Concerns about feature forcing user to use primary unlock method every 48 hours

brook

nickster password timer has convinced me to reduce my 18 character password to a much shorter one

Yep, the same. The security was reduced due to this unsafe timer.

@other8026 you ask about examples (sample size). You can add one more case.
And there are exactly zero cases when this timer ever helped with security.

This timer should become optional, or even be disabled by default for everyone's security.

nologo

brook security was not reduced due to the timer, but due to the user's rather unwise decision to choose a shorter password. If the timer is a problem to the user, then there are much better and perfectly secure work arounds available (which have been suggested over and over again in this thread).

brook

nologo security was not reduced due to the timer, but due to the user's rather unwise decision to choose a shorter password.

No, it was reduced due to the timer only, as the author of comment @nickster (and I in my case) said from the first-hand experience.
If there were NO TIMER, the password would be stronger, and there would be no problems with long password.
Don't you see the logic?

nologo there are much better and perfectly secure work arounds available

Name those workarounds, please. Can you?
I see only ONE and it is silly and painful - to manually enter the long password EVERYDAY, just to fight this timer that adds NOTHING good to the user's security. What are those nice workarounds of yours?

nologo

brook the timer does not choose the password length. The user does.

The workarounds have been named. Personally, I don"t need them. The timer is not a problem to me at all.

DeletedUser370

brook It looks a bit insane that some people cannot see it.

People's opinions differ. It's that simple. It's not insane that people have different views on a topic.

brook I see only ONE and it is silly and painful - to manually enter the long password EVERYDAY,

Clearly people's pain tolerances also differ. And vastly so.

other8026

brook Turn logic on

brook Do not hurry, think a bit.

I'm going to have to ask you to please stop being rude to other community members. It should be clear by now that not everyone here agrees with you, but that's no excuse to be rude.

brook Except entering the password every day. that I mentioned in previous message and before, because it was already discussed and considered not good.

You decided it's "not good" for yourself. Other people have mentioned unlocking with the primary unlock method once daily, which leads me to believe they're: not bothered by it, unaffected because they end up using their primary unlock method once daily for some reason, or are affected but are fine with working around the timeout.

You have been consistently using inaccurate words to describe the timeout and other things in this thread. You have described the timeout as a "bug" when it isn't. You've described the timing of the timeout as "random" when it isn't even after you were told how it works. Here you are very vaguely saying that the "workaround" people are talking about is "considered not good." It's considered "not good" by whom? The way you wrote this can be interpreted different ways, but someone who hasn't been following this thread may interpret it as there's a general consensus that there's a flaw in the timeout or the advice you've been given. There isn't.

You have spoken of logic many times throughout this thread. I'd expect that someone who's claiming to be looking at the issue logically would at least do all of us the courtesy of using accurate words when describing the situation. Over one hundred posts into this thread, I'm almost certain you're doing this on purpose in an attempt to "win" this argument. Not to mention you lord the word "logic" over other people and have started to demean others by suggesting they aren't as good at following "logic" as you are, which seems that you are framing yourself and anyone who agrees with you as intelligent and others who don't as unintelligent.

brook logic

This is where I think you're running into issues here with your argument:

you set a long and secure passphrase
you don't want to use it seemingly ever
you're unwilling to take a small and simple step to unlock your device with the secure and complex passphrase at least once every 48 hours (you even complained about the suggestion to enter it only once "everyday" as you complained as recently as in this post brook)
you claim that using this long and secure password is so difficult that you and others may decide to make their long and secure passphrase shorter to to make it easier to enter

I see all this and can only conclude that you just don't like using a long and secure passphrase. You like the convenient fingerprint unlock and are tempted to use a weaker/shorter unlock method for, as far as I can tell, convenience. It seems safe to assume you don't want to use the primary unlock method at least once a day because you don't want to be inconvenienced.

You want the security of secure passphrase, but you actively complain about having to use the passphrase. They are annoying, sure, but they're still the best way to secure our devices, especially if you are worried an attacker can get around the secure element's throttling.

brook fight this timer that adds NOTHING good to the user's security

I took the time to poke around the related code, just to see what comments I could find, etc. Even if the fingerprint scanner is classified as Class 3 (which is referred to as a "strong biometric" in the code), there's still a constraint for when the OS will fall back to "primary authentication". The wording "non strong", "strong biometric", "strong" are all used in ways that have convinced me that security was on AOSP developers' minds when they added the timeouts. For example, here is where the default is set in DevicePolicyManager (since the official project account has said it's 48 hours, I'm assuming the hardcoded default is overridden. Maybe it's a per-device thing, or maybe there's some other reason. I'm not sure why, but it's not important). You can see the comment above that says (edited so it looks better on the forum):

Default and maximum timeout in milliseconds after which unlocking with weak auth times out, i.e. the user has to use a strong authentication method like password, PIN or pattern.

Ignoring the irony that they said that pattern unlock is a "strong authentication method," you can see that biometrics are being called "weak". Until now I have not felt confident enough to claim it's a security feature, but it sure looks like it's there for security reasons after poking around the code.

Again, to be extra clear, I am not someone who is involved in making these decisions or calls, but I very seriously doubt the project will flat out remove the timeout, I doubt they'll change the default behavior to disable the timeout, and I doubt they'll add a toggle to optionally turn off the timeout because it may be considered a security feature, but also because there are other way higher priority things to work on. If the behavior is changed in AOSP, it'll likely change in GrapheneOS. As far as I can tell, GrapheneOS has made no downstream changes to this particular functionality.

And one last thing: throughout all of the time that I've spent being active on this forum and within the community, you are the only person who has complained this much about the timeout. I'm not saying you're the only person who doesn't like it, but you are definitely the only one who has been so vocal about it. Even the others who've spoken against the timeout in this thread have just popped in to say they were affected by it and have left it at that. I'd suggest you look inward and really think about your complaints here and what you're trying to accomplish and how likely you're going to get changes landed in GrapheneOS by acting this way.

brook

nologo The workarounds have been named. Personally, I don"t need them. The timer is not a problem to me at all.

Сan you please name them, those workarounds? You said there are several, please name.
Except entering the password every day. that I mentioned in previous message and before, because it was already discussed and considered not good.

Quantum

This has got to be one of the laziest post on the forum. Not being able to type in ONE password each second day. Just let it go man. I hope the devs don't waste any resources on this bullshit.

In my country the police can force you to use your fingerprint to unlock your phone after a court has approved it.

My auto reboot is set at 18 hours. So they would have 18 hours to get it approved in court... or the 48 hour timer is less than 18 hours at that point giving them less time to act. For me it's a nice feature to have, and I'd solve this so-called problem by just typing in the password before the timer.

wizoatk

Quantum I hope the devs don't waste any resource

Not to worry, the first reply from development was direct:

The requirement is using the primary lock method 48 hours after the last successful primary unlock. You can refresh it by doing it again. We aren't going to remove the standard timeout.

brook

other8026 I'm going to have to ask you to please stop being rude to other community members.

OK, I agree and take these remarks back. Those were not intended to be rude as they can look, more like trying to convince. Sorry @nologo anyway.

other8026 You decided it's "not good" for yourself. Other people have mentioned unlocking with the primary unlock method once daily, which leads me to believe they're: not bothered by it, unaffected because they end up using their primary unlock method once daily for some reason, or are affected but are fine with working around the timeout.

Or they have short password. Or no password at all, like 4-6 digit pins instead.

The main problem that people like @nologo talk about some workaroundS, but none of them named any except manually daily entering password for no other reason than suppressing and avoiding this 48 timer. I ask several people and none of them named those "workaroundS". That is not a fair statements by them.

other8026 You have described the timeout as a "bug" when it isn't.

Well, for me it's the same as upsteam 8/16 char max length limitation for password. Is it a feature? Is it a security problem? Is it a bug? Chose yourself. I consider it to be a disaster. It was fixed by GrapheneOS, I hope the timer also would.

other8026 You've described the timing of the timeout as "random" when it isn't even after you were told how it works.

No, after the first post that stated that it's 48 hours - I agreed to believe in it and said about 48 hours a million times. But IT LOOKS random to the users. It's also a fact, because it happens at seemingly random moments (often when it is less convenient and safe to enter password). Why should it matter how it works inside, if for average user the moment is unpredictable (almost the same as random)?

other8026 It's considered "not good" by whom?

By me, and a few users just in this thread. People have changed the length of the password to shorter one due to this useless timer. It's a fact, we have such cases even in this topic.

other8026 you don't want to use it seemingly ever

No, not true.
I want it to use in cases:

Getting from reboot (when data is at rest).
When GrapheneOS auto-reboot timer works and saves my data by putting it at rest. It's a security measure.

Well, it's how it should work, this 48 hour timer is just a security problem that happens unpredictably for users.

other8026 you're unwilling to take a small and simple step to unlock your device with the secure and complex passphrase at least once every 48 hours

It would be even harder to keep track of 48 hours, so once 24 hours.

Yes, asking entering long password on awful android small keyboard is something I would love to avoid especially when it's COMPLETELY pointless from any security perspective. Is it not?

And yes, I would save 1-2 minutes a day, it's the same time we spend on our teeth each morning, it's a big deal not to be annoyed, knowing that this actions are made COMPLETELY FOR NOTHING.

other8026 you claim that using this long and secure password is so difficult that you and others may decide to make their long and secure passphrase shorter to to make it easier to enter

No, not "may decide", but "did decide": there are my and other examples in this thread.
Why "may", if it's a fact?

other8026 I'm not saying you're the only person who doesn't like it

Of course not the only one, there are a people just in thread.

Quantum In my country the police can force you to use your fingerprint to unlock your phone after a court has approved it.

So, set auto-reboot to 10 hours. It would be better in any possible manner. And you also can keep 48 hours timeout if you want (I propose toggle). But it does not mean that other people should be not able to disable timeout.

other8026

Someone creates an account to complain for 10 straight days about an upstream timer, doesn't engage with other threads, and has been constantly using misleading wording, accusing GrapheneOS for "forcing" users to do this or that, or having a "security" issue is all completely false.

The timer was added upstream. It's not a GrapheneOS feature.

Reboots aren't necessary to reset the timer. All you need to do is enter the primary unlock method once and the timer resets. 48 hours isn't that unreasonable.

As recently as April, it was decided that the timeout won't be removed.

Also, here are some quotes from matchbox's posts earlier:

matchboxbananasynergy We do not plan to change how this works at this time.

matchboxbananasynergy What needs to be understood for anybody who is claiming that this feature is useless, is actually an anti-feature etc. is that GrapheneOS has to be very careful with what we add, remove, or change for multiple reasons.

matchboxbananasynergy The other is that this forum does NOT represent anything remotely close to the majority of GrapheneOS users, and we cannot be persuaded by a loud minority to make changes before considering them.

matchboxbananasynergy A setting for this where the default behavior is the upstream one where users could adjust the timer or disable it if they choose is something that I could envision shipping at some point, but like I said, we have to prioritize. We cannot prioritize based on who causes the biggest fuss on the forum, but what will benefit all of our users the most.

There's also my massive post here other8026 where I make the argument that the timer can be considered to be an upstream security feature and link to the place where the maximum of 72 hours is set and the comment says:

Default and maximum timeout in milliseconds after which unlocking with weak auth times out, i.e. the user has to use a strong authentication method like password, PIN or pattern.

I'm not a developer for the project or a security expert, but I think given how AOSP developers talk about biometrics, it can be considered a security feature. It may seem redundant since GrapheneOS has auto reboot, which is 72 hours by default. But since the auto reboot timer resets for all unlocks, I would argue that the two timers complement each other, improving security.

It's understandable that the timer may be annoying to some people, but adding a toggle to optionally disable the timeout isn't likely to be a priority for the project. If the developers agree that it can be considered a security feature, they may further deprioritize or it would be even less likely to add a toggle at all.

I've locked the thread because I think everything that can be said has been said and OP has continued to use inaccurate wording making GrapheneOS look insecure because they simply don't like the timeout despite people calling them out for it, including myself. I or another moderator may choose to unlock it later.

GrouchyGrape

@brook I haven't slept in days, trying to figure out a solution to this very serious SECURITY issue.

At first I thought, just shred the phone and go off grid. So I tried it. Friends and family were not happy, so I got another phone and continued brainstorming.

Next, I thought about never taking my phone out of the house, but instead leaving it tethered with a cable in a dark closet where no one else could see it. Tried it when I took a trip to the grocery store. Came back to a frustrated wife who wondered why I didn't get any milk. She said she texted me right after I left. I guess that's not going to work. Back to the drawing board.

Ok, this next one seems strange, but bear with me. I sewed a secret pocket on the inside of my pants leg. Then, using a series a mirrors and toilet paper tubes, I created a sort of periscope that goes from my secret pocket, up my shirt and ends right at my chest. So when using my phone, I simply put my hand down my pants and look down my shirt. Now, there's no need to take my phone out at all! Brilliant!

After some preliminary testing, I will say that I get some strange looks while on buses, trains, etc... But it works! Next I'm going to a local police station to see it they can spy my password while I unlock it.

Wish me luck!

DeletedUser370

brook People have changed the length of the password to shorter one due to this useless timer. It's a fact, we have such cases even in this topic.

To anyone who has not read the whole topic.

The sample size for that is currently:

2 userofgos

brook Or they have short password. Or no password at all, like 4-6 digit pins instead.

Again with these baseless claims. Just because others are not like you and are unbothered by this 48-hour timer doesn't mean they have no care in the world for security. I chose to use GOS for the soul purpose of keeping my data private and secure, I wouldn't dare compromise that for such a minor inconvenience.

Quantum

@other8026 You shouldn't reply to him. He'll suck the life force out of you. You got better things to do than waste your time on this dude

KleinesSinchen

After thinking a few days about this quietly I finally want to answer to this part from way above:

brook It's not solved for you, you just use a workaround. Why should user enter it each morning? What is the profit for user or security? None? Why not simply disable this annoying timer then?

Thanks, but I can decide for myself if something is solved for me. "Just" using a workaround can be a valid solution. I have zero problems with entering it at the morning and occasionally logout a profile.
If there wasn’t 2FA on GOS allowing a PIN to increase security of fingerprint I would not use biometrics AT ALL because it is completely insecure by itself (can be forced).

My personal stance on this 48h timer is neutral. I see neither a benefit nor a disadvantage regarding security. No need for a crusade against it. And then there is the already mentioned very obvious reminder for people to memorize their primary unlock.
Yes, a lot of people will forget their PIN/password when using fingerprint only for weeks.
Yes, it is one's own fault if not having discipline in this regard but no doubt that those who are locked out will complain loudly when it happens.
And those susceptible for forgetting passwords will disable the timer if a toggle is offered.

Deciding to lower password complexity because of such a timer is a personal decision and not a mandatory consequence of the design choice (timer).

brook

KleinesSinchen Thanks, but I can decide for myself if something is solved for me.

I can decide, too. This workaround is not good enough: entering a long password on an awful small keyboard char by char (unlike I type on phone usually) with * instead of typed chars each and every day just to mitigate existence of 48-hour timer that adds zero security is not SOLVING it for me. And for many other people, too, I am sure.

KleinesSinchen My personal stance on this 48h timer is neutral. I see neither a benefit nor a disadvantage regarding security.

There are proven cases in this very thread that:

Passwords became weaker due to this timer solely. The people who changed it, said it.
There are a lot of situations when entering password or PIN in unpredictable moments (that also cannot be skipped when happen) is not secure: cameras, people around, driving and etc.

And you say that there are no disadvantages regarding security. I cannot understand that.

KleinesSinchen Yes, a lot of people will forget their PIN/password when using fingerprint only for weeks.

Reminder can be implemented properly, like in Aegis app. Not causing security problems for users as 48 timer does.
People can decide if they want to be harassed by reminder or if they can remember their password. Just make it optional.

KleinesSinchen those who are locked out will complain loudly when it happens.

Complain what? That they manually disabled forced timer that also can remind password and forgot it? You can enter a huge password now and forget it in less than 48 hours. Nobody really complains.

KleinesSinchen Deciding to lower password complexity because of such a timer is a personal decision and not a mandatory consequence of the design choice (timer).

Yes, it's not mandatory, but quite probable. People can continue to suffer and get annoyed by the timer, but here we have real people in this thread who did the most straightforward but unsafe solution:

nickster Honestly, I'm in the camp where the password timer has convinced me to reduce my 18 character password to a much shorter one. Much like forcing a user to change their password often reduces password complexity over time, forcing a user to do something inconvenient like this is going to reduce password complexity as well.

JayJay

So to conclude, if this affected user reboots his phone one time only at lets say 7AM when he is at home and he just woke up, or another fixed random time where he consider is a secure place. Then every 48 hours from that reboot moment he will be having to enter his password in that same location?

So why is it so hard for this affected user to just do this?

other8026

JayJay it's not necessary to reboot. All they need to do is use their primary unlock method and the timer will reset.

brook

JayJay if this affected user reboots his phone one time only at lets say 7AM when he is at home and he just woke up, or another fixed random time where he consider is a secure place. Then every 48 hours from that reboot moment he will be having to enter his password in that same location?

It was discussed several times. E.g. I explained why it's not a good enough workaround here:
https://discuss.grapheneos.org/d/22798-concerns-about-feature-forcing-user-to-use-primary-unlock-method-every-48-hours/142
Also you are not completely сorrect about how the timer works, I think. It counts from the last password unlock, not each 48 hours.

So, if you change user profile during the day, GrapheneOS will force you to use user password instead of fingerprint instantly in many cases (before reaching timeout). And the timer would be reset.

The same happens if you do sport and your finger is sweaty, you fail to unlock with fingerprint, entered the password and timer gets reset.

The next forced password request would be a unpleasant unpredictable surprise, because user would forget about this moment during next 48 hours. The next password request would be almost random to user.

~~Edited to change inaccurate wording (in brackets).~~

Edited again to original wording to correct the mistake in my first edit.

Matth

I also support that feature request.

Rebooting on a daily basis is a flawed solution. If you time it to be done during the night, you can't use the phone as an alarm anymore. My main profile is a secondary profile, which won't be running unless it has been started and unlocked first.
Timing the reboot any other time of the day, and it's highly likely that I'm not in a secure location.

And living in a big city with 4K facial recognition cameras literally everywhere, even entering my PIN code all the time after shifting profiles is a huge security issue.

While my threat profile is very low, I do feel uncomfortable and very exposed. So I'd totally vouch for an option to do without those forced password/PIN entering.

other8026

Matth Rebooting on a daily basis is a flawed solution

You don't need to reboot. Just use the primary unlock method and the timer is reset.

Matth time it to be done during the night, you can't use the phone as an alarm anymore

That's not the case if you have the alarm set in the owner profile. My phone is always in BFU when I wake up and the alarm has never failed to go off for me.

brook

Matth I also support that feature request.

Thank you for your support.
Thanks to all of people in this topic who spent time to explicitly support the proposal to fix this 48-hour timer problem that affects users' encryption security and UX.

Matth While my threat profile is very low, I do feel uncomfortable and very exposed. So I'd totally vouch for an option to do without those forced password/PIN entering.

True!
And most notably: all these discomfort and password leaking risks add completely NOTHING to the security of the phone. That's rather disturbing. I agree to suffer for greater good, but not in vain.

Simple, fast and trivial fix:

To add a toggle to disable this upstream 48-hour timer. GrapheneOS already has proper timer instead.

More advanced fix:

To add option to set time span for the timer (including 0 = disabled).

Even more advanced fix:

To add a way to remind and request password properly, not forcing user to leak the password to cameras at the moment. The same way as it's properly done in Aegis. This one can be harder to maintain and keep synced with upstream.

I am would be happy even with the simple issue fix.

« Previous Page