Latest release of GrapheneOS finally shipped the long-awaited duress PIN/password implementation. If you have a spare device, we recommend trying it out.

We’ve added initial documentation to the features page:

https://grapheneos.org/features#duress

It near instantly wipes and shuts down.

We’ve also finally added documentation on our USB-C port control to our features page:

https://grapheneos.org/features#usb-c-port-control

Most users can set this to “Charging-only when locked” without a loss of functionality or even “Charging-only” if you don’t use USB accessories, DisplayPort or MTP.

Default is “Charging-only when locked, except before first unlock” to avoid locking users out of devices with a broken touchscreen. The main threat model for this is defending the device until the auto-reboot timer started when the screen is locked gets user data back at rest.

Our upcoming 2-factor fingerprint unlock will make using a strong passphrase as primary unlock method practical via fingerprint+PIN secondary unlock instead of fingerprint-only. Great for people who want to avoid relying on secure element throttling but don’t want fp-only unlock.

  • hash
    57 months ago

    The pin+fingerprint is super intriguing and exactly what I’ve been wanting for a while. I am curious about the range of options though. Could you use a pattern with fingerprint? Also, could you have a duress pin+fingerprint in addition to a duress password?

    • @[email protected]
      17 months ago

      Use the duress pin feature along with Phone Lock app, which disables biometric login for next unlock on sudden gyro movement shock. Thus, entering into pin/password only mode, where duress feature can be used easily.

      • @[email protected]OPM
        27 months ago

        Last time I checked, that app uses accessibility services, which are not recommended by the GOS project, as accessibility services greatly increase attack surface if any app using these services is compromised.

    • @[email protected]
      17 months ago

      > Also, could you have a duress pin+fingerprint in addition to a duress password?

      If I read the release notes correctly, I think that’s the case. The Duress mode requires setting both a Duress pin and a Duress password, (I think it’s) so that no matter the current sign in options, Duress mode is still available.

    • @[email protected]OPM
      17 months ago

      > Also, could you have a duress pin+fingerprint in addition to a duress password?

      They are planning to have a second unlock method for After First Unlock in the future.