Good Day fellow Graphene Users,

I have an urgent request for information due to security reasons, which is:

I have a quite insanely secure passphrase which is inputted in my device around 20 times each day. I do this as my threat level is fairly high. I would like to receive information regarding the Fingerprint Unlock. I am using a long passphrase which is needed on every reboot, as I am aware it's like a full disk encryption password. So if I enable the fingerprint unlock option along with my long passphrase, is the fingerprint unlock option a secure method then?

If my device is powered off and then taken for forensics, would that fingerprint unlock be insecure then? Would it be any risk for me if my device was powered off and thus requiring my long passphrase? Can someone reactivate the fingerprint unlock somehow even after being powered off and thus allow the device to be unlocked with fingerprint? My threat level is fairly high; however, I use auto-reboot after 10 minutes of inactivity just to be sure in case I am caught off guard. My concern in the matter is that I have to type in my long passphrase like 20 times each day, and I go outside a lot and to public places, as well as eat lunch & dinner at restaurants that have CCTV, so I feel as if the fingerprint unlock would be a much safer method to unlock, as opposed to someone seeing my passphrase when I'm out in public. I would like information regarding the fingerprint unlock being somehow reactivated after reboot without the password first being typed in: is it possible that the police, say, can reactivate it somehow after reboot and force my finger on the screen as such? This has been my biggest concern with the fingerprint unlock. I am scared of my passphrase being recorded in public, as so many CCTV cameras have been installed everywhere. I think fingerprint unlock may be OK.

Device is Pixel 7 Pro

I think the reason why some (many?) people consider fingerprint unlocking unsafe is because there is a very simple way around it: people can simply force you to put your finger in the sensor. You have to balance that against the threat of having your passphrase figured out by cameras, likely more than the possibility of it being broken under forensics.

But you can have a bit of both worlds: set your main profile with fingerprint unlock and with enough stuff for some basic daily needs, and leave your more private activities in a profile that can only be opened with a passphrase, a profile that you won't open in public anyway.

Fingerprint unlock is not used for the first unlock after reboot. So if you set your auto reboot fairly short, this will mitigate some of the downsides to fingerprint unlock. There are other mitigation steps, as mentioned, using user profiles. Secondary user profiles are only accessible after unlocking the owner profile after a reboot. One other thing to consider is that inputting your password in public can be viewed and possibly recorded; this is where fingerprint unlock comes in handy.

I don't use fingerprint because I am worried about it getting stored in some (public) database due to a security breach or bug. If that's not your concern, I don't see many reasons not to use one. You have a quick shortcut to lockdown mode and even shutdown while locked (long press power button). So your threat model would have to include "someone forcing my finger on the sensor but I didn't have time to access one of the shortcuts in advance".

But recording the PIN/passcode in public is a risk for sure. PIN scrambling and a privacy screen can mitigate this to some extent. Using multiple profiles like Hb1hf suggested is a great idea as well.

Edit: Added information.

Cheers lads, thanks for the info. The long passphrase is on my Owner Profile. I am on the quarry about putting the fingerprint unlock on this profile, as the passphrase is long and unique and I have to type it in 20 or more times each day. Question on it: is there any way for law enforcement or a gov agency to enable the fingerprint unlock after the device is rebooted or shut down? Can they somehow enable the fingerprint unlock after rebooting it and thus not require the passphrase?