Concerns about feature forcing user to use primary unlock method every 48 hours

matchboxbananasynergy

brook Of course, task priority should be up to the Team, but I'm glad that you kind of agreed that current upstream 48-hour timer can indeed be anti-feature, damaging security for some of us.

I would be more inclined to call it that and push for change if it wasn't so trivial to overcome (by entering it once per day or 1.5 days). You can argue that it feels silly to do that when you could just never have to input your primary unlock method outside of reboots, but I'm not sure I agree with that for the aforementioned reasons.

What I did agree with you and other people who are on your side on, though, is that people telling you that you should just postpone using your device and that this isn't a big deal is out of touch. People here can't possibly know what someone uses their device for and how important being able to access it at any given moment is.

brook

matchboxbananasynergy I would be more inclined to call it that and push for change if it wasn't so trivial to overcome (by entering it once per day or 1.5 days).

I kind of agree. I cannot judge what most people think about this workaround of entering password manually daily, maybe it's fine for some, but I can say about myself. I am not a lazy person, and yet I still doubt I would use this workaround, as entering the password even more often (instead of only when needed, like updates and reboots) is too much for me for some reason :(
Once again, I cannot say, if others are really fine with this workaround, or not.

brook

other8026 It makes sense that the primary unlock method be entered every once in a while, and 48 hours isn't an unreasonable amount of time.

I read your post, but did not find the logical explanation, why it make sense? What is the scenario exactly when it helps at all? Except reminding user the password that can be made in different manner, not lowering the security and giving the password away to cameras and people around.

other8026 There's also this claim that being "forced" to enter the primary unlock method in public is bad for the security of the device. No it isn't. The device is still quite secure, probably more so since fingerprints can't unlock the device. To say that the feature affects device security isn't at all accurate.

The security is affected in this logical chain:

User have to enter primary unlock password/pin in public due to this 48-h timer as you said.
User is showing to cameras and people the password or parts of it (even if moving in the shop or rotating in the bus).
User is motivated to have shorter and weaker password and pin because it is not easy to enter it correctly in many situations.

=> Passwords are leaked and passwords are shorter/weaker, all because of this 48-hour timer.
How come it is not affecting security then?

Also timer does not add any security at all, only reduces it, as I see it.

other8026

brook I read your post, but did not find the logical explanation, why it make sense?

It's the owner's primary unlock method. Entering it every once in a while proves the owner is still the one using the device. And 48 hours is not really that short of an amount of time.

brook The security is affected in this logical chain:

What I mean is the device by itself is still secure whether the timeout is there or not. In your example, the user does something that exposes the primary unlock method to the outside world. That's the device owner's doing, not the feature's.

In other words, would you still claim the feature makes the device less secure if the timer runs out when you're safe at home with no cameras around? I don't think so.

brook passwords are shorter/weaker, all because of this 48-hour timer.

Can you please share your source for this claim? I get the feeling that most people don't care or even think about it all that much.

brook at some point

That comment was posted less than two months ago. I can't imagine much has changed since then that would make anyone change their minds. Also remember the things that matchbox said about making downstream changes that have to then be maintained.

brook Because it's OK to reconsider things, to listen to the new arguments and change opinion.

I am not sure there are any new groundbreaking arguments that weren't considered in the first place. Either way, the forum is a better place to discuss these things.

brook I decided something once, I am never wrong, I will never reconsider.

Sorry, I don't mean to be rude, but after tons of posts going back and forth about this topic, I don't get the feeling you've considered the other side yourself.

brook I see no logical reasons for this 48-h timer not to be optional, in case user uses auto-reboot GrapheneOS shorter timer. But I see logical reasons to make it optional.

To be clear, I'm not someone who makes decisions for the project. That said...

I feel that only a very small number of people would appreciate a toggle, but I personally think it would be a waste of resources for the developers to go through the trouble of developing and maintaining such a toggle because it would only benefit a small number of users. Adding a toggle may be easy, or it may be much more difficult than you'd expect. Still, the pros don't outweigh the cons if you ask me.

brook

other8026 Again, there was already a request to remove the 48 hour timer and a developer said it's not going to be removed. I saw someone say that they were thinking about putting in a feature request in the issue tracker for this. I'd ask that you not waste the developers' time when you can already see an answer elsewhere in the issue tracker.

Thanks for the link. Another point I would like to make:

OK, similar proposal of making 48-hour timer optional was made and was rejected by Daniel at some point.
But I strongly disagree with the opinion that this matter should not mentioned or raised as a ticket again. Because it's OK to reconsider things, to listen to the new arguments and change opinion.

Otherwise it's a bad strategy: I decided something once, I am never wrong, I will never reconsider.

Please, reconsider, re-read the arguments.
I see no logical reasons for this 48-h timer not to be optional, in case user uses auto-reboot GrapheneOS shorter timer. But I see logical reasons to make it optional.

Blastoidea

Jesus Christ!

It is beyond my understanding how some can rail against a non-existent problem, while in possession of an easy solution.

brook

other8026 It's the owner's primary unlock method. Entering it every once in a while proves the owner is still the one using the device. And 48 hours is not really that short of an amount of time.

But it would make sense only if timer would be forced for any state of the phone. It would make certain that device would not be used by non-owner for longer than 48 hours.

But in reality the situation is DIFFERENT. The implementation from google is working only on LOCKED device. So, if the criminal or police get your device they would simply not allow it to get locked. There are very cheap special devices for that. So they would use the device for month without any issues and without owner.

Am I right? I can be wrong on this easily.

So, if I am right with this assumption, then what is the point of this timer if it does not prove the owner is still using the device as you said?

other8026 What I mean is the device by itself is still secure whether the timeout is there or not. In your example, the user does something that exposes the primary unlock method to the outside world. That's the device owner's doing, not the feature's.

OK, now I got your point. You are right, the correct statement from me would be: this timer does not affects security of the device, nor OS itself, but only user's security due to the process of using password being different when timer exists or not.

other8026 Can you please share your source for this claim? I get the feeling that most people don't care or even think about it all that much.

I have only 2 sources:

Own experience. I made password shorter, because it is not possible to enter it in some situations like running, riding, driving and etc. So, I have to use shorter passwords or pins instead of passwords ONLY because of this timer. I would love to have long password and enter it on reboot and updates, but I cannot.
Logic. I mean, it seem logical to me, that other people that have similar issue (who uses password on GrapheneOS) may choose the same bad path as I did.

other8026 That comment was posted less than two months ago. I can't imagine much has changed since then that would make anyone change their minds.

I read the link. The author was not providing the reasoning and arguments well enough, not as should (as I tried to do here).
So, I understand why it could be chosen not to implement something for one person, something that seemingly make device less secure. I do not blame Daniel for such decision in such situation.

other8026 Sorry, I don't mean to be rude, but after tons of posts going back and forth about this topic, I don't get the feeling you've considered the other side yourself.

Maybe you right, I should try better to consider counter-arguments.
On the other hand, I think I am open to such arguments. The problem is that most of arguments here were that:

I should enter the password daily and it's fine to avoid the issue instead of solving it (good workaround, but not exactly what I am asking for),
I should not worry about this too much and live different life,
I should not use phone in public places and unlock it in a different place.

All these arguments are not ones that I agree on. I understand them, take into consideration, but only first one makes sense (as a workaround), and still not enough.

other8026 Still, the pros don't outweigh the cons if you ask me.

Do you personally use password? Or rather long PIN? If you do, how do you personally mitigate this problem with a timer? Enter password in inappropriate situations, or really each morning reboot the phone or use password/PIN unlock manually?

I see no good options for all users, that's why I would expect this toggle to benefit a lot of people (if they are offered this toggle to be turned on for example).

other8026

brook So, if the criminal or police get your device they would simply not allow it to get locked.

True, and you're right.

brook it does not prove the owner is still using the device as you said?

Suppose the assumption is the owner will lock their device, but it's true that there may be cases where they fail to do so.

brook Own experience.
brook Logic. I mean, it seem logical to me, that other people that have similar issue (who uses password on GrapheneOS) may choose the same bad path as I did.

So a sample size of one person and your assumption that other people will act the same as you have because they have the same problems with the timeout as you?

I've been a pretty active member of the community for a while now, and I can't say I recall anyone ever caring about the timeout. I didn't even know it existed for the longest time because I restart my phone regularly.

brook The author was not providing the reasoning and arguments well enough

Well, they basically made the same point.

brook how do you personally mitigate this problem with a timer? Enter password in inappropriate situations, or really each morning reboot the phone or use password/PIN unlock manually?

I either restart my phone before bed or auto reboot does it for me. Unlike you, I don't need to be able to receive calls while asleep.

brook

other8026 Suppose the assumption is the owner will lock their device, but it's true that there may be cases where they fail to do so.

I am talking about locked device that you are forced or tricked to open with fingerprint. Or fingerprint being cracked as an easier thing to crack compared to 50 chars password.

In this case GrapheneOS's auto-reboot timeout (e.g. 10h) can help, if fingerprint unlocking would be possible to avoid for the first 10 hours. While 48h timer would not help at all, because it's a magic number 48h (unchangeable) and too big to help, so I still cannot get the scenario when it would actually help instead of causing problems.

In case of device being unlocked on retrieving, both GrapheneOS and 48h timer are both useless, as device would not ever be locked again for months.

So, both cases, this 48h timer would not help at all.

other8026 So a sample size of one person and your assumption that other people will act the same as you have because they have the same problems with the timeout as you?

Yes. I have no survey results or anything bigger.

On the other hand, the only password/Pin users that are not affected by this problem are ones that reboot device often (like daily). I do not know how many people do that (like you do).
All other suffer in one way or another due to the 48h timer, even if they do not call it suffering.

other8026 Well, they basically made the same point.

Yeah, but not convincingly and with different angle. Well, I still have hope this problem and whole 48h timer approach would be reconsidered.

other8026 I either restart my phone before bed or auto reboot does it for me.

Well, so you are OK with entering long passwords daily. But probably for different reason: to keep device offline and BFU, not because some 48h timer wants you to.

faxe

brook Wow, custom "weird" unlocking keyboard is a big deal, a lot of effort, interesting.

Yeah it's also not something I'd recommend for the majority of threat models since it's quite extreme and (gladly) never really has been of value for me (yet), but it's a precaution I use on my secondary "work device" which I only take outside if I really have to since that's the device that usually carries sensitive data.

lynatic

Hmm from what I see being posted by the devs most of the time, they seem to be pretty busy with the A16 porting situation + their lead being drafted into military. I can very much understand why they don't view this as a priority in the near future.

Still, could you please consider adding this suggestion (add a toggle to disable the 48h timeout) to the "feature suggestions for better times when we have more resources"-list instead of outright dismissing it? I just don't see anything fundamentally wrong with this suggestion. Imo this undermines the 2FA unlocks "anti-shouldersurfing"-concept enough to be generally relevant to GrapheneOS, not AOSP. This interferes with a Graphene feature that is not present in AOSP, so Google will probably never do anything about it (unless they upstream the 2FA unlock lol).

Alternatively, at least warn the 2FA users about it in the documentation so they don't get caught by it off-guard.

brook

lynatic Still, could you please consider adding this suggestion (add a toggle to disable the 48h timeout) to the "feature suggestions for better times when we have more resources"-list instead of outright dismissing it? I just don't see anything fundamentally wrong with this suggestion.

lynatic Imo this undermines the 2FA unlocks "anti-shouldersurfing"-concept enough to be generally relevant to GrapheneOS, not AOSP. This interferes with a Graphene feature that is not present in AOSP, so Google will probably never do anything about it (unless they upstream the 2FA unlock lol).

I cannot agree more with these 2 points, I support them completely.

yore I don't think it's fair for anyone to be called out here but Google as I believe they're the ones behind this feature so if you really want this removed, my best bet is that Google/AOSP developers are the right people to contact.

There are several reasons why it should be better addressed in GrapheneOS and not Google Android (upstream):

GrapheneOS has its own timer that is not present in Google Android. This timer works way better than upstream 48-h timer. So, while this 48-h timer adds some minor security to upstream Android, it does not add anything to GrapheneOS, only add problems with unlocking safely and securely.
Google Android does not care about encryption security. It took years for them to increase password limit from 8 (!!!) to 16 chars. And now it's only 16 max for many years, too. Kind of ridiculous. So, they are not going to do anything because of users' problems, unless upper-management puts such task to them. GrapheneOS on the other hand cares about security, lock authentication and encryption, and users. It increased the hard-coded password length by a lot.
Google Android is targeting different audience, some people are not liking options and toggles. In GrapheneOS user can customize a lot with additional (not-upstream) toggles and I find it great, it's way better than hard-coded ugliness like 8 char password limit or 48-hours for unavoidable and not-customizable timer from upstream that most users have to get used to.

grayway2

It's now ridiculous. This is really an unnecessary feature. The thread should be closed.

lynatic

grayway2 man if you just want to be a negative nancy without providing constructive criticism, please vent on Twitter

privacyisconsent

faxe I secure my phone with a 8 word diceware passphrase and use fingerprint + 2FA PIN for convenience. I use a privacy screen protector and pin scrambling to ensure shoulder surfing is less of a problem when unlocking my device in public

Would you mind sharing the privacy screen protector provider you are using? Also, is this with a 9th generation Pixel?

faxe

privacyisconsent I don't really remember, I just took a random one that was decent looking while still being affordable on amazon and it's a Pixel 6.

RockHyrax

privacyisconsent I have been using Spigen Tempered Glass Screen Protector GlasTR EZ FIT since I unboxed my phone. No complaints aside from it makes your screen a tad bit darker so I find myself manually adjusting the screen brightness a lot in dark settings.

privacyisconsent

RockHyrax

In your experience, does it work with fingerprint unlock?

yore

While I personally don't find the 48-hour timer to be an issue for me at all, I can sort of see where you're getting at.

Now I can't speak on behalf of anyone, but even if this issue was raised again, keep in mind the project is already preparing for the release of Android 16 and they have higher priority work to focus on. Things have further become difficult with one of the key developers' unavailability due to being drafted into a war.

The project account even announced they will need to remove certain features to quicken the release, as every change/deviation from the AOSP code is an extra task requiring maintenance and more testing. Even a seemingly small change can have far-reaching effects that need to be properly studied before anything could even be considered.

We have to remind ourselves GrapheneOS is a non-profit and the developers have previously worked overtime for us users. I don't think it's fair for anyone to be called out here but Google as I believe they're the ones behind this feature so if you really want this removed, my best bet is that Google/AOSP developers are the right people to contact.

RockHyrax

privacyisconsent yes. it reads it almost as if I do not have a screen protector on

« Previous Page Next Page »