The phone must automatically lock quite quickly, otherwise somebody can just quickly grab it after you have unlocked it. This means the password needs to be typed in constantly if you are frequently picking up the phone. Also you often want to grab the phone with one hand, so you need to be able to type the password with one hand. Combine that with the frequent typing and you probably come to the conclusion that you can't have a proper, secure passphrase. Instead you resort to a PIN code of some length. Now remember that you need to be typing the PIN code constantly to unlock the phone. With one-hand operation there's little you can do to protect yourself against shoulder surfing. This means your PIN code is not that private.
Iris scanning or fingerprints are easy for a determined attacker, but I would say they are hard for somebody who just grabs your phone. Vice versa for the PIN code.
I think a good balance between security and usability would be to allow fingerprint or iris scan when the phone has been constantly in my proximity but require a pin (password) if the phone is taken away. The proximity could be determined for example by pairing the phone with smart watch.
An encrypted NFC or Bluetooth bracelet, sold with or separately from a phone, would be nice. The phone pings it every so often. If it can't find it, it automatically locks itself. If it can't find it for X number of days and a password hasn't been entered in that time, then it wipes || locks the phone.
Should be significantly more secure than Mifare though. Ideally something like a contactless OpenPGP card or similar.
Recently I searched for passive NFC ICs that'd be suitable for implementing that, but came up empty. The use case was exactly that: an NFC device located at about the wrist. My laptop has an NFC reader at just the right place on the handrest to read it. And I'd probably transplant an NFC reader into my desktop computer's keyboard for the same purpose.
Just had an idea, maybe not the wrist for mobile devices, maybe a ring that is always on the hand that is on the back of the phone. I don't know, but I can't help but think of how things can be more secure and that there is a market for those with security in mind.
Just found this also in my search while typing this comment.
I don't like rings (you put on your fingers). But that's just a personal preference. I'd be okay with wristbands though. Yes, the proximity to smartphone NFC readers would be a benefit of a ring.
Quoting GP: I think a good balance between security and usability would be to allow fingerprint or iris scan when the phone has been constantly in my proximity but require a pin (password) if the phone is taken away. The proximity could be determined for example by pairing the phone with smart watch.
When combined with a fingerprint sensor, smart lock keeps the device completely unlocked while "triggered" (by being on-body, or close to a trusted BT device, etc), and the fingerprint unlocks it while not triggered. It doesn't ever escalate to requiring the pin/password/pattern. Please correct me if I'm wrong, because I'd like to be.
My solution is to use the "Screen off and Lock" app[1]. It acts as a local Device Administrator to be able to force a password unlock. I added the widget to my home screen where I can actually lock my phone if needed (leaving it somewhere for a period), and I can use the fingerprint the rest of the time.
Definitely not a perfect system. I wish that I could set timeouts and map the power button to do an admin lock. Also, having to use a third-party app for this is quite likely its own threat vector.
Yeah, the Smart Lock functionality doesn't really support configuring your own primary-vs-fallback behavior.
I'd love to have features where the fingerprint is only good enough under certain circumstances, such as when the phone hasn't been idle for too long, or when combined with an RFID tag.
You're not wrong. I use smart lock and fingerprint on my 5x. I actually would prefer it to require fingerprint when near my watch with password fallback, and require fingerprint+password when away from my watch, but that isn't currently a possible configuration as far as I can tell.
The password model on Google's version of Android and iOS (as examples) is not biometric based. You need the password every few hours (at least on Android, not sure about iOS) and whenever you restart. The biometric is a keep-alive for that "session". For my threat model, that's sufficient. For many, that is sufficient. For some, it absolutely is not and they should disable biometrics entirely.
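To make the policy the thread is circling around concrete (biometric is enough while a paired token is near, PIN required once the phone is taken away, PIN required again when the session expires regardless of proximity, and lock-or-wipe after a long absence with no PIN typed), here is an added example of a toy unlock-policy engine. It is illustration written for this page, not code from Android, iOS, Smart Lock or the "Screen off and Lock" app; every threshold (missed pings before "taken away", session length, days before wipe) and every name in it is an assumption chosen for the example.

```python
"""Added example: a toy unlock-policy engine for the escalation scheme
discussed in the thread. All names and timings are assumptions."""

from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Auth(Enum):
    BIOMETRIC = "biometric"   # fingerprint / iris is enough
    PIN = "pin"               # something you know is required
    WIPED = "wiped"           # device wiped itself; nothing unlocks it


@dataclass
class Policy:
    # Assumed values, not taken from any real OS.
    max_missed_pings: int = 2        # consecutive missed token pings => "taken away"
    pin_session_s: int = 4 * 3600    # PIN must be retyped after this long (keep-alive)
    wipe_after_s: int = 3 * 86400    # token absent AND no PIN for this long => wipe


@dataclass
class Device:
    last_pin_at: float               # when the PIN was last typed correctly
    last_token_at: float             # when the paired token last answered a ping
    missed_pings: int = 0
    wiped: bool = False

    def token_away(self, policy: Policy) -> bool:
        return self.missed_pings >= policy.max_missed_pings


def on_ping(dev: Device, now: float, answered: bool) -> None:
    """Record one proximity ping to the paired bracelet/watch."""
    if answered:
        dev.missed_pings = 0
        dev.last_token_at = now
    else:
        dev.missed_pings += 1


def on_pin(dev: Device, now: float) -> None:
    """Correct PIN entry renews the session."""
    dev.last_pin_at = now


def on_tick(dev: Device, policy: Policy, now: float) -> None:
    """Periodic check: wipe once the token is away and neither it nor a PIN
    has been seen for wipe_after_s. Never triggers while the token is near."""
    if dev.wiped or not dev.token_away(policy):
        return
    last_trust = max(dev.last_pin_at, dev.last_token_at)
    if now - last_trust >= policy.wipe_after_s:
        dev.wiped = True


def required_auth(dev: Device, policy: Policy, now: float) -> Auth:
    """What an unlock attempt at time `now` must present. Unlike a policy
    that never escalates, proximity loss and session expiry both force PIN."""
    if dev.wiped:
        return Auth.WIPED
    if now - dev.last_pin_at >= policy.pin_session_s:
        return Auth.PIN                  # session expired, even with token near
    if dev.token_away(policy):
        return Auth.PIN                  # phone left its owner
    return Auth.BIOMETRIC


Event = Tuple[float, str, object]       # (time_s, kind, argument)


def simulate(events: List[Event], policy: Optional[Policy] = None) -> List[Auth]:
    """Replay a timeline; return the Auth decided at each 'unlock' event."""
    policy = policy or Policy()
    dev = Device(last_pin_at=0.0, last_token_at=0.0)
    decisions: List[Auth] = []
    for t, kind, arg in events:
        on_tick(dev, policy, t)
        if kind == "ping":
            on_ping(dev, t, bool(arg))
        elif kind == "pin":
            on_pin(dev, t)
        elif kind == "unlock":
            decisions.append(required_auth(dev, policy, t))
    return decisions


# Constructed sample timeline (seconds): PIN at boot, bracelet answers, phone
# is grabbed (pings fail), comes back, session expires, then it is abandoned.
SAMPLE: List[Event] = [
    (0, "pin", None), (10, "ping", True), (20, "unlock", None),
    (40, "ping", False), (70, "ping", False), (80, "unlock", None),
    (100, "ping", True), (110, "unlock", None),
    (5 * 3600, "unlock", None), (5 * 3600 + 10, "pin", None),
    (5 * 3600 + 20, "unlock", None),
    (5 * 3600 + 100, "ping", False), (5 * 3600 + 200, "ping", False),
    (5 * 3600 + 300, "unlock", None),
    (5 * 3600 + 300 + 3 * 86400, "unlock", None),
]

if __name__ == "__main__":
    for t, decision in zip([e[0] for e in SAMPLE if e[1] == "unlock"], simulate(SAMPLE)):
        print(f"t={t:>7}s  require {decision.value}")
```

The "fingerprint plus password when away" variant wished for above drops out of the same structure by having `required_auth` return a set of required factors instead of one enum value; the important property to keep is that loss of proximity and session expiry can only add factors, never remove one.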
Fingerprints and iris scans are not equivalent to a username or email, since the username and email can be changed easily. Proper biometric data cannot be changed, it is tied to the individual. So when the data is compromised and published in the wild and the devices can be fooled with it (which will always be possible), then the user of biometric recognition devices can become the victim of identity theft for the rest of their life.
Exactly this. We need the big 4 to start pushing this as a standard, and with all three, passwords can be simpler, like 8 alphanumeric characters. There is NO reason that the 2FA can't be built into the mobile OSes and shown on screen/watch with fingerprint verification as the trigger.
To secure a device you need a password.
Basics: something you are (iris scan, fingerprint), something you have (2fa token, usb unlock key), something you know (password).
One out of 3 is probably not very secure.