Asking for profile passwords randomly is no longer a good security practice?

This is not just GrapheneOS-specific but happens on other devices/cards as well. Your biometric unlock for a profile keeps working to unlock your profile until at some point it just asks you to enter the password in order to "secure you" or "protect you" or whatever phrasing is used. The same can be seen in contactless payment via, say, a debit card - every so often it'll just ask you to use chip and PIN to authenticate.

The frequency might be temporal (like once every day/2 days etc.) or usage related (after every 10 biometric unlocks ask for a password) or ....

I can understand this is a security feature (which is why it's seen in a wide variety of devices). However as times have evolved and most places have CCTVs and many/most of these in the future will have AI processing the footage, I think the security/privacy practices must also evolve.

GrapheneOS, for example, has asked me for my passwords suddenly when I'm in a supermarket, and I find myself uncomfortable entering it when there are so many cameras all over. You almost feel publicly naked (privacy wise) at that point, like typing in some password in plaintext on a giant public screen. Whether someone is interested in your password is I think moot (I'm happy to acknowledge that I'm too unimportant for someone/cctv-room to take interest in my passwords as I type them, but the point stands).

When something like that happens, I just defer using my phone till I'm out of such places (unfortunately can't do that for debit/credit cards when they eventually ask for PINs because, well, I need to pay somehow and I don't carry cash).

I don't know of a better solution but I'm not a smart chap, so was wondering if anyone has thought about this and can think/implement a better solution for GrapheneOS? Currently I just make it a point to enter the passwords to all my profiles every morning before I leave the house so it resets the frequency counter, but I sometimes forget and get stung by it anyway.

Maybe a reminder/popup that you'll need to enter the password soon so do it now to reset the counter? Maybe an ability to defer it by some number of times - like max you can defer and continue using biometrics is by 2 or 3 or whatever number (maybe configurable so user takes the responsibility)?

    If I recall, it works on a time interval on Android, which applies to GrapheneOS, too.

    Using your password manually when you are at home so that it doesn't prompt you for a password is the intended use method, but I agree that it would benefit from more user control. Personally I despise this feature from the bottom of my heart and would prefer disabling the prompt. It would be good to be able to disable it, perhaps with warnings about the security implications and a confirmation dialog before actually changing it. The notifications before it happens would also be quite helpful.

    Just restart your phone once a day before you leave home. You need to enter your password once every 48 hours.

    It's both a security and user training tool. Security in that it relatively quickly forces a PIN unlock into the more secure password. User training in that requiring regular use of the password makes people forgetting their password less likely.

      JollyRancher Sorry but I think that's terrible! That's just asking for auth fatigue. Imagine having a handful of profiles and each with password manager and so on. Restarting means you need to not only log into each one of them every day but also log into your password managers on each one of them and so on. The OP is better off just doing pre-emptive password auths once a day into their profiles (and that can be staggered too because all the apps in all the profiles are online anyway) like they mention. At least that way one is not redoing other logins like into password managers and other apps that need to be re-opened/re-logged-into after the phone restarts.

      And when even that is a terrible user experience as evidenced by the first two posts (and add mine to the list), the suggestion to do a total restart is obviously worse. The point is there should be freedom of choice. If someone finds once a day restarts palatable, more power to them. If someone doesn't then give them the choice to have it set up simpler. Restarts happen quite frequently with GrapheneOS anyway because of frequent updates. Some of us might not just have PINs but proper passwords to type in, which makes frequent restarts more painful.

      I think Graphene should add a setting which allows you to change the text size on the PIN/keypad. If that is combined with a randomized layout then many issues with CCTV/shoulder surfing could be eliminated. If the text is small enough even very high res CCTV cameras or close shoulder surfers with slow motion video cameras won't be able to reliably extract your key. Should be just small enough to see with the phone close to your face.

        DollyRags Yeah that could be one possible improvement. However the ability to just defer it by a max num of times as suggested earlier is better still. And the option to totally switch this "feature" off is even better, also suggested earlier in the thread. Keep it on by default and have folks explicitly opt-into turning it off if needed. I certainly don't want to be typing in passwords to profiles every 48hrs or whatever and that too at inopportune times/locations. Some airports have a pretty good CCTV for that matter and they are improving all the time. I take the responsibility of what happens if I haven't typed in my passwords for a long time and have forgotten them, just like I take it for insuring/not-insuring my life/house or any other decision in my life which is not legally binding on me to do or not-do it.

        beta

        Asking for profile passwords randomly is no longer a good security practice?

        There's nothing random or arbitrary about it. Primary unlock allows secondary unlock to be used for 48 hours or until the attempt limit for secondary unlock is reached. It's your choice if you want to wait until the end of that 48 hours before starting the timer again by using primary unlock. If you used primary unlock once per day in the morning, you would never hit the 48 hour timer. Part of why this is needed is to avoid people going weeks without using their primary lock method and forgetting it. We already see people forgetting their lock methods and needing to wipe on a regular basis, although it usually happens after people set a new one but don't properly memorize it initially or they made the same typo twice in a row when setting it up.

        JollyRancher There's no need to restart the device. It's a 48 hour timer started with successful usage of the primary lock method.
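
The 48-hour rule described in the replies above, modelled as an added sketch that is not part of the thread and is not GrapheneOS or Android code. The class and function names are hypothetical, the attempt limit of 5 and the rule that only a primary unlock clears the failure counter are assumptions (the thread gives no number), and the three unlock schedules are constructed sample data.

```python
from dataclasses import dataclass

PRIMARY_WINDOW_H = 48        # from the thread: 48-hour timer after a primary unlock
SECONDARY_ATTEMPT_LIMIT = 5  # assumed value; the thread does not state the limit

@dataclass
class LockState:
    last_primary_h: float = 0.0  # hour of the last successful primary unlock
    failed_secondary: int = 0    # failed biometric attempts since that unlock

    def secondary_allowed(self, now_h):
        return (now_h - self.last_primary_h < PRIMARY_WINDOW_H
                and self.failed_secondary < SECONDARY_ATTEMPT_LIMIT)

    def unlock(self, now_h, method, ok=True):
        """Return 'unlocked', 'rejected' or 'primary_required'."""
        if method == "primary":
            if not ok:
                return "rejected"
            self.last_primary_h = now_h  # only primary restarts the timer
            self.failed_secondary = 0
            return "unlocked"
        if not self.secondary_allowed(now_h):
            return "primary_required"
        if ok:
            return "unlocked"            # biometric success does not restart the timer
        self.failed_secondary += 1
        return "rejected"

def forced_prompts(events):
    """Hours at which a biometric attempt was refused and the password was demanded."""
    state, forced = LockState(), []
    for now_h, method, ok in events:
        if state.unlock(now_h, method, ok) == "primary_required":
            forced.append(now_h)
            state.unlock(now_h, "primary", True)  # user gives in and types the password
    return forced

# Constructed schedules; each event is (hour since boot, method, success).
BIOMETRIC_ONLY = [(h, "secondary", True) for h in range(6, 121, 6)]
MORNING_ROUTINE = [(24 * d + h, m, True) for d in range(5)
                   for h, m in ((7, "primary"), (12, "secondary"), (18, "secondary"))]
FAILED_ATTEMPTS = [(h, "secondary", False) for h in range(1, 6)] + [(6, "secondary", True)]

if __name__ == "__main__":
    print("biometric only :", forced_prompts(BIOMETRIC_ONLY))
    print("morning routine:", forced_prompts(MORNING_ROUTINE))
    print("failed attempts:", forced_prompts(FAILED_ATTEMPTS))
```

With biometrics only, the password is demanded every 48 hours at whatever moment the next unlock happens to fall; entering it each morning at home means the prompt never lands in public, with no restart involved.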