Concerns about feature forcing user to use primary unlock method every 48 hours

brook

About examples of people revealing their PIN unintentionally. I remember a case when some celebrity (raper?) showed this iphone PIN. It was 1111 or 111111 if I am not mistaken.

The problem was the same - the unlocking using PIN was necessary in public place.

One may say: it's a celebrity, a lot of people are watching them.
But in reality usual users reveal passwords or parts of passwords in the same way very often, it's just not getting to newspapers.

So, this security problem should be solved, and unsafe timeout made optional, if used at all. The GrapheneOS timeout should be used instead in all cases.

DollyRags

If this feature is added it would help address some of your concerns with entering the pin in an unsafe environment. Tiny text you need to put close to your eyes + random layouts could provide pretty good protection.

https://github.com/GrapheneOS/os-issue-tracker/issues/4541

brook

DollyRags well, this feature looks nice, especially for pins (while for passwords the keyboard is already too small to enter password reliably in certain situations).

But the real issue here is this useless timer asking for password/PIN in the first place.
For no actual reason, adding problems and lessening the security drastically.

raccoondad

brook But the real issue here is this useless timer asking for password/PIN in the first place.
For no actual reason, adding problems and lessening the security drastically.

Someone mentioned you complaining just to complain, and at this point, I have to agree.

There is no way you can't find time to input your password once every 48 hours.

This is just not a real security issue, I don't really understand the reason of this complaint at all. Especially when given actual solutions.

brook

raccoondad what are "solutionS"? You are rude and misleading.

In this topic nobody shown any security reason for this insane timer existing in the first place. Only that it reminds user their password, it's no about security, obviously. I can remember my password without this bug-feature.
Some people like you or @DeletedUser495 who probably does not even use passwords, talk about some "solutions" while actually the topics provides no solutions and only ONE ugly workaround - to enter passwords daily instead of every 2 days at the morning. Probably using additional calendar reminder.
And this workaround is awful and disturbing because there is actually no reason what so ever to enter password in the morning compared to situation that this timer would be simply disabled or optional. What are SOLUTIONS you are talking about?

lynatic

raccoondad This is just not a real security issue, I don't really understand the reason of this complaint at all. Especially when given actual solutions.

/s/solutions/workarounds

Yes you can work around this antifeature with light-medium inconvenience depending on how your week is planned. Feels kinda like stock again, always having to work around the stuff that Google broke and doesn't bother to fix...

brook

And thanks to moderator for modifying the title of the topic, now it better reflects the situation. I would also still mention that the "concerns" here are "SECURITY concerns", that I hope GrapheneOS would address faster. It's not UX or usability concerns, it's real password leaking scenario for all users who use passwords.

JustBeginnez

Now that we have a Second factor PIN and an Auto reboot timer, the 48-hour timer appears to be a security risk (the risk of the passcode being seen when going out).

Nevertheless, this risk may be reduced if the automatic restart timer is set shorter than the sleep time!

The 48-hour timer seems to make sense, and the reboot timer reduces this security risk, so, I think, no problem.

lynatic

JustBeginnez

I'm not sure whether I understand the argument here. You write about the timer being an security issue, then somehow conclude it's fine and no problem because it can be worked around? What's the reasoning there?

Also another factor: It seems a lot of you prefer putting the device in BFU over night(/once every day). This is very reasonable in most threat models but shouldn't be the only supported scenario. Say e.g. you have some convoluted dead-mans-switch that involves your phone and has to do operations on the subset of a profiles data. This would only work AFU, every minute you stay in BFU increases the risk of the switch not firing here. Other example: Disabled people. If you have motoric difficulties, typing a long passphrase can be a real problem and you'd want to replace it by the 2FA fingerprint feature as much as possible. The workaround here would be to choose a weaker primary unlock, however I feel forcing disabled people to either compromise on usability or on security is kinda unfair.

brook

@DeletedUser495: you are so ridiculous it's scary. Grab your life by the neck, shake it up and tell it, you are the one who's in charge. Stop blaming others for your mistakes, take responsibility for your behaviour are life will be for you what a nectar is for a hummingbird. I am getting tired of this forum and narratives that are being pushed without shame and any backlash stifled in its beginnigs. Shame on you mods!

Dear @DeletedUser495, if you have nothing technical to add to the discussion, please just write nothing.
You desire to teach other people how to live, "take life by the neck" and so on - is rude and is not appreciated at all. Thank you.

JustBeginnez Now that we have a Second factor PIN and an Auto reboot timer, the 48-hour timer appears to be a security risk (the risk of the passcode being seen when going out).

That's right. This timer is a security flaw that migrated to GrapheneOS from google upstream.

JustBeginnez Nevertheless, this risk may be reduced if the automatic restart timer is set shorter than the sleep time!

The phone would be physically off during night. In case of emergency you would be out of reach to help. I do not think that fits everybody's life. I would like 12h timeout for autoreboot-when-not-unlocked that we have in GrapheneOS.

JustBeginnez The 48-hour timer seems to make sense, and the reboot timer reduces this security risk, so, I think, no problem.

I also do not understand this twist in your message. It does not come from previous text, or I fail to get it. Which sense? What's the profit of it existing in GrapheneOS?

DeletedUser299 Not this user, I am grown up enough to put the phone down, and input the pin/password when its convenient and more private...

It's not about being grown up. Maybe you just do not have elderly relatives, kids or other scenarios when YOU HAVE to read SMS, or message, or something. You do not need something (like being able to use phone at any moment) does not mean everybody does not need it, too.
Also, you have to go to private place to unlock your phone for ZERO technical/security reason. There is no reason for you to do that if this timer would be possible to disable.

brook

Can anybody actually step-by-step provide ANY example how 48hours timeout helps security or anything at all, except making user remembering the password better?

DeletedUser299

brook if you are going to answer your own questions, I'm going to play elsewhere...

JustBeginnez

brook

The possibility of being prompted for a password at inappropriate times due to a 48-hour timer could be eliminated by Reboot timer. For instance, if I enter the password in the morning when I wake up, I won’t be prompted for it during the day due to the 48-hour timer, thereby reducing the risk of someone observing my password input.

GrouchyGrape

How on earth did anyone survive before cell phones? It truly is a miracle...

brook

JustBeginnez yes, but we discussed this hack-around multiple times, it does not solve the root of the problem and still makes user's experience worse and security lower.

Let's say you do this procedure everyday in the morning. I have a question: why are you doing it? Only to fight this bug-feature-timer, right? So, you have to meticulously enter your long password each morning just for one reason - because it is not possible to disable this ugly timer.
Why not make it possible to disable and make this 48h timer optional?

Reboot timer in GrapheneOS, on the other hand, is a different and MUCH SUPERIOR approach, that actually improves security, unlike 48h-timer. Because reboot timer counts from the last successful unlock. So it would NOT interfere you for years, unless you lost your phone or it was seized. If this case timer would lock the phone and put data to rest quickly, e.g. in 10 hours. Once again 48h-timer would have no positive effect even in this case.

What's wrong with this logic?

JustBeginnez

brook

I think your logic is correct. However, the resources available to GrapheneOS developers are limited, and we can't expect to improve the 48 hour timer which doesn't affect security for most people.
(I think the risk of being asked to enter a password outside is eliminated with a reboot timer every morning.)
So for now, let's abandon convenience for security and reboot every morning.

matchboxbananasynergy

brook The thread has the "solved" tag because it was responded to. A workaround was provided so that you don't have to enter your password while you or anybody else is out in public, and the logic for keeping this setting was provided. We do not plan to change how this works at this time.

other8026

Someone creates an account to complain for 10 straight days about an upstream timer, doesn't engage with other threads, and has been constantly using misleading wording, accusing GrapheneOS for "forcing" users to do this or that, or having a "security" issue is all completely false.

The timer was added upstream. It's not a GrapheneOS feature.

Reboots aren't necessary to reset the timer. All you need to do is enter the primary unlock method once and the timer resets. 48 hours isn't that unreasonable.

As recently as April, it was decided that the timeout won't be removed.

Also, here are some quotes from matchbox's posts earlier:

matchboxbananasynergy We do not plan to change how this works at this time.

matchboxbananasynergy What needs to be understood for anybody who is claiming that this feature is useless, is actually an anti-feature etc. is that GrapheneOS has to be very careful with what we add, remove, or change for multiple reasons.

matchboxbananasynergy The other is that this forum does NOT represent anything remotely close to the majority of GrapheneOS users, and we cannot be persuaded by a loud minority to make changes before considering them.

matchboxbananasynergy A setting for this where the default behavior is the upstream one where users could adjust the timer or disable it if they choose is something that I could envision shipping at some point, but like I said, we have to prioritize. We cannot prioritize based on who causes the biggest fuss on the forum, but what will benefit all of our users the most.

There's also my massive post here other8026 where I make the argument that the timer can be considered to be an upstream security feature and link to the place where the maximum of 72 hours is set and the comment says:

Default and maximum timeout in milliseconds after which unlocking with weak auth times out, i.e. the user has to use a strong authentication method like password, PIN or pattern.

I'm not a developer for the project or a security expert, but I think given how AOSP developers talk about biometrics, it can be considered a security feature. It may seem redundant since GrapheneOS has auto reboot, which is 72 hours by default. But since the auto reboot timer resets for all unlocks, I would argue that the two timers complement each other, improving security.

It's understandable that the timer may be annoying to some people, but adding a toggle to optionally disable the timeout isn't likely to be a priority for the project. If the developers agree that it can be considered a security feature, they may further deprioritize or it would be even less likely to add a toggle at all.

I've locked the thread because I think everything that can be said has been said and OP has continued to use inaccurate wording making GrapheneOS look insecure because they simply don't like the timeout despite people calling them out for it, including myself. I or another moderator may choose to unlock it later.

matchboxbananasynergy

What needs to be understood for anybody who is claiming that this feature is useless, is actually an anti-feature etc. is that GrapheneOS has to be very careful with what we add, remove, or change for multiple reasons. One is maintenance cost of changing things, which is something we have to take into account for every monthly, quarterly and yearly port. The other is that this forum does NOT represent anything remotely close to the majority of GrapheneOS users, and we cannot be persuaded by a loud minority to make changes before considering them. We have hundreds of thousands of users to worry about, and a change to this would affect them all. It includes people who are at greater risk of forgetting their primary unlock method, and this feature helps with that. To degrade that over stock, we need to have a good reason, and we would need to consider it very well before implementing it.

Outright removing this is likely never going to happen, unless it happens upstream. Having a setting for this while having it off by default is also similarly unlikely to happen.

A setting for this where the default behavior is the upstream one where users could adjust the timer or disable it if they choose is something that I could envision shipping at some point, but like I said, we have to prioritize. We cannot prioritize based on who causes the biggest fuss on the forum, but what will benefit all of our users the most.

P.S. For the people who are saying "just don't use your phone"; you're not doing anybody any favors. Phones are a fundamental part of daily life for the vast majority of the population in the western world. Whether people can afford to enter their primary unlock in public is a different story, but telling them to delay using their phone after i.e. receiving a notification where they need to communicate with someone doesn't help and is quite frankly out of touch with reality. Entering your primary unlock method once every morning or before you go to bed, isn't.

brook

matchboxbananasynergy We have hundreds of thousands of users to worry about, and a change to this would affect them all. It includes people who are at greater risk of forgetting their primary unlock method, and this feature helps with that.

I completely agree with that. It's very unfortunate when something is changed or gets broken, something what you've been using and get used to. That's why I offer this timer to be optional, even ON by default. Like additional Toggle in Security settings, something like Disable 48-hour PIN/password requests. So that only people looking for settings would use it after manually turning it on.

Anyway, I am happy that I, as well as other users in this topic, was heard and kind of supported in your statement (if I got it right).
Of course, task priority should be up to the Team, but I'm glad that you kind of agreed that current upstream 48-hour timer can indeed be anti-feature, damaging security for some of us.

I hope it would be eventually solved in GrapheneOS. I do not care for google upstream.
If it does, please mention it in this topic, so we would be notified :)

faxe I use a privacy screen protector and pin scrambling to ensure shoulder surfing is less of a problem when unlocking my device in public and for the rare moments when I have to type out my password in public I have an separate keyboard with a custom "weird" layout installed to make it even more difficult to guess the password, should the camera footage ever be analyzed.

Wow, custom "weird" unlocking keyboard is a big deal, a lot of effort, interesting.

faxe

I have rarely experienced over the last 5 years that I had to enter my pw because of the 48h timer. I usually have set auto reboot to 4h to ensure the phone is in bfu when waking up, since that's usually when police knocks, should they someday get a search warrant. I secure my phone with a 8 word diceware passphrase and use fingerprint + 2FA PIN for convenience. I use a privacy screen protector and pin scrambling to ensure shoulder surfing is less of a problem when unlocking my device in public and for the rare moments when I have to type out my password in public I have an separate keyboard with a custom "weird" layout installed to make it even more difficult to guess the password, should the camera footage ever be analyzed.

privacyisconsent

faxe I secure my phone with a 8 word diceware passphrase and use fingerprint + 2FA PIN for convenience. I use a privacy screen protector and pin scrambling to ensure shoulder surfing is less of a problem when unlocking my device in public

Would you mind sharing the privacy screen protector provider you are using? Also, is this with a 9th generation Pixel?

« Previous Page Next Page »