GrapheneOS has a nice feature where you can use both the fingerprint and a short passcode to avoid having to type out your longer/more valuable password all the time. Seems like a good solution to the problem.
Also, iirc iphones have this feature where if you appear to be under duress, it will refuse to unlock and disable face id. Is this true?
Graphene also has a kind of workaround to add fingerprint duress:
>GrapheneOS improves the security of the fingerprint unlock feature by only permitting 5 total attempts rather than implementing a 30 second delay between every 5 failed attempts with a total of 20 attempts. This doesn't just reduce the number of potential attempts but also makes it easy to disable fingerprint unlock by intentionally failing to unlock 5 times with a different finger.
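As an added illustration (not GrapheneOS code and not part of the comment above), a small Python model of the two lockout policies the quote describes, assuming one scan per second and that the user waits out each 30 s throttle window:

```python
"""Model the two fingerprint-unlock lockout policies quoted above.

Constructed example: stock policy = 20 total attempts with a 30 s delay after
every 5 failures; GrapheneOS policy = 5 total attempts, after which fingerprint
unlock is disabled until the passcode is entered. Timing is simplified and the
code is illustrative only, not the actual Android or GrapheneOS implementation.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutPolicy:
    name: str
    max_attempts: int             # failures before biometrics are disabled
    delay_every: Optional[int]    # failures between backoffs (None = no backoff)
    delay_seconds: int = 30


STOCK = LockoutPolicy("stock", max_attempts=20, delay_every=5)
GRAPHENE = LockoutPolicy("grapheneos", max_attempts=5, delay_every=None)


@dataclass
class SensorState:
    policy: LockoutPolicy
    failures: int = 0
    wait_until: float = 0.0       # clock time at which scans are accepted again
    disabled: bool = False        # True once only the passcode can unlock


def attempt(state: SensorState, now: float, matches: bool) -> str:
    """Apply one scan at time `now`; return 'ok', 'fail', 'throttled' or 'disabled'."""
    if state.disabled:
        return "disabled"
    if now < state.wait_until:
        return "throttled"        # inside the stock policy's 30 s backoff window
    if matches:
        state.failures = 0
        return "ok"
    state.failures += 1
    if state.failures >= state.policy.max_attempts:
        state.disabled = True     # passcode now required; fingerprint unlock off
        return "disabled"
    if state.policy.delay_every and state.failures % state.policy.delay_every == 0:
        state.wait_until = now + state.policy.delay_seconds
    return "fail"


def time_to_disable(policy: LockoutPolicy) -> float:
    """Wall-clock seconds to exhaust the policy by failing on purpose (1 s per scan)."""
    state, now = SensorState(policy), 0.0
    while not state.disabled:
        now = max(now, state.wait_until)   # wait out any throttle first
        attempt(state, now, matches=False)
        now += 1.0
    return now
```

With these assumptions the GrapheneOS policy is exhausted in 5 seconds of deliberate wrong-finger scans, while the stock policy takes 107 seconds and keeps accepting scans in between.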
The first phone I used with Graphene was a Pixel 4XL. It didn't come with a fingerprint sensor. If I remember correctly, the longest lockout period was still really short, like 5 mins or something. It was rather annoying to constantly have to put in your unlock code when you wanted to use or check something on the phone.
Loved Graphene, and the Pixel worked flawlessly, but man, that unlock thing drove me nuts more than a few times.
Though with all the devices GrapheneOS supports, there are only two fingers you can plausibly use with the device: the thumb, usually on your dominant hand. It is quite awkward to be using anything else.
> Also, iirc iphones have this feature where if you appear to be under duress, it will refuse to unlock and disable face id. Is this true?
heh it would suck to be beaten with a wrench to unlock your phone and, finally, to make it stop you relent but then the phone is like "nope, sorry. if you're gonna be dumb you gotta be tough".
If you’re worried about wrench attacks then you’re already in a situation where encryption won’t help you. They may beat you anyway if they don’t find what they’re looking for on the phone, or they may just kill you for being a nuisance to power.
> Also, iirc iphones have this feature where if you appear to be under duress, it will refuse to unlock and disable face id. Is this true?
Sort of: if you hold the buttons on both sides of the phone for about three seconds, it will bring up the Power Off/SOS screen. You do not need to interact with that screen, just display it. Easy-peasy, you can do it with the phone in your pocket. Once that screen is displayed, it requires a passcode to unlock the phone. The courts have determined that the passcode is protected by the 5th Amendment, but biometrics are not.
It would be useful imho if an option was available for the phone to automatically enter this mode if separated for more than X seconds from a paired watch or airtag, or with sufficient vibration/acceleration (throw or stomp it). Similar adversarial defense as the phone rebooting after three days [1]. Perhaps part of Advanced Data Protection.
Not legal advice. Having a trusted contact remotely wipe the device is also a potential option with appropriate iCloud creds and a message passed [2], assuming the device is not powered down or kept in a physical location blocking internet/cellular channels.
Given that my Apple Watch throws alerts when I leave a device behind (“mikestew’s iPhone was left behind at $PLACE”), it would be just one more step to flip that “no biometrics” bit. I’m assuming that those APIs are not available to 3rd party devs, so I can’t write my own.
GrapheneOS by default auto-reboots after 18 hours. You can reduce it much further, to as little as 10 minutes. This deletes the keys from memory and prevents a whole range of AFU attacks that sometimes happen.
The iPhone has never had such a feature _exactly_.
However on iPhones that have the Emergency SOS feature biometry is disabled until you enter your passphrase/code when that feature is invoked.
Biometry is also disabled until re-authentication if you invoke the shutdown menu by holding the power/power+volume up button.
Neither of those will get you to the Before First Unlock state, however. That is the ideal if you are attempting to protect access to your phone’s data in any adversarial scenario. You must restart/shut down the phone to get back to that.
Same applies to iPads.
There may be vulnerabilities, of course. In Before First Unlock there is not enough cryptographic material available in memory to decrypt application data. The full set of keying material is both user and device specific.
I don't think any rational discussion about privacy can be had without first describing exactly what your definition of "privacy" is in this specific context, AND you must define a threat model. Otherwise we can't know if the vendor is even relevant to what they care about.
Privacy from what? From a determined government and court system? Nothing is going to keep you private from that. From your peers and family? Apple and Google keep you private in that regard. As for the world of privacy in between those extremes: it depends.
> From a determined government and court system? Nothing is going to keep you private from that
While there's always https://xkcd.com/538/ there are not currently quantum computers that can factor 4k RSA keys, so the court can order whatever it wants, unless they have a way past that (which may involve variations of xkcd 538), they ain't getting shit out of a properly configured digital safe. (construction of said safe is left as an exercise to the reader.)
Most of us (reporters included) aren't protecting anything with our lives, not just because of a survival instinct, but because what we're protecting isn't actually worth that much.
For the relative handful who are custodians of that sort of data, history suggests a smaller minority than they'd like to admit have a readily achievable breaking point. The true believers who are left then are a minority that's hardly impossible to track and subvert through attacks that don't involve decryption on a device.
The point of that XKCD wasn't to be THE SINGULAR EXAMPLE, it's sort of a Zen Koan for people who only think in terms of technical risks and solutions.
It's not quite settled whether the FBI is able to demand you to decrypt data for now. If this becomes widespread enough, they might try to get SCOTUS to decide this, which may or may not end privacy once and for all.
Can't you then be charged for interfering with the investigation or deleting evidence? It’s not like law enforcement will be “damn, we’ve been outsmarted, let’s move on”
(To be clear I’m not in support of anything close to the current state of affairs and wish we had way stronger privacy rights even in the case of police investigations)
My fingerprints regularly fail to get recognized, across multiple scanners. If you can be charged for doing it "accidentally on purpose", then I can be charged for doing it even if I were innocent.
A better strategy would be to configure multiple profiles and when they ask you to unlock your phone you use the pin that unlocks the boring one.
We just need a UX which makes it impossible to know how many profiles a phone has configured. Not some kind of sneaky hidden mode that you can be labeled a terrorist for having enabled, just that's how it works--you have to know a profile exists in order to log into it.
Of course it's not going to stand up to forensic scrutiny, but that's not what the feature is about anyhow.
For an organization, a better strategy is to never store anything of value on the phone, and have a remote server in a safe place. The phone acts as a thin client to access server. The key in turn is easy to hide in a plausibly-deniable way or simply memorized. The server can also revoke the key, rendering it useless even if it is revealed at a later date.
This is famously used by Uber to protect their systems from the French police, for instance.
Without exception, biometrics should be in addition to a password, never the only method. Just because it's constantly sold as a convenience alternative doesn't make it right.