Concerns about feature forcing user to use primary unlock method every 48 hours

JollyRancher

Or restart your device every day. Persistence is really hard on Android, so turning it off and back on is generally a pretty good security practice.

Do so every morning and you should never hit the timer.

DeletedUser313

JollyRancher

What do you mean by persistence?

I also wish there could be a workaround or a way to toggle password mode AFU manually instead

JollyRancher

DeletedUser313
An exploit that can persist beyond a reset.

Say you get infected with malware. Most of it can't worm its way deep enough into the system to remain active through a power cycle.

KleinesSinchen

brook Who on years would limit user's passwords to 8 or 16 chars?

Yeah, what is it with the 16 char limitation!? I've tried changing this with TestDPC on a non-GrapheneOS device… but it failed.

brook

Maybe some combination with power/volume buttons should be making the password entering forced (not possible on GrapheneOS, but possible on iphone?).

You can press the wrong finger on the sensor five times to disable secondary unlock.

brook

matchboxbananasynergy But it's not random, it's on a timer. I believe it's 48 hours.

Well, it should not happen at all. I will not forget the password, if I do, it would be my problem to get it back. Some google-incompetent guy should not decide for me and force me entering password in crowds or under dozen of cameras.
Your idea of entering it everyday to avoid this dumb timer to me looks too unpleasant. Thanks for idea, though.

KleinesSinchen Yeah, what is it with the 16 char limitation!?

Some google developer of android changed it to 16 chars like 5 years ago, saying that 16 chars SHOULD BE ENOUGH FOR EVERYBODY.
Previously it was 8 chars max for years. I think this whole situation is insane.

KleinesSinchen You can press the wrong finger on the sensor five times to disable secondary unlock.

I though about it, but five times is too much for being extorted. Better if user were able to use different finger once, and this finger would be recognized as lock-phone-now signal.

Once again, I see NO REASON to force entering password using timer that is not based on the last unlock. It's ridiculous and insecure due to the problems I presented in the first post.
Why not a timer from the last unlock? Not unlocked in X hours, requires password.

raccoondad

brook Well, it should not happen at all.

Its not secure, not only could you forget the password, the fingerprint authentication method is much less secure than the password.

Its also always required after reboot anyways, 48 hours is enough time to use your password once.

The solved label is there because they aren't going to remove the timer

KleinesSinchen

brook Why not a timer from the last unlock? Not unlocked in X hours, requires password.

That already exists in the form of auto-reboot.

The problem of biometrics being disallowed in the wrong moment is indeed solved by entering the passphrase once every morning. I've never encountered the 48h timer but once when testing (avoiding passphrase on purpose).

Forcing passphrase can be done by reboot/poweroff (press power a few seconds, tap reboot – or long press power).

brook

@matchboxbananasynergy can you please remove Solved label? It is not solved, I can tell for sure.

brook

raccoondad Its not secure, not only could you forget the password, the fingerprint authentication method is much less secure than the password.

Why is it not secure? Forgetting password should not be a reason, never.
And about firgerprint - is it secure to enter your PIN/password in the full bus of people? Or under camera? How can figerprint unlock in such situations be less secure?

If I want phone to be unlocked forcefully only using password, I would press the lock button manually. Random or semi-random request only provide problems, and make people use very short passwords and trivial PINs.

brook

raccoondad Its also always required after reboot

That is obvious and cannot be avoided, because the data is encrypted and at rest. Why would you mention it?

Open_Source_Enjoyer

matchboxbananasynergy But it's not random, it's on a timer. I believe it's 48 hours.

Therefore, all you have to do to avoid it is to enter your primary unlock method once a day, such as when you wake up or before you go to sleep, or whenever you get some time during the day, and you avoid being prompted to enter your primary unlock method at an inopportune moment.

Thank for the tipp, I think knowing this solves the problem.

raccoondad the fingerprint authentication method is much less secure than the password.

This can't be made as a general statement.
In scenarios that are described above, like being surrounded by people and/or CCTV, a fingerprint is moch more secure that a PIN/Password

other8026

brook Proposed solution:

Add an option to completely disable this random passwords check. Completely, no random asks at all, no "reminding". The user should know it and be able to refuse forced reminding in insecure situations.

brook Random or semi-random request only provide problems, and make people use very short passwords and trivial PINs.

brook this "lock at random and most inconvenient moment"

As matchboxbananasynergy already pointed out, being prompted for the primary unlock method isn't random, it's 48 hours (confirmed here).

I think it's like this for more than one reason. Matchbox pointed out one of them, but it can also a security thing. You can have a very secure primary unlock passcode. People leave their fingerprints everywhere and while I don't know for sure, I have a strong feeling fingerprints aren't as secure as a randomly generated 8+ word diceware passcode. It makes sense that the primary unlock method would be required every once in a while.

You're making it sound like this thing is designed to inconvenience you, which is not the case. Now that you know it's a timed thing from when you last unlocked your device using your primary unlock method, you now know how to avoid the situation you want to avoid.

GrapheneOS doesn't remove security features.

brook

KleinesSinchen That already exists in the form of auto-reboot.

True. I also thought the same! So, setting timer is not that much required in GrapheneOS (with awesome autoreboot feature).

But disabling this "lock at random and most inconvenient moment" is required.

KleinesSinchen Forcing passphrase can be done by reboot/poweroff (press power a few seconds, tap reboot – or long press power).

I would prefer some combination that can be pressed without using screen. But it's a different topic.

KleinesSinchen The problem of biometrics being disallowed in the wrong moment is indeed solved by entering the passphrase once every morning.

It's not solved for you, you just use a workaround. Why should user enter it each morning? What is the profit for user or security? None? Why not simply disable this annoying timer then?

KleinesSinchen

After thinking a few days about this quietly I finally want to answer to this part from way above:

brook It's not solved for you, you just use a workaround. Why should user enter it each morning? What is the profit for user or security? None? Why not simply disable this annoying timer then?

Thanks, but I can decide for myself if something is solved for me. "Just" using a workaround can be a valid solution. I have zero problems with entering it at the morning and occasionally logout a profile.
If there wasn’t 2FA on GOS allowing a PIN to increase security of fingerprint I would not use biometrics AT ALL because it is completely insecure by itself (can be forced).

My personal stance on this 48h timer is neutral. I see neither a benefit nor a disadvantage regarding security. No need for a crusade against it. And then there is the already mentioned very obvious reminder for people to memorize their primary unlock.
Yes, a lot of people will forget their PIN/password when using fingerprint only for weeks.
Yes, it is one's own fault if not having discipline in this regard but no doubt that those who are locked out will complain loudly when it happens.
And those susceptible for forgetting passwords will disable the timer if a toggle is offered.

Deciding to lower password complexity because of such a timer is a personal decision and not a mandatory consequence of the design choice (timer).

grayway2

brook how about profiles ? You can create a profile with a not very complicate password/pin for outdoor (navigation app, quick search on Vanadium ect.)

Owner profile and others profile with banking apps or private content will remain protected with a strong password.

I would not recommend to use your phone in public even with 2FA (cameras everywhere, thieves ect.)

You can always find a workaround

brook

grayway2 how about profiles ? You can create a profile with a not very complicate password/pin for outdoor (navigation app, quick search on Vanadium ect.)

Profiles is currently a bigger pain. Because they also ask passwords almost always when switching.

So, my Instant Messenger profile should be the most valuable (more than money), how should I use it? Have short 4 digits pin that I would enter showing everybody, or have a decent password and still have pain not being able to read the urgent message or reply because I has to enter 20 chars correctly while running or being in the subway?

grayway2 I would not recommend to use your phone in public even with 2FA (cameras everywhere, thieves ect.)

How should I read messages and emails then? Go home or a rest room each time, like 100 times a day?

grayway2 You can always find a workaround

The only solution is to provide option to disable this dumb timer, because it is lessen the security for everybody (except few people who enter their password each and every morning just to avoid this ridiculous timer from going on).

I should probably file a github issue for this problem.

DeletedUser495

brook how would you do this in stock environment or with any other device? Change your ways.

grayway2

brook as suggested by bananasynergy and others8026 unlock the concerned profile at least once a day.

You can also use a pixel 9 because of the ultrasonic fingerprint reader (less risk to have the fingerprint is not recognized)

You hands needs to be clean and dry for the fingerprint reader. During winter warm them first before trying to unlock the lock screen.

GrouchyGrape

brook you sound like a fun person. Just set your phone to reboot every night, enter your password once a day in the morning, and move on with life

brook

DeletedUser495 brook how would you do this in stock environment or with any other device? Change your ways.

I would use fingerprint. It's not as reliable, but enough for not being un-locked during auto-reboot period that would put data at rest with long and reliable/secure password. The problem is this insane timer that forces me to not use reliable and secure password.

other8026 It makes sense that the primary unlock method would be required every once in a while.

How come? Why exactly? Why not only when it is not in the user hands?

other8026 Now that you know it's a timed thing from when you last unlocked your device using your primary unlock method, you now know how to avoid the situation you want to avoid.

How? I do not want to enter long secure password everyday for no real reason (you provided none to my opinion).

other8026 GrapheneOS doesn't remove security features.

I showed cases when this defective "feature" RUINS the security.
Have you read the first post?

raccoondad

other8026 I have a strong feeling fingerprints aren't as secure as a randomly generated 8+ word diceware passcode.

From what I understand, one is proximity based on the stored data of your finger, while the other is a defined hash that's compared. Comparing a hash seems much more secure than the firmware analyzing the proximity of your finger to its saved fingerprint data and giving a yes/no.

Also, legally in the US, they can force you to use your fingerprint to unlock. Not your password (legally).

other8026

brook Have you read the first post?

yes

I don't think it's likely that the project will make the 48 hour timer configurable or add support to disable it. I found a request similar to the one you're making here and a developer said it's not going to be removed here: https://github.com/GrapheneOS/os-issue-tracker/issues/5242#issuecomment-2798376408

brook

other8026 thank you for the link. That's unfortunate.
I see it as [the developers] does not understanding the problem from some users perspective.

Mod note: removed a developer's name. GrapheneOS has multiple people working on it and to assume that the decision was made by one person is incorrect.

DeletedUser313

other8026

How about making it a voluntary prompt/reminder once every 48h, this way users will still use the password occasionally. It's true that fingerprints are less secure but we can still trigger password mode using the power button iirc. But yeah I don't think it's such a severe issue even though I do want it changed

As the other guy said, rebooting does help due to the persistence thingy anyway

brook

I don't think you'll want it to auto-reboot every 12 hours lol

brook

Hypothetically, let's imagine that I have a setting to disable this faulty timer.
And I set auto-reboot timer of GrapheneOS to 12 hours.

Can anybody provide a real example how security for me would be lower? Any scenario?

On the other hand, I provided several cases when having this timer lowers security by a lot, because entering long passwords in the bus or on camera IS NOT secure.
Also it forces to use shorter and more easy passwords.