Lock screen security

Sven

I have both fingerprint and scrambled PIN set up to unlock my Pixel 7. Is it possible to set it up so I "must" use both the fingerprint and the PIN to unlock it?

kopolee11

Check out the two-factor fingerprint unlock feature.

https://grapheneos.org/features#two-factor-fingerprint-unlock

Sven

kopolee11 Thank you. I had that set up. However you can bypass the fingerprint authorisation by just swiping then entering the PIN. Do you know if you can set it so that you can't bypass it?

KleinesSinchen

Fingerprint unlock can fail any time. Wet fingers. Working with cement. Injured finger… There are enough reasons for having an unlock method which works without biometrics at any time.

However, you can achieve resistance against shoulder surfing. Just set a long passphrase as primary unlock method in conjunction with 2FA fingerprint+PIN as secondary unlock.
Entering the passphrase once in two days is enough.

Sven

KleinesSinchen How do you set up the 2FA after the passphrase?

Murcielago

Sven

How do you set up the 2FA after the passphrase?

I guess what KleinesSinchen was trying to explain by saying

Just set a long passphrase as primary unlock method in conjunction with 2FA fingerprint+PIN as secondary unlock.

is that you have a primary unlock method (strong password) and 2-factor fingerprint unlock (which is fingerprint (first factor) + PIN (second factor) making it 2FA) set up.

It gives users the chance to set up a strong (diceware) passphrase as the primary unlock method and two-factor fingerprint unlock (fingerprint+PIN) as secondary unlock method.

source: https://grapheneos.org/features#two-factor-fingerprint-unlock

userofgos

Sven Instead of choosing PIN for your lock method, choose Password.

Sven

userofgos I did. I was not prompted to follow the 2FA after that.

userofgos

Sven I think you're misunderstanding how it works. See: https://grapheneos.org/features#two-factor-fingerprint-unlock (emphasize added)

GrapheneOS adds the option to require entering a 2nd factor PIN after successfully authenticating with a fingerprint on the lockscreen in order to complete unlocking the device. Since Android/iOS use biometric unlock as a secondary unlock mechanism for convenience, this allows users to make use of a strong passphrase as their primary unlock method with the convenience of a fingerprint and short PIN for secondary unlock. Failure to enter the correct PIN counts towards the standard attempt limit.

The Passphrase is your PRIMARY unlock method which is required to input every 48 hours. Fingerprint only, or Fingerprint + 2FA is only available as a SECONDARY unlock method and cannot be enforced as the only unlock method.

Example:

Power on phone
Phone is now BFU (before first unlock)
Enter Primary unlock method (passphrase or pin)
Phone is now AFU (after first unlock)
Lock screen
Secondary unlock method is now available (Fingerprint only, or Fingerprint + 2FA) - becomes unavailable after 5 failed attempts and defaults to Primary unlock
By design, even in AFU, you can swipe up from Lock screen to enter your Primary unlock

Sven

userofgos Z

userofgos Maybe so, but I find the GOS text vague and lacking in detail.
You've explained it in better detail though which I thank you for.
Do you have a link which advises how to set up as per your advice?

Novalissoide

Is this a reasonable interpretation of yours policy
@Murcielago & @userofgos
-- that you employ long & strong primary passwords. Is this out of concerns about the secure element? The project seems open to both stances;

GrapheneOS supports setting longer passwords by default: 128 characters instead of 16 characters. ----
This feature allows users to make use of diceware passwords if they don't want to depend on the security of the secure element which provides very aggressive throttling and offers a high level of security even for a random 6 digit PIN.

Is it correct to state that the choice between a 6 digit Pin, and a 48 character password comes down to each and every single user trusting or not trusting the security element?

Murcielago

Novalissoide

Is this a reasonable interpretation of yours policy
@Murcielago & @userofgos
-- that you employ long & strong primary passwords. Is this out of concerns about the secure element?

Since I am not an expert regarding your question, I too rely on the knowledge of those who are, and I would rather quote them than give my own two cents (and I obviously don't claim to speak for @userofgos ):

Our recommendation is to choose whether or not you want to rely on the secure element throttling (Weaver) and then proceed based on your decision.
[...]
Random 6 digit PIN is a baseline where you depend entirely on Weaver for security. Random passphrase can have enough entropy to be secure even without the hardware features. It should have at least around 90 bit entropy to be secure against any attacker.
[...]
Please bear in mind that the passphrase is turned into a key via scrypt key derivation and then further key derivation is done with other inputs including the random Weaver token. The final phase is hardware-bound key derivation. If an attacker can exploit the secure element (exploiting the bootloader does not help), they can bypass the Weaver throttling. If an attacker can extract the key from the SoC, they can perform the final key derivation on a server farm instead of only on the device. They still need to run the key derivation algorithms. Your passphrase is not used as a key but rather is the most important input for deriving the key encryption key used to encrypt a random disk encryption key.

7 random diceware words or 18 random lowercase letters / numbers are both slightly above 90 bit entropy. If you want to completely avoid depending on hardware, that's the baseline for what you should use. You don't need 128 bits of entropy for a random passphrase to be secure against any attacker, but you may want more than 90 bits. 128 bits is an extreme overkill value used to design encryption algorithms. Part of the reason for using an extreme overkill value is in case there are partial breaks of the algorithms reducing their security, which is not relevant to a random passphrase used as input for key derivation.

source: https://discuss.grapheneos.org/d/4049-security-from-bruteforce/66

Novalissoide

Murcielago Thank you so much for this. It's been nagging me, and it got a bit clearer now.

userofgos

Sven Do you have a link which advises how to set up as per your advice?

So in other words, you are still confused about this setup? It is already covered in the link I provided (though not explicitly step by step).

Step 1: Open Settings > Security and privacy > Device unlock > Screen lock > Password > input password (for best security follow the recommendation from GrapheneOS that was quoted by Murcielago)

Step 2: Open Settings > Security and privacy > Device unlock > Screen lock > Fingerprint > setup fingerprint > then go to Second factor PIN > input 6 digit pin

Sven

userofgos Not at all, there's just a lack of clear instruction. I'd like to know where you got the steps from to save me asking in future. I thank you for your help.

userofgos

Sven There's documentation on Google's support site: https://support.google.com/pixelphone/answer/2819522?hl=en

Sure it doesn't contain Step 2b (setting up a 2FA PIN with Fingerprint), but the documentation linked above points you in the right direction if you read further in the "More locks" section which links to: https://support.google.com/pixelphone/answer/6285273.

It's also the first thing the setup wizard asks you to do when you first setup any Google Certified Device as well as any AOSP based OS like GrapheneOS.

I don't think GrapheneOS should be expected to provide this documentation on their website if it's already documented elsewhere.

Sven

userofgos Thank you. I agree with your comment at the end. In future I'll look st Google's documentation should I get stuck again.