Feature idea: lock phone (disable biometrics) after x time

I don't think I could give up on biometric practicality, unless using a very simple pin, which is not ideal.

I love that I have the option to lock the phone quickly via power button menu, but it requires being able to anticipate and act before "dangerous situations" which is not a given.

I won't delve into the multiple options and scenarios of defending a phone against an aggressive actor. Everyone could agree that a phone set with biometric is simply less secure than just a pin overall.

Could it be possible then, to implement a feature that would - same as auto reboot - disable biometrics after x time since last unlock? It would fill a somewhat uncomfortable gap in security and keep the phone user friendly imho.

Thanks for the read!

    Thank you for the suggestion. I reckon it's hard for me to give up on straightforward/on the fly biometric unlock with one hand, even though the attached 2nd factor pin would be simple.. I'd rather switch automatically between ease of use and security as described.
    Just my opinion, thanks for having made possible different options already.

    Not sure what problem a timeout for biometrics would solve here:

    • You generally don't want to use (2nd factor) Pin but rather (just) fingerprint unlock
    • You mentioned the security feature of auto reboot already which would give on top of disabling fingerprint peace of mind with a BFU state phone
    • You also are aware of the shortcut to disable fingerprint unlock (the "lockdown" mode)

    If you need to disable fingerprint unlock in dangerous situations, you need the shortcut. If that can't be done and you need an automated solution, the timer would probably need to be set so low that you couldn't use fingerprint unlock anyway in a reasonable manner, therefore you could just disable it entirely (or use 2nd factor pin which gives you the best of both worlds).

    Please let us know what you are trying to protect against. I'm sure the devs would implement a useful solution to prevent a realistic threat, but in my experience they don't do half-baked features that solve no good purpose or could be bypassed easily... That's why we don't have timeout for camera/mic or hotspot VPN routing.

    That would simply be a "light" auto reboot of some sort. I still want to be able to receive calls and messages.

    Sometimes you lock/unlock your phone back and forth in a very short span of time, mostly with a single hand, biometric is very handy.

    Rest of the time I'd like the assurance to know that my phone automatically switched to a more secure state.

    Not much more to add, it seems to boil down to very personal preferences apparently.

      Canardo_Sanchez I think maybe people are having trouble envisioning specific scenarios where value would be added.

      What sort of timeout are you envisioning? One minute, two minutes...? How frequently are you currently locking the device? Once per minute?

      What sort of "aggressive actor" are you imagining? Presumably it would be somebody who could force you to press your finger on the sensor... but not also force you to enter a PIN?

      Of course you are not required to describe your situation in detail if you don't wish to. But lock-screen code is very complex and also risky to change. I suspect the developers would want a very clear and detailed case before changing that code.

        I'd also like to add that a very simple 2FA Pin such as 1234 would increase your security compared to no 2FA pin at all (which is the case on Pixel OS or most other AOSP based systems).. Not saying this is the way to go, just an idea to have a good compromise for now...

          de0u the scenario would be to be forced to put your finger on the screen. You could cheese your way out by using the wrong finger (if you can) and lock the device, but that may add some unwanted tension to an already unpleasant situation.

          I guess I would have a timer between 30 min and 1 hour, but having as many options as the auto reboot feature would be great.

          My threat model is low and I live in a reasonably democratic country. That being said I have no doubt whatsoever that being at the wrong place at the wrong time could lead to such a thing, either with some thugs or the police.

          N1b thank you for your suggestions.

            Canardo_Sanchez the scenario would be to be forced to put your finger on the screen.

            So the threat actor would take the device from you and force your finger on the screen, all without you being able to activate lockdown mode or turn off the device beforehand. The threat actor would need to take your device by surprise or in less than a minute, as that is the longest it would take you to deactivate the fingerprint sensor (blindly turn off your phone by holding the power button).

            Canardo_Sanchez I guess I would have a timer between 30 min and 1 hour, but having as many options as the auto reboot feature would be great.

            For the scenario described this would be way too long, right? It should ideally be 10-60 seconds, or at least a shorter time than your regular unlocking frequency so there's a fair chance the threat actor doesn't have the option to use your finger. But then a fingerprint setup becomes useless to you in the first place.

            A lockdown timer would therefore either do the same as deactivating fingerprint unlock (if set to a low enough value) or it would be very unreliable and shouldn't be considered.

            I suggest you find a reliable solution that works for your threat model. The available features might be enough (blind shutdown, lockdown shortcut, duress pin, 2FA pin, auto reboot). If they are not, the solution would lie elsewhere than in an automated lockdown timer...

            Canardo_Sanchez the scenario would be to be forced to put your finger on the screen. You could cheese your way out by using the wrong finger (if you can) and lock the device, but that may add some unwanted tension to an already unpleasant situation.

            I guess I would have a timer between 30 min and 1 hour, but having as many options as the auto reboot feature would be great.

            I am still not understanding.

            The concern is somebody who could force your finger onto the sensor, but not force you to disclose or enter a PIN, but this person would wait 30 minutes for the timeout to expire before forcing your finger onto the sensor?

            Being intimidated into unlocking your phone is a negotiation, albeit a very unbalanced one, the aggressor still needs your compliance.

            (Well actually he would need none if he is determined to push your finger on the screen).

            In any case you want as little leverage (some would say attack surface) as possible and immovable goalposts, as every shift in an unbalanced negotiation might play against you. So having just a PIN is indeed the best option.

            Against thug: hope the proposed biometric timer ran out, not perfect but still better than maybe biometric+pin.

            Against police: if they are serious about looking into your phone they will detain you and see through it a bit later. The timer will work to your advantage.

            All in all this would stem from the same idea that brought the two-factor auth; biometrics are super handy but not secure enough.

            I think there may be some validity to the idea. This is around spending more time in a more secure state, intended to increase security on average, not solve every possible situation. I think it fits the pattern of auto reboot and auto disable of wifi and bluetooth. Biometric already does turn off after a timer, it's just quite long (can't remember, many hours to days), so it seems like the mechanism exists.

            Sometimes, I unlock my phone a bunch in a short time. Maybe I am using the map, and check it every few minutes. Maybe I am multitasking, doing something on my phone, or messing with music while I clean the apartment, and I want it to unlock easily. Then later, I have my phone on me but am not using it that often and a 30 minute timer would easily expire. Maybe I am driving somewhere that I don't need the phone to navigate, and I get pulled over by law enforcement. I don't want to reach into my pocket and mess with something, because then I worry they think I am going for a gun. In the US at least, passwords are protected by the first amendment and can't be compelled, while biometric is not protected, so you can see why it would be a better default state.

              areaman I think there may be some validity to the idea.

              Indeed there may be, but, again, lock-screen code is very complex and also risky to change. My hunch is that "some validity to the idea" is below the bar.

              To be concrete: even if this discussion resulted in several compelling detailed scenarios, my hunch is that any code for this would be at least six months in the future. This gives rise to an odd suggestion: maybe try the existing 2FA biometric+PIN code for a month. I realize that for people currently using just biometrics the biometric+PIN approach might seem as if it must be an impossible inconvenience. Indeed it would be some inconvenience. But it would also be a substantial security improvement. And after using it for a couple of weeks, many times per day, it might come to feel natural enough.

              By comparison, so far it seems as if making the biometric timeout configurable would improve security only a bit, and would require a code change that is at least months away, and might never come.