Latest release of GrapheneOS finally shipped the long-awaited duress PIN/password implementation. If you have a spare device, we recommend trying it out.

We’ve added initial documentation to the features page:

https://grapheneos.org/features#duress

It near instantly wipes and shuts down.

We’ve also finally added documentation on our USB-C port control to our features page:

https://grapheneos.org/features#usb-c-port-control

Most users can set this to “Charging-only when locked” without a loss of functionality, or even “Charging-only” if you don’t use USB accessories, DisplayPort or MTP.

Default is “Charging-only when locked, except before first unlock” to avoid locking users out of devices with a broken touchscreen. The main threat model for this is defending the device until the auto-reboot timer, started when the screen is locked, gets user data back at rest.

Our upcoming 2-factor fingerprint unlock will make using a strong passphrase as primary unlock method practical via fingerprint+PIN secondary unlock instead of fingerprint-only. Great for people who want to avoid relying on secure element throttling but don’t want fp-only unlock.

  • hash@lemmy.world
    6 months ago

    The pin+fingerprint is super intriguing and exactly what I’ve been wanting for a while. I am curious about the range of options though. Could you use a pattern with fingerprint? Also, could you have a duress pin+fingerprint in addition to a duress password?

    • KindnessInfinityOPM
      6 months ago

      > Also, could you have a duress pin+fingerprint in addition to a duress password?

      They are planning to have a second unlock method for After First Unlock in the future.

    • dipak
      6 months ago

      Use the duress pin feature along with Phone Lock app, which disables biometric login for next unlock on sudden gyro movement shock. Thus, entering into pin/password only mode, where duress feature can be used easily.

      • KindnessInfinityOPM
        6 months ago

        Last time I checked, that app uses accessibility services, which are not recommended by the GOS project, as accessibility services greatly increase attack surface if any app using these services is compromised.

    • MajorHavoc@programming.dev
      6 months ago

      > Also, could you have a duress pin+fingerprint in addition to a duress password?

      If I read the release notes correctly, I think that’s the case. The Duress mode requires setting both a Duress pin and a Duress password (I think it’s) so that no matter the current sign in options, Duress mode is still available.

      • KindnessInfinityOPM
        6 months ago

        That is correct. During setup, you’re prompted for both password and pin, which allows use with pin or password prompts.