My new strategy to keep my GrapheneOS phone secure from bruteforce and shoulder surfing attacks

Been using a PIN for primary unlock and fingerprint + PIN for secondary unlock for a few days. At least for me, this is kind of confusing and results in poor OPSEC.

I kind of get confused between those two PINs, and my brain also treats them equally as important, which I don’t want.

I decided to go with this setup instead:

A two-word diceware passphrase for primary unlock and a fingerprint + PIN for secondary unlock. Basically, if I need to type a passphrase, I should be aware of my surroundings and that nobody can capture my passphrase, but for a fingerprint + PIN, it doesn’t matter because an attacker would need both my fingerprint and the PIN, and they only have 5 attempts before my phone falls back to the primary unlock.

I believe that this setup gives the best balance between security and convenience for 99.99% of people who don’t need to worry about their adversaries having the ability to bypass Weaver throttling.

7 Likes

This makes sense and is also what I thought was the recommended way.

Everywhere I looked, the recommended way is overkill: it suggests a seven- or even eight-word passphrase, which only makes sense for individuals with an extreme threat model.

A two-word passphrase is pretty much as strong as an 8-digit PIN and is more than enough for most people.

3 Likes
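As an added example (not code from the thread or from GrapheneOS), here is a small Python model of the guess spaces behind the claims above: it compares a two-word diceware passphrase with 8- and 6-digit PINs, and shows how a throttling schedule dominates brute-force time when it holds, which is why the passphrase length only matters once throttling can be bypassed. The 7776-entry list size and the delay schedule are assumptions chosen for illustration, not the exact Weaver schedule.

```python
import math

DICEWARE_LIST_SIZE = 7776  # assumed: entries in a standard diceware word list (6**5)


def passphrase_space(words, list_size=DICEWARE_LIST_SIZE):
    """Number of possible passphrases of `words` words drawn uniformly from the list."""
    return list_size ** words


def pin_space(digits):
    """Number of possible numeric PINs of the given length."""
    return 10 ** digits


def entropy_bits(space):
    """Entropy in bits of a secret chosen uniformly from a space of the given size."""
    return math.log2(space)


def expected_guesses(space):
    """Guesses an attacker needs on average when trying the space in arbitrary order."""
    return space // 2


def throttled_seconds(guesses, schedule):
    """Wall-clock seconds for `guesses` online attempts under a throttling schedule.

    `schedule` holds (failed_attempts, delay_seconds) pairs: once that many attempts
    have failed, each further attempt costs delay_seconds until the next threshold.
    Attempts before the first threshold cost nothing. Simplified model, not Weaver.
    """
    total = 0
    thresholds = sorted(schedule)
    for i, (start, delay) in enumerate(thresholds):
        if guesses <= start:
            break
        end = thresholds[i + 1][0] if i + 1 < len(thresholds) else guesses
        total += (min(end, guesses) - start) * delay
    return total


def secondary_unlock_success(digits, attempts=5):
    """Chance of guessing the secondary-unlock PIN within `attempts` tries when the
    attacker already has the fingerprint (the thread allows 5 before fallback)."""
    return attempts / pin_space(digits)


# Constructed schedule for illustration: 30 s per attempt after 5 failures,
# one day per attempt after 140 failures. Assumed values, not from the thread.
EXAMPLE_SCHEDULE = [(5, 30), (140, 86_400)]

if __name__ == "__main__":
    for label, space in [("2-word diceware", passphrase_space(2)),
                         ("8-digit PIN", pin_space(8)), ("6-digit PIN", pin_space(6))]:
        days = throttled_seconds(expected_guesses(space), EXAMPLE_SCHEDULE) / 86_400
        print(f"{label:16} {entropy_bits(space):5.1f} bits, ~{days:.3g} days throttled")
    print(f"5 tries at a 6-digit secondary PIN: p = {secondary_unlock_success(6):.2e}")
```

Under the assumed schedule even a 6-digit PIN takes thousands of days of online guessing, so the gap between a two-word passphrase (about 25.8 bits) and an 8-digit PIN (about 26.6 bits) is only decisive for an adversary who can attempt guesses without the throttle.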

We actually agree on something here. I have borrowed a Pixel from one of my friends for testing and I can confirm it’s working excellently, especially since I don’t use my fingerprint.