Concerns about feature forcing user to use primary unlock method every 48 hours

DeletedUser313

Shouldn't the security timer be independent from the time zone?

userofgos

I rarely, if ever, come across the 48h window where I need to type in my passphrase/pin to reset the counter.

I have a habit of taking note of how long my phone has been powered on without a reboot by swiping down for quick access > click icon of active apps > look at how long my VPN has been active

I don't like to see that number be over 36-72 hours, if it has been, I reboot to BFU, and then unlock to AFU and go about my day.

I don't know why or when I started doing this, but it just comes natural now.

brook

DeletedUser370 Availability is a core pillar in digital security. Every introductory textbook in security will explain the importance of system availability and elaborate on it in more detail. Securing digital systems is pointless if legitimate users of the system cannot access it. Increasing the chances of availability is arguably even more important for systems where legitimate users store data that is important to them, which most of those users will want to access on a daily basis. If the data suddenly becomes unavailable to them some people can restore from backups, but a restore can be time-consuming. Consider how often most people use their mobile devices, which sensitive information they store on it, and how much they value timely access to that information.

I appreciate the idea support and participation in discussion. In this sentence I see no Security improvements for me. Forcing user to enter password is, in fact, bad in many cases, because entering password is always a dangerous moment: shoulder picking, cameras, or simply finger marks on letters if phone is snatched right after. Also, it is not convenient and forces users to use short or simple insecure passwords.

The same goes for ssh: it's better not to enter password if other way of authorization is secure. Google and we consider fingerprint to be secure enough (because we use it), and not because of the 48hours timeout. This 48hours timeout is completely not helping with phone being seized and forcefully unlocked with fingerprint during the next hour. Also if user would enter password each morning the reason of having such timeout is exactly zero from security point.

So, I see no security improvements so far, only SECURITY problems, that are provided and undeniable.

DeletedUser370 f I forget the password to my unencrypted Windows system disk, I can rescue it by inserting a Linux thumb drive and copy the files to another disk. Or pay someone to do this if I don't know how. If I forget the password to my Google Pixel device, I am screwed.

How come? If you forgot your Veracrypt password you are 100% screwed, no booting to liveusb would help you. In case of gadgets - just keep your password protected in keepass on laptop, and never suffer from 48h-random moment problems, nor completely security-useless and painful every-morning routine.

DeletedUser370 On another note. The reason for the pin amnesia prevention feature has been clearly explained to you. It has been explained why GrapheneOS is hesitant in removing that feature.

It is NOT secure feature, it's the opposite, right? It adds no security, so let's call it a "force-memorizing-feature-that-reduces-security", and in this case I would 100% agree, and still desire that "feature" to become optional, so that users would be able to use secure passwords and not suffer.

P.S. I like the notification timeout idea, like user would know, but not obliged to enter this passwords in a crowd or on camera. Good idea.

Lilac6044 For the vast majority of users this is a non-problem. With the current time pressures GOS developers have, I think their time is better suited to A16 porting and maintaining current security features.

I am sure that:

Vast majority of GrapheneOS users have to enter their passwords at kind-of-random moments due to this problem. And BECAUSE OF THAT they use 4 digits PINs. So, Android (and GrapheneOS currently) with this unsolved problem (insecure approach) forces users to have the worst possible encryption settings. Yes, the root of problem is google engineer, the same as it was with 8/16 char limits, but GrapheneOS can solve it for all its users at once.
Yes, people are not eager to complain because entering 1111 pin is tolerable to them. So, not many posts on forum. Why this pin? See #1.
Can you compare the difficulty of porting system to A16 and just adding a toggle in settings to disable this insecure timeout? My proposal is like 100 times easier to implement and 98% of users would benifit from it. Or 1000 times easier, one-day task for developer that knows this system, like Daniel Micay.

I am sorry for tone guys, I love GrapheneOS and expect it to be my primary mobile OS for a long time. It's just that current password situation seems to me ridiculous and insecure, that situation kind of boils my head and make me speak too harsh, than I probably should.

DeletedUser370

brook In this sentence I see no Security improvements for me.

But it is not about you. It is about the whole Android user base.

brook How come? If you forgot your Veracrypt password you are 100% screwed, no booting to liveusb would help you.

I made it clear that in a situation of forgetting my password to my Windows account, the actual system disk is unencrypted. A Windows account password usually doesn't encrypt disk contents.

Why are you talking about Veracrypt? Do you really believe that most people use Veracrypt? Or password managers? Or any disk encryption software that requires manual setup?

brook It is NOT secure feature, it's the opposite, right?

I see your point about the feature putting users who cannot hide their pin entry at risk. And I am inclined to agree that having the option to delay – but perhaps not disable – pin entry reminders would be a good feature. But your responses lack any kind of nuance. The feature clearly has properties that ticks several boxes regarding the concept of security. The fact that you personally don't see it as a security feature, and that you personally see it as threatening the sensitive data on your device, does not nullify any security aspect. You also haven't considered that a lot of people are able to hide their pin from shoulder surfers without problems.

On your argument about leaving finger marks. These marks are left everywhere on the screen. Do you have any empirical evidence that forensic examination of fingerprint marks have led to the discovery of someone's unlock credentials?

And on your repeated point about shoulder surfing. I suspect that a lot of people simply raise their phone so close to their face while entering their pin that the risk of someone looking at their screen is very improbable.

Again on your concern about someone examining your fingerprint marks. GrapheneOS has a PIN scrambling feature which you can enable.

brook Vast majority of GrapheneOS users have to enter their passwords at kind-of-random moments due to this problem. And BECAUSE OF THAT they use 4 digits PINs.

You seem so sure in this assertion that I think it's reasonable to ask you to provide evidence of it. In my view it's a very thin argument. Why would people reduce their pin from the recommended 6 digits to 4 digits? Because of time consumption? Because every 48 hours they will waste barely an extra second by having to press two extra digits?

brook Yes, people are not eager to complain because entering 1111 pin is tolerable to them. So, not many posts on forum. Why this pin? See #1.

Dismissing the fact that barely anyone is raising this topic on the forum appears as though you are not at all keen to consider the possibility that most people might not have a problem with the pin amnesia prevention feature. A lot of people frequently post complaints on this forum (in a similar style of writing that you seem to have adopted). "Not many posts on this forum": from my unhealthy amount of reading on this forum over nearly two years, I have never seen a single post about someone reducing their pin complexity because of the pin amnesia prevention feature.

brook Can you compare the difficulty of porting system to A16 and just adding a toggle in settings to disable this insecure timeout? My proposal is like 100 times easier to implement and 98% of users would benifit from it. Or 1000 times easier, one-day task for developer that knows this system, like Daniel Micay.

This discussion is becoming increasingly arrogant. Are you Daniel Micay? Are you a developer with familiarity with AOSP code? How do you know that this is a one-day task to implement and test across several devices?

brook make me speak too harsh, than I probably should.

This I definitely agree with.

But seems kind of strange that you still are not considering using a reminder app to remind you, given the alarm you express at the forced pin entry feature. I know that you don't consider it a solution, but at least it seems like a workaround that will clearly benefit you.

GrouchyGrape

brook you are jumping to some extreme claims with zero data to back it up. @DeletedUser370 has been extremely kind in taking time to respond politely and professionally. While some of us may agree that disabling or delaying this reminder makes sense, the majority of your arguments are objectively wrong.

I suggest you accept that you're taking this way too far and making a much bigger deal about something than there needs to be. Lick your wounds and move on. Life is far to short to be freaking out about a 48-hour password reminder...

brook

GrouchyGrape you are jumping to some extreme claims with zero data to back it up.

How come? Do the situations in the first topic have place for majority of users who uses GrapheneOS?
Am I the only one who uses phone in bus, subway, shops? I do not think so. Or riding/running?

I see no zero data, nor extreme claims. Maybe my usage is a bit different than average GrapheneOS user, but for me those reasons are 100% valid and well-explained by me above. And I am sure it's the same for a lot of people, too. Even some people in this topic.

TrustExecutor

It may be an issue but hey, when I need to enter sensitive information like a password/PIN in public I just deliberately hide the screen towards my body just like you have to do on a shop payment terminal or an ATM. You can still make it hard enough for an adversary to get your password by just hiding your phone by your hand in those rare cases you get 48h timeout triggered just when there are cameras or people around. It's not like it happens every time.

DeletedUser313

TrustExecutor

Might be quite difficult with a 16char password with symbols and you probably look more conspicuous doing it like that. The main issue is those security cameras which are getting smaller and more advanced every year. Areas with ATMS have tons of cameras in my experience

lynatic

TrustExecutor just when there are cameras or people around. It's not like it happens every time

what you say only holds true in most western societies but in countries like China, there are cameras virtually everywhere if you don't literally live in the fucking desert.

also holding your screen close to your body will at best deter a pocket thieve but not any kind of state actor that has specialists trained to reconstruct your password from your finger/hand movements

brook

TrustExecutor when I need to enter sensitive information like a password/PIN in public I just deliberately hide the screen towards my body just like you have to do on a shop payment terminal or an ATM.

Do you actually use password at all? The buttons are tiny, it's not easy to correctly type in the password even in comfortable situation, while entering it with this "hiding" technique of yours with cameras around, people sitting next to you, or riding a bike or in a full bus - it's very hard, if impossible.

The problem is why must I enter password in the first place, I have fingerprint set, the real timeout of unlocking is not reached (GrapheneOS one), but this defective 48h google timeout kicks in and creates problems with zero security improvements (actually negative effect).

TrustExecutor You can maybe code up a solution and submit a pull request if it is very important for you.

I am not advanced in this OS and building ecosystem to make it good and fast. But others are. I cannot be good at every field, so I make the world a better place by creating own open source projects or committing code to ones I can.

phospmph The 48 hours timer for falling back to primary unlock is a reasonable balance between security, convenience and usability.

How come?

Nobody argues that fingerprint is MUCH weaker that proper password. The problem is that 48h timer is not adding any security

1) criminal or police can force you to put finger within a smaller time,

2) the auto-reboot timer in case of unlock is better in any way, and you can set it to like 10 hours without suffering.

Also this 48h timer forces users to use short pins instead of long proper passwords, so it's not adding any security for any "balance".

DeletedUser299 I know press the power button, turn off the screen, put the phone in a pocket and do it later.. OMG security problem averted.

You received something, it can be SOS-sms or something important. If you do not need a phone during the day, it's you user-case, that does not fit others.

Blastoidea It looks to me as if he’s looking for an argument, rather than a workaround, which he’s been given.

The workaround is no good. User still have to enter password daily and it is:

annoying,
time and energy consuming,
pushes user to use shorter and weaker password,
HAS NO SENSE in the first place, because a simple toggle to disable this faulty 48h timer would allow users to avoid all this mess and improve security.

Isn't it correct?

DeletedUser495 one to improve their security has either a choice to remove themselves from such harmful environment or restrict their actions (i.e. pretend they don't have a phone).

So, you are in a shop full of cameras and you get an SMS. It can be urgent, you may have to reply fast. Are you offering people to drop all shopped items, go to parking lot, set in car, unlock the phone to check that it's a SMS with ads?

I think this approach is not practical for a lot of people.
Do you use password yourself?

Open_Source_Enjoyer If you hold the power button, a menu opens, in this menu you can click on "Lockdown" which forces password/pin entry

I know it, as I said before in this thread, I would like to be able to lockdown without using touchscreen, like iphones (supposedly).

Open_Source_Enjoyer I think knowing this solves the problem.

No, it instead adds different problems. It's a painful workaround that almost no usual users would use.
"Solving the problem" would be making this timeout optional, maybe even off by default for better security.

JustBeginnez When I attempted to use my Pixel while on the subway, the 48-hour timer prevented me from using fingerprint authentication, leaving me unable to use my phone on the train.

Perhaps the issue lies in GrapheneOS not offering an option to opt out of this feature, similar to Aegis Authentication.

Exactly. Aegis app is a good example, that I wanting to provide, which solved this issue way better than google devs.

JustBeginnez However, I understand the importance of the 48-hour timer function, so I’m willing to accept this minor inconvenience.

Can you please explain to me the importance of this timeout?
Let's say you have a proper GrapheneOS locked-reboot timeout set to like 10 hours, what is importance of this faulty 48h/random timeout?
Because I really see no security improvements at all. The only plus is that you have recall you password every 48 hours, but it does not add security, only lessens it.

@DeletedUser313 @lynatic @stick4611 and others, you are awesome guys, thank you for your support.

TrustExecutor

You can maybe code up a solution and submit a pull request if it is very important for you.

phospmph

Adding more information on fingerprint unlock discussion. People should be aware that they leave their fingerprints on basically every objects they touch. This allows attackers to record the fingerprint from many places (including the phone) and use it to spoof the biometrics unlock. According to the Android documentation (https://source.android.com/docs/security/features/biometric/measure), the Spoof Acceptance Rate (SAR) for the strongest biometric class is up to 7%. That means the chance of an attacker to unlock the device using a spoofed fingerprint can be as high as 30% in 5 attempts, implying that pure fingerprint is a not a strong unlock method. Even when looking at False Acceptance Rate (FAR), it is 1 in 50,000 which is much larger than a random 6-digit PIN (1 in 1,000,000). It is also noteworthy to see that the timer to fallback to primary unlock method (PIN/passphrase) is required to be shorter for weaker class of biometric unlock security.

Therefore, one can argue that fingerprint unlock is more of a convenience feature with minor benefit of avoiding shoulder surfing (this can be partially mitigated by using a privacy screen protector, scramble PIN layout etc), and using a random 6-digit PIN without fingerprint unlock is more secure than that with fingerprint unlock (based on https://nitter.net/GrapheneOS/status/1877207130911985756). The 48 hours timer for falling back to primary unlock is a reasonable balance between security, convenience and usability.

DeletedUser313

DeletedUser299

And while you're at it, toss the phone in the trash to avoid all security problems OMG security problems averted it's not like you ever need the phone indoors or outdoors, so just bin it

phospmph

You can always trigger alphanumeric password mode in a pinch but you can't undo people recording your pin on cam

DeletedUser299

So 48 hrs have elapsed and your device wants you to input your pin/password. Commuters to the left of you, commuters to the right, people looking over your shoulder, cameras all about, oh what a dilema... I know press the power button, turn off the screen, put the phone in a pocket and do it later.. OMG security problem averted.

Blastoidea

It looks to me as if he’s looking for an argument, rather than a workaround, which he’s been given.

DeletedUser495

lynatic if you are so sure that the risk of revealing your primary unlock method is so high that it goes against your objectives, common sense should tell you to not attempt to unlock your device and leave it for later when the risk lowers. Your security is not only defined by the environmental conditions but also by your actions.

DeletedUser495

lynatic reconstruct your password from your finger/hand movements

https://grapheneos.org/features#pin-scrambling

DeletedUser313

DeletedUser495

I mean it's not as though 'common sense' dictates that there are times when we have to make an urgent message or a call, or whatever a phone is supposed to do in 2025. Just don't use it at all, throw it in the trash so we have no security issues to worry about. Our security is defined by our actions after all

I suppose to some people, those who use phones at the ATM are just playing Raid Shadow Legends, live-streaming themselves entering the PIN of their bank card or watching cooking videos

DeletedUser313

DeletedUser495

Does this only work on 6 digit PINs or also alphanumeric passwords?

DeletedUser495

DeletedUser313 I guess you know the answer, nevertheless it is a useful feature. It is better to think constructively.

DeletedUser313

DeletedUser495

No, it was not a rhetorical question, and speaking of 'thinking constructively' you and the other user might've done better by not assuming that users lack common sense. A little bit of critical thinking might have revealed why a phone might need to be used urgently and why telling them to just not use it is a ridiculous idea. It is frankly quite condescending and not constructive. Besides, even if PIN scrambling is enabled, if one uses it every day it would be just as as secure as a fingerprint or even less so. I often travel to areas with cameras everywhere, under buildings, in lifts, at traffic junctions, at bus stops, at train stations. It's only a matter of time before it gets fully revealed

DeletedUser495

DeletedUser313 one to improve their security has either a choice to remove themselves from such harmful environment or restrict their actions (i.e. pretend they don't have a phone). There is a difference between stubbornness and perseverance, especially when in comes to persevering in being stubborn. That hasn't yet helped anybody. Look for solutions, not just obstacles preventing you from finding them.

« Previous Page Next Page »