2-factor fingerprint unlock + 80% charging limit features coming to GrapheneOS

UPDATE STATUS: RELEASE 2024123000 NOW AVAILABLE IN STABLE CHANNEL

GrapheneOS has officially announced that 2-factor fingerprint unlock is fully implemented and coming to the next release of GrapheneOS. X or X Cancelled.

Massive respect to the team for their incredibly hard work. This huge update is a fantastic way to end a great year of GrapheneOS development. I can’t wait for what they have in store for next year.

Other features include:

  • 80% charging limit with bypass charging
  • Allow disabling DCL via Storage by default
  • Increasing threads for pre-compilation of apps (reason why updates take longer on GrapheneOS)
  • Much more, full patch notes below

22 Likes

Truly awesome. This feature could make a lot of difference for those who need it.

8 Likes

I have been waiting for the implementation of this type of feature since I started using GrapheneOS.

Great.

Finally!

The release (2024123000) is now available in the Stable channel.

Just asking for fun (votes are public), who intends to enable 2-factor fingerprint unlock?

  • Two-factor fingerprint unlock
  • Single-factor fingerprint unlock
  • Fingerprint unlock isn’t for me

0 voters

1 Like

Been looking forward to this one so I’ll try it out. Time will tell how bothersome I’ll find it.

This is now in stable.

I must say, this feature is surprisingly not cumbersome. The fingerprint unlock is super fast, and then the PIN menu just appears and you can type and unlock.

The extra step is very great for security, yet it adds negligible time vs just a PIN.

BTW, you don’t have to enable a duress password for this feature. If you don’t, then you will have just a PIN on BFU and a PIN + FP on AFU.

Note that the BFU and AFU PIN can be different. Personally, I have just set the same, but for extra security you might want an extra secure BFU PIN (that no one could ever see).

1 Like

I completely agree. I’ve been using it since the initial alpha release, and I’m pleasantly surprised with how good the UI/UX is.


I’m a little confused by the rest of what you mean here.

This feature doesn’t really have much to do with the duress password / PIN feature. The intended use case is:

  • Primary unlock method: a strong diceware passphrase

    • 7-8 words to avoid depending on secure element throttling
    • must be used every 48 hours and in BFU
    • supports duress password entry to wipe device
  • Secondary unlock method: fingerprint + PIN

    • minimum 4 digits, ideally 6+ digit PIN
    • only available in AFU
    • ideal for use in public to prevent shoulder surfing attacks + being compelled to scan fingerprint
    • more convenient for regular use
    • supports duress PIN entry to wipe device

The primary unlock method can always be used rather than the secondary unlock method if desired. Therefore, using the same PIN for the primary unlock method undermines the additional security of the two-factor fingerprint unlock.

1 Like
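An added example, not part of the thread or of GrapheneOS code: a small Python model of the unlock paths described in the post above, together with the entropy arithmetic behind the passphrase advice. The function names and the 1e9 guesses-per-second unthrottled rate are assumptions chosen for illustration.

```python
import math

DICEWARE_LIST_SIZE = 7776           # 6**5 words in the standard Diceware list
ASSUMED_UNTHROTTLED_RATE = 1e9      # guesses/second, an assumption for illustration

def entropy_bits(symbols: int, length: int) -> float:
    """Entropy of a uniformly random secret of `length` picks from `symbols`."""
    return length * math.log2(symbols)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed, unthrottled rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)

def unlock_paths(state: str) -> list[set[str]]:
    """Factor sets that unlock the device, as described in the post."""
    paths = [{"primary"}]                      # primary works in BFU and AFU
    if state == "AFU":
        paths.append({"fingerprint", "pin"})   # secondary needs both factors
    return paths

def attacker_unlocks(state: str, attacker_has: set[str],
                     pin_equals_primary: bool = False) -> bool:
    """True if the factors the attacker holds satisfy any unlock path."""
    known = set(attacker_has)
    if pin_equals_primary and "pin" in known:
        known.add("primary")   # a reused PIN also satisfies the primary path
    return any(path <= known for path in unlock_paths(state))

if __name__ == "__main__":
    for label, bits in [("6-digit PIN", entropy_bits(10, 6)),
                        ("7 Diceware words", entropy_bits(DICEWARE_LIST_SIZE, 7)),
                        ("8 Diceware words", entropy_bits(DICEWARE_LIST_SIZE, 8))]:
        years = years_to_exhaust(bits, ASSUMED_UNTHROTTLED_RATE)
        print(f"{label:17s} {bits:6.1f} bits  {years:.3g} years unthrottled")

    # PIN observed by shoulder surfing or CCTV, device in AFU
    print("observed PIN only:      ", attacker_unlocks("AFU", {"pin"}))
    print("observed PIN, reused:   ", attacker_unlocks("AFU", {"pin"}, True))
    # Compelled fingerprint scan without knowledge of the PIN
    print("fingerprint only:       ", attacker_unlocks("AFU", {"fingerprint"}))
    # Both secondary factors, but the device has been rebooted
    print("fingerprint + PIN, BFU: ", attacker_unlocks("BFU", {"fingerprint", "pin"}))
```

The short PIN only holds up while guesses are rate limited, which is why the post pairs it with a fingerprint and reserves the long passphrase for the primary method.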

You are right, but at the same time rebooting a phone will be pretty dumb for someone who steals your phone as this will make it much much harder to unlock than in AFU (as a general rule).

I am not concerned about advanced attackers. But I might add a stronger BFU PIN if I feel confident I will not forget it (which is tough cause I would rarely input it).

Personally I have realised that in the CIA principle (Confidentiality, Integrity, Accessibility) the A is as much if not more important than the C.

I think I see the misunderstanding. You are aware that the primary unlock method (what you are calling the BFU PIN) can still be used in AFU? You just swipe without verifying your fingerprint and you will be prompted to enter the primary unlock method PIN / passphrase.

1 Like

Oh, I didn’t know that :grimacing:.

Thanks for letting me know.

1 Like

Honestly, with the recent screen protector I applied, I am honestly more interested in the 80% charge + bypass charging. This will be great to start having a healthier battery. They really were lacking these options so.

To be fair it was also lacking on stock. It was only added a month ago with Android 15 QPR1.

I’m impressed with the quick implementation by GrapheneOS. I completely agree that it’s a must have feature, especially for devices that are supposed to last 7 years.

1 Like

I wonder how many users plan to use the 2-factor fingerprint unlock on all their profiles or just their daily driver profile.

I am leaning towards just the owner profile using the 2 factor, and sticking with a PIN or Password with the others.

The underrated thing about this new feature is that even if someone is shoulder-surfing you, this will not be enough to unlock your phone.

Also, I think we forgot that LE and threat actors can look at CCTV footage of us unlocking our phone and this is enough to unlock the phone. Not anymore.

3 Likes

Are there any other useful features added in the last few months that are good to turn on? I’m not sure if I’ve missed some useful update features or not.

I don’t doubt that this might be possible, but are there any real-world examples of this type of technique being used?

Can’t enjoy 2-factor FP unlock on my P8 with privacy screen filter :melting_face:

All P9 users should definitely utilise though.

It did happen. Source; please utilise a translation tool of your choice.

Translation of the relevant paragraph as follows:

The defense argued earlier that the text and voice communications of the fifth defendant’s mobile phone were captured and presented to the court, while police officers testified that the defendant took the initiative to show the unlock code. The defendant gave evidence on the dispute on Wednesday, saying that he had never been asked by the police about the method of unlocking the phone. He also claimed that he was allowed to reply to messages after his arrest, during which time the police took his phone. Upon questioning by the defense, the defendant confirmed that the unlocking of his phone had been captured on closed-circuit television (CCTV).

Cool.

I do find the source a bit confusing. It also makes it seem like the police just snatched the phone after it was already unlocked.

As Police Constable 8595 indicated that he could answer the call, the Defendant opened the communication software of his cellular phone in order to check the message, but he was stopped by a Sergeant, who took away the phone to listen to the recorded message between the Defendant and his mother (i.e. the 6th Defendant). The Defendant was then instructed to open the CCTV program in his cell phone, and the police officer never asked for the password during the whole process.

Translated with DeepL.com (free version)