attempts). My question is: Does a strong password for the special Owner user provide any level of protection for secondary user profiles on the phone? Is the encryption nested, or if not nested, does the key derivation for the secondary user profiles depend on knowing the password of the special Owner user?

In other words, if I set the protection for the secondary user to None, or if I publish my fingerprint and PIN on the Internet, is a person who is able to bypass the OS able to read the data in the secondary user account, or do they need to also know the Owner's password in order to decrypt the secondary user account?

I note that after reboot I am not allowed to switch to a secondary user unless I type the Owner password first. But is this merely enforced by the OS, or is it enforced cryptographically? I.e., can a person that has bypassed the OS and the "secure element" and has the hardware keys and all that, access a secondary user profile's data without needing to provide (or guess) the Owner password like I have to?

de0u

DnniRY Does a strong password for the special Owner user provide any level of protection for secondary user profiles on the phone? Is the encryption nested, or if not nested, does the key derivation for the secondary user profiles depend on knowing the password of the special Owner user?

The encryption is not nested and the key derivation is not dependent. If one wishes to protect the contents of a secondary profile against an adversary able to access the raw flash storage, the secondary profile's PIN/passphrase must be strong.

DnniRY

de0u

Thanks, that answers my question. I will use a good password/PIN for both profiles and use secondary fingerprint method to unlock the screen between reboots. The fingerprint method is a bit janky for me but I think it might get better if I change my screen protector. (I wish we could use PIN only as secondary unlock method, but alas it is not possible.)

DeletedUser202

DnniRY The fingerprint method is a bit janky for me but I think it might get better if I change my screen protector.

Have you enabled Settings > Display > Increase touch sensitivity ? It might also help to redo the fingerprints with the screen protector on. And if I remember correctly, adding the same finger more than once also makes it more unreliable.

DnniRY

DeletedUser202

I did try the setting you mentioned, and it might have increased the success rate slightly, but it's still less than 50%. I had the screen protector on the first time I booted the phone, so I've never used it with it off.

I think it is just finicky for some people. Maybe it has to do with genetics. Some people say it works every time, even with a screen protector, but lots of people complain about it not working, even if with no screen protector. Some people suggest trying various things, like licking your finger (seems unhygienic), or doing something different in the setup process. But some people say it doesn't work reliably no matter what tricks they try.

https://www.reddit.com/r/GooglePixel/comments/1hdngbo/pixel_8a_fingerprint_reader_is_so_fxxd/
https://www.reddit.com/r/GooglePixel/comments/176tp4h/the_pixel_8_pro_fingerprint_reader_is_as_bad_as/
https://www.reddit.com/r/pixel_phones/comments/1el3o1r/8a_fingerprint_reader_is_garbage/

I think I will just go with a 6-digit PIN. I like the idea of using a diceware password, but it is too time-consuming to type it every time the screen locks, and I think the fingerprint method for secondary screen unlocking is not consistent enough for my preference (based on all the people complaining about it on the Internet). It usually fails and I end up having to type the password anyway.

Personally I would prefer PIN-only for secondary unlock method (this is similar to how on a Linux computer you can use two separate passwords for encryption and sudo; they don't have to be the same). But fingerprint unlock might be usable if the option is added to increase the number of attempts. In the current version of GrapheneOS, there does not seem to be any option to change the number of attempts (it seems to allow no more than 3 attempts or something like that). So I might try it again in the next version, when the option is added to increase the number of attempts. I think I can almost get there in 3 attempts: sometimes it will go through on the 3rd attempt. So if I could increase it to 10 or 20 attempts, it might be consistent enough to be usable.

DnniRY

An update: I've been able to get closer to a 100% success rate with the fingerprint scanner. I'm not sure what changed. Maybe it was a skill issue. Maybe over time I got better at planting my thumb in the particular way that it wants me to. (I also added 3 copies of my thumb, which I know you're not supposed to do but I just wanted to improve the success rate, and it seemed to help.)

The only bad thing is that whenever I switch back and forth between owner and secondary profiles, I have to type my password again, even if I didn't click "close session" (and anyways Owner never closes unless rebooted). Maybe it is for security purposes, but it makes it slower to switch to Owner to make a change of networking settings as mentioned here:
https://discuss.grapheneos.org/d/9293-turn-mobile-data-onoff-in-secondary-user