Feature Request: "Stealth pin"

kellerbeing

I'd like to propose the addition of a flexible PIN entry feature with seperate, customizable "input length" and "PIN length" settings in GrapheneOS to enhance pin security and protect against shoulder surfing.

Currently GrapheneOS requires users to input the full PIN to unlock the device. However, this feature would allow users to set:

• Input Length: The length of the input required for device unlock.
• PIN Length: The length of their actual PIN.

For example, if my 4-digit PIN is "1234," with this feature:

• Setting "Input Length" to 8 and "PIN Length" to 4 would allow unlocking by entering "56781234" or "12345678"
• Adjusting "Input Length" to 6 while keeping "PIN Length" at 4 would enable unlocking with "912347" since it contains the correct 4-digit sequence "1234"
• Now, with "Input Length" at 10 and "PIN Length" at 6, you could unlock the device by entering "9761234568" as it still includes the correct 6-digit PIN "123456"

While PIN scrambling is nice at a distance, this feature could "hide" the PIN reasonably well even from someone watching you directly unlocking your phone.

Whaddaya think?

Oggyo

kellerbeing For example, if my 4-digit PIN is "1234," with this feature:

• Setting "Input Length" to 8 and "PIN Length" to 4 would allow unlocking by entering "56781234" or "12345678"

Hmmm, but does this decrease the security? I mean you will have more than one valid PIN that can unlock the phone.

[deleted]

This isn't the place for feature requests. GitHub is. I recommend looking at the GrapheneOS issue tracker before posting a feature request to ensure you're not making a duplicate request.

kellerbeing

Got you! Apologies, I'll head over there to make a formal feature request, in case something like this hasn't been proposed yet. Still, I think this post could serve to discuss pros and potential cons. (if there are any that I'm not thinking of)

[deleted]

kellerbeing Wouldn't they still be able to unlock your device by entering the pin they saw you enter anyway, even if they don't know what the actual pin is? What would the benefit be if this wouldn't stop them from being able to unlock the device by just entering the longer pin they saw you enter while they were watching? Or am I missing some key piece?

kellerbeing

[deleted] Sorry for the screwed reply, didn't realize that "editing" a post only added text. Here as a legible reply: True, though this could potentially be mitigated by either randomizing "input length" (thus the onlooker wouldn't know with certainty which sequence would be required) or by blocking the previous "correct" string after entry (for any given amount of time or amount of repeat entries), no?

kellerbeing

True, though this could potentially be mitigated by either randomizing "input length" (thus the onlooker wouldn't know with certainty which sequence would be requireTrue, though this could potentially be mitigated by either randomizing "input length" (thus the onlooker wouldn't know with certainty which sequence would be required) or by blocking the previous "correct" string after entry (for anyTrue, though this could potentially be mitigated by either randomizing "input length" (thus the onlooker wouldn't know with certainty which sequence would be required) or by blocking the previous "correct" string after entry (for any given amount of time or amount of repeat entries), no?

Beyond that, even at a base level it would still provide increased security by forcing the onlooker to memorize a longer string, thus in essence making a "long PIN" (i.e. 6, 8, 10 or more digits) the default while only having to memorize a shorter pin as a user.d) or by blocking the previous "correct" string after entry (for any given amount of time or amount of repeat entries), no? given amount of time or amount of repeat entries), no?

de0u

kellerbeing It may be useful to state a threat model.

If one is concerned about nearby people but not video cameras, then the possible difficulty of people quickly memorizing a long string is relevant (though some people may be good at that).

But if somebody can play back video of a few unlocks a common substring will stand out.

kellerbeing

de0u This is true. However this weakness is inherent to PINs in general as a means of authentication, and I would still maintain that this feature would increase relative security. And against video surveillance I could see reasonable protection if coupled with the existing PIN scrambling feature, because cameras couldn't just replicate patterns, but would require the fidelity to actually make out the displayed digits during login. (realistic threat if subjected to targeted surveillance, less so if captured on CCTV)

kellerbeing

Oggyo Probabilistically yes, if brute force attack is a threat, though if input limits were set I would see a likely security gain on balance. But yes, of course relative gains and losses in security would be threat model-dependent.