Concerns about feature forcing user to use primary unlock method every 48 hours

GrouchyGrape

@brook I haven't slept in days, trying to figure out a solution to this very serious SECURITY issue.

At first I thought, just shred the phone and go off grid. So I tried it. Friends and family were not happy, so I got another phone and continued brainstorming.

Next, I thought about never taking my phone out of the house, but instead leaving it tethered with a cable in a dark closet where no one else could see it. Tried it when I took a trip to the grocery store. Came back to a frustrated wife who wondered why I didn't get any milk. She said she texted me right after I left. I guess that's not going to work. Back to the drawing board.

Ok, this next one seems strange, but bear with me. I sewed a secret pocket on the inside of my pants leg. Then, using a series a mirrors and toilet paper tubes, I created a sort of periscope that goes from my secret pocket, up my shirt and ends right at my chest. So when using my phone, I simply put my hand down my pants and look down my shirt. Now, there's no need to take my phone out at all! Brilliant!

After some preliminary testing, I will say that I get some strange looks while on buses, trains, etc... But it works! Next I'm going to a local police station to see it they can spy my password while I unlock it.

Wish me luck!

wizoatk

Quantum I hope the devs don't waste any resource

Not to worry, the first reply from development was direct:

The requirement is using the primary lock method 48 hours after the last successful primary unlock. You can refresh it by doing it again. We aren't going to remove the standard timeout.

brook

other8026 I'm going to have to ask you to please stop being rude to other community members.

OK, I agree and take these remarks back. Those were not intended to be rude as they can look, more like trying to convince. Sorry @nologo anyway.

other8026 You decided it's "not good" for yourself. Other people have mentioned unlocking with the primary unlock method once daily, which leads me to believe they're: not bothered by it, unaffected because they end up using their primary unlock method once daily for some reason, or are affected but are fine with working around the timeout.

Or they have short password. Or no password at all, like 4-6 digit pins instead.

The main problem that people like @nologo talk about some workaroundS, but none of them named any except manually daily entering password for no other reason than suppressing and avoiding this 48 timer. I ask several people and none of them named those "workaroundS". That is not a fair statements by them.

other8026 You have described the timeout as a "bug" when it isn't.

Well, for me it's the same as upsteam 8/16 char max length limitation for password. Is it a feature? Is it a security problem? Is it a bug? Chose yourself. I consider it to be a disaster. It was fixed by GrapheneOS, I hope the timer also would.

other8026 You've described the timing of the timeout as "random" when it isn't even after you were told how it works.

No, after the first post that stated that it's 48 hours - I agreed to believe in it and said about 48 hours a million times. But IT LOOKS random to the users. It's also a fact, because it happens at seemingly random moments (often when it is less convenient and safe to enter password). Why should it matter how it works inside, if for average user the moment is unpredictable (almost the same as random)?

other8026 It's considered "not good" by whom?

By me, and a few users just in this thread. People have changed the length of the password to shorter one due to this useless timer. It's a fact, we have such cases even in this topic.

other8026 you don't want to use it seemingly ever

No, not true.
I want it to use in cases:

Getting from reboot (when data is at rest).
When GrapheneOS auto-reboot timer works and saves my data by putting it at rest. It's a security measure.

Well, it's how it should work, this 48 hour timer is just a security problem that happens unpredictably for users.

other8026 you're unwilling to take a small and simple step to unlock your device with the secure and complex passphrase at least once every 48 hours

It would be even harder to keep track of 48 hours, so once 24 hours.

Yes, asking entering long password on awful android small keyboard is something I would love to avoid especially when it's COMPLETELY pointless from any security perspective. Is it not?

And yes, I would save 1-2 minutes a day, it's the same time we spend on our teeth each morning, it's a big deal not to be annoyed, knowing that this actions are made COMPLETELY FOR NOTHING.

other8026 you claim that using this long and secure password is so difficult that you and others may decide to make their long and secure passphrase shorter to to make it easier to enter

No, not "may decide", but "did decide": there are my and other examples in this thread.
Why "may", if it's a fact?

other8026 I'm not saying you're the only person who doesn't like it

Of course not the only one, there are a people just in thread.

Quantum In my country the police can force you to use your fingerprint to unlock your phone after a court has approved it.

So, set auto-reboot to 10 hours. It would be better in any possible manner. And you also can keep 48 hours timeout if you want (I propose toggle). But it does not mean that other people should be not able to disable timeout.

DeletedUser370

brook People have changed the length of the password to shorter one due to this useless timer. It's a fact, we have such cases even in this topic.

To anyone who has not read the whole topic.

The sample size for that is currently:

2 userofgos

brook Or they have short password. Or no password at all, like 4-6 digit pins instead.

Again with these baseless claims. Just because others are not like you and are unbothered by this 48-hour timer doesn't mean they have no care in the world for security. I chose to use GOS for the soul purpose of keeping my data private and secure, I wouldn't dare compromise that for such a minor inconvenience.

Quantum

@other8026 You shouldn't reply to him. He'll suck the life force out of you. You got better things to do than waste your time on this dude

KleinesSinchen

After thinking a few days about this quietly I finally want to answer to this part from way above:

brook It's not solved for you, you just use a workaround. Why should user enter it each morning? What is the profit for user or security? None? Why not simply disable this annoying timer then?

Thanks, but I can decide for myself if something is solved for me. "Just" using a workaround can be a valid solution. I have zero problems with entering it at the morning and occasionally logout a profile.
If there wasn’t 2FA on GOS allowing a PIN to increase security of fingerprint I would not use biometrics AT ALL because it is completely insecure by itself (can be forced).

My personal stance on this 48h timer is neutral. I see neither a benefit nor a disadvantage regarding security. No need for a crusade against it. And then there is the already mentioned very obvious reminder for people to memorize their primary unlock.
Yes, a lot of people will forget their PIN/password when using fingerprint only for weeks.
Yes, it is one's own fault if not having discipline in this regard but no doubt that those who are locked out will complain loudly when it happens.
And those susceptible for forgetting passwords will disable the timer if a toggle is offered.

Deciding to lower password complexity because of such a timer is a personal decision and not a mandatory consequence of the design choice (timer).

brook

KleinesSinchen Thanks, but I can decide for myself if something is solved for me.

I can decide, too. This workaround is not good enough: entering a long password on an awful small keyboard char by char (unlike I type on phone usually) with * instead of typed chars each and every day just to mitigate existence of 48-hour timer that adds zero security is not SOLVING it for me. And for many other people, too, I am sure.

KleinesSinchen My personal stance on this 48h timer is neutral. I see neither a benefit nor a disadvantage regarding security.

There are proven cases in this very thread that:

Passwords became weaker due to this timer solely. The people who changed it, said it.
There are a lot of situations when entering password or PIN in unpredictable moments (that also cannot be skipped when happen) is not secure: cameras, people around, driving and etc.

And you say that there are no disadvantages regarding security. I cannot understand that.

KleinesSinchen Yes, a lot of people will forget their PIN/password when using fingerprint only for weeks.

Reminder can be implemented properly, like in Aegis app. Not causing security problems for users as 48 timer does.
People can decide if they want to be harassed by reminder or if they can remember their password. Just make it optional.

KleinesSinchen those who are locked out will complain loudly when it happens.

Complain what? That they manually disabled forced timer that also can remind password and forgot it? You can enter a huge password now and forget it in less than 48 hours. Nobody really complains.

KleinesSinchen Deciding to lower password complexity because of such a timer is a personal decision and not a mandatory consequence of the design choice (timer).

Yes, it's not mandatory, but quite probable. People can continue to suffer and get annoyed by the timer, but here we have real people in this thread who did the most straightforward but unsafe solution:

nickster Honestly, I'm in the camp where the password timer has convinced me to reduce my 18 character password to a much shorter one. Much like forcing a user to change their password often reduces password complexity over time, forcing a user to do something inconvenient like this is going to reduce password complexity as well.

JayJay

So to conclude, if this affected user reboots his phone one time only at lets say 7AM when he is at home and he just woke up, or another fixed random time where he consider is a secure place. Then every 48 hours from that reboot moment he will be having to enter his password in that same location?

So why is it so hard for this affected user to just do this?

other8026

JayJay it's not necessary to reboot. All they need to do is use their primary unlock method and the timer will reset.

brook

JayJay if this affected user reboots his phone one time only at lets say 7AM when he is at home and he just woke up, or another fixed random time where he consider is a secure place. Then every 48 hours from that reboot moment he will be having to enter his password in that same location?

It was discussed several times. E.g. I explained why it's not a good enough workaround here:
https://discuss.grapheneos.org/d/22798-concerns-about-feature-forcing-user-to-use-primary-unlock-method-every-48-hours/142
Also you are not completely сorrect about how the timer works, I think. It counts from the last password unlock, not each 48 hours.

So, if you change user profile during the day, GrapheneOS will force you to use user password instead of fingerprint instantly in many cases (before reaching timeout). And the timer would be reset.

The same happens if you do sport and your finger is sweaty, you fail to unlock with fingerprint, entered the password and timer gets reset.

The next forced password request would be a unpleasant unpredictable surprise, because user would forget about this moment during next 48 hours. The next password request would be almost random to user.

~~Edited to change inaccurate wording (in brackets).~~

Edited again to original wording to correct the mistake in my first edit.

Matth

I also support that feature request.

Rebooting on a daily basis is a flawed solution. If you time it to be done during the night, you can't use the phone as an alarm anymore. My main profile is a secondary profile, which won't be running unless it has been started and unlocked first.
Timing the reboot any other time of the day, and it's highly likely that I'm not in a secure location.

And living in a big city with 4K facial recognition cameras literally everywhere, even entering my PIN code all the time after shifting profiles is a huge security issue.

While my threat profile is very low, I do feel uncomfortable and very exposed. So I'd totally vouch for an option to do without those forced password/PIN entering.

other8026

Matth Rebooting on a daily basis is a flawed solution

You don't need to reboot. Just use the primary unlock method and the timer is reset.

Matth time it to be done during the night, you can't use the phone as an alarm anymore

That's not the case if you have the alarm set in the owner profile. My phone is always in BFU when I wake up and the alarm has never failed to go off for me.

brook

Matth I also support that feature request.

Thank you for your support.
Thanks to all of people in this topic who spent time to explicitly support the proposal to fix this 48-hour timer problem that affects users' encryption security and UX.

Matth While my threat profile is very low, I do feel uncomfortable and very exposed. So I'd totally vouch for an option to do without those forced password/PIN entering.

True!
And most notably: all these discomfort and password leaking risks add completely NOTHING to the security of the phone. That's rather disturbing. I agree to suffer for greater good, but not in vain.

Simple, fast and trivial fix:

To add a toggle to disable this upstream 48-hour timer. GrapheneOS already has proper timer instead.

More advanced fix:

To add option to set time span for the timer (including 0 = disabled).

Even more advanced fix:

To add a way to remind and request password properly, not forcing user to leak the password to cameras at the moment. The same way as it's properly done in Aegis. This one can be harder to maintain and keep synced with upstream.

I am would be happy even with the simple issue fix.

other8026

Someone creates an account to complain for 10 straight days about an upstream timer, doesn't engage with other threads, and has been constantly using misleading wording, accusing GrapheneOS for "forcing" users to do this or that, or having a "security" issue is all completely false.

The timer was added upstream. It's not a GrapheneOS feature.

Reboots aren't necessary to reset the timer. All you need to do is enter the primary unlock method once and the timer resets. 48 hours isn't that unreasonable.

As recently as April, it was decided that the timeout won't be removed.

Also, here are some quotes from matchbox's posts earlier:

matchboxbananasynergy We do not plan to change how this works at this time.

matchboxbananasynergy What needs to be understood for anybody who is claiming that this feature is useless, is actually an anti-feature etc. is that GrapheneOS has to be very careful with what we add, remove, or change for multiple reasons.

matchboxbananasynergy The other is that this forum does NOT represent anything remotely close to the majority of GrapheneOS users, and we cannot be persuaded by a loud minority to make changes before considering them.

matchboxbananasynergy A setting for this where the default behavior is the upstream one where users could adjust the timer or disable it if they choose is something that I could envision shipping at some point, but like I said, we have to prioritize. We cannot prioritize based on who causes the biggest fuss on the forum, but what will benefit all of our users the most.

There's also my massive post here other8026 where I make the argument that the timer can be considered to be an upstream security feature and link to the place where the maximum of 72 hours is set and the comment says:

Default and maximum timeout in milliseconds after which unlocking with weak auth times out, i.e. the user has to use a strong authentication method like password, PIN or pattern.

I'm not a developer for the project or a security expert, but I think given how AOSP developers talk about biometrics, it can be considered a security feature. It may seem redundant since GrapheneOS has auto reboot, which is 72 hours by default. But since the auto reboot timer resets for all unlocks, I would argue that the two timers complement each other, improving security.

It's understandable that the timer may be annoying to some people, but adding a toggle to optionally disable the timeout isn't likely to be a priority for the project. If the developers agree that it can be considered a security feature, they may further deprioritize or it would be even less likely to add a toggle at all.

I've locked the thread because I think everything that can be said has been said and OP has continued to use inaccurate wording making GrapheneOS look insecure because they simply don't like the timeout despite people calling them out for it, including myself. I or another moderator may choose to unlock it later.

« Previous Page