Encryption on Note 4 - T-Mobile Galaxy Note 4 Q&A, Help & Troubleshooting

Before, to enable encryption, most Samsung devices required
6 char password with letters and digits.
Lucky exception was Note 3 that allowed 4 digit pin.
Password or pin also had to be the same for boot and lock screen.
Is there any change in that?
Sent from my SM-N900T using XDA Free mobile app

My N4 is encrypted and both my boot and lock screen are the same.
I'm glad they went with a 6 character as the encryption has also been beefed up for the N4.
Rule of thumb: Make sure your password is at least 16 characters or don't bother encrypting your device. You'd be wasting your time. Remember...16 minimum.
alexnoalex said:
Before, to enable encryption, most Samsung devices required
6 char password with letters and digits.
Lucky exception was Note 3 that allowed 4 digit pin.
Password or pin also had to be the same for boot and lock screen.
Is there any change in that?
Sent from my SM-N900T using XDA Free mobile app

iunlock said:
My N4 is encrypted and both my boot and lock screen are the same.
I'm glad they went with a 6 character as the encryption has also been beefed up for the N4.
Rule of thumb: Make sure your password is at least 16 characters or don't bother encrypting your device. You'd be wasting your time. Remember...16 minimum.
I think the OP wants what i would like
two different passwords ex one for the encrypted partitions and the other for the lock screen.
what i want to see is a big hairy password for my boot time encryption but then i would like the convenience of the fingerprint scanner to unlock the device.

Ah yes that would be nice. Having to enter in a book every time is a bit annoying. I do have it set to where it won't lock immediately though. It helps somewhat. I'm glad the camera toggle is there too for quick access.
webstas said:
I think the OP wants what i would like
two different passwords ex one for the encrypted partitions and the other for the lock screen.
what i want to see is a big hairy password for my boot time encryption but then i would like the convenience of the fingerprint scanner to unlock the device.

No Encryption
My N4 refuses to encrypt. Why? Is it because I am currently using "My Knox" to do all my work stuff in?

Are you encrypting everything including sdcard or are you excluding anything?
Does it affect boot-app launch times or impact performance?
I'd feel better about getting the Note 4 asap once this encryption matter is clarified.. - Thnx
iunlock said:
My N4 is encrypted and both my boot and lock screen are the same.
I'm glad they went with a 6 character as the encryption has also been beefed up for the N4.
Rule of thumb: Make sure your password is at least 16 characters or don't bother encrypting your device. You'd be wasting your time. Remember...16 minimum.
---------- Post added at 05:49 PM ---------- Previous post was at 05:13 PM ----------
I was going to start a new thread on encryption until I noticed this one got a reply today
Ideally I'd like no-minimal performance impact encryption along with greater unlock convenience. Apparently that will be available in Android L coming to the Note 4 end of November/early December according to http://www.sammobile.com/2014/09/18...te-4-might-get-android-l-in-novemberdecember/ but I've also heard it may be January (hopefully sooner). Anyone know how Android L will handle sdcard encryption as Nexus 6/9 lack sdcard slots?
Until then perhaps you could consider other 3rd party encryption apps such as SSE - Universal Encryption, Encryption Manager etc as mentioned in https://www.youtube.com/watch?v=AYcqo5CEKgI
Android L encrypts by default with many personal unlock options including separate PIN, passwords even trusted faces ( https://www.youtube.com/watch?v=n-YphkBt0j0 ) & trusted devices ( https://www.youtube.com/watch?v=rVmSWQ30Tv0 ) which should offer improved security via standard encryption along with greater unlock convenience I'd like to see it seems (i.e. more focus on just locking out the non-trusted):
Thoughts on when Android L will be officially available for the Note 4 & how its default encryption will handle sdcard slots?
alexnoalex said:
Before, to enable encryption, most Samsung devices required
6 char password with letters and digits.
Lucky exception was Note 3 that allowed 4 digit pin.
Password or pin also had to be the same for boot and lock screen.
Is there any change in that?
Sent from my SM-N900T using XDA Free mobile app

No one else who has tried encryption could comment on any performance impact?
If the sdcard is not encrypted & your device is lost-stolen no one is worried that all your sdcard data would be accessible without any password (e.g. by popping it in a pc or smartphone with sdcard slot)?
SMARTPHONEPC said:
Are you encrypting everything including sdcard or are you excluding anything?
Does it affect boot-app launch times or impact performance?
I'd feel better about getting the Note 4 asap once this encryption matter is clarified.. - Thnx
---------- Post added at 05:49 PM ---------- Previous post was at 05:13 PM ----------
I was going to start a new thread on encryption until I noticed this one got a reply today
Ideally I'd like no-minimal performance impact encryption along with greater unlock convenience. Apparently that will be available in Android L coming to the Note 4 end of November/early December according to http://www.sammobile.com/2014/09/18...te-4-might-get-android-l-in-novemberdecember/ but I've also heard it may be January (hopefully sooner). Anyone know how Android L will handle sdcard encryption as Nexus 6/9 lack sdcard slots?
Until then perhaps you could consider other 3rd party encryption apps such as SSE - Universal Encryption, Encryption Manager etc as mentioned in https://www.youtube.com/watch?v=AYcqo5CEKgI
Android L encrypts by default with many personal unlock options including separate PIN, passwords even trusted faces ( https://www.youtube.com/watch?v=n-YphkBt0j0 ) & trusted devices ( https://www.youtube.com/watch?v=rVmSWQ30Tv0 ) which should offer improved security via standard encryption along with greater unlock convenience I'd like to see it seems (i.e. more focus on just locking out the non-trusted):
Thoughts on when Android L will be officially available for the Note 4 & how its default encryption will handle sdcard slots?

Related

Storage Encryption

Even though there was zero documentation and nobody else seems to have tried it, I turned on storage encryption on my HTC One.
Not impressed. Here are a few observations:
1. At power up (once the drive is encrypted), it appears to go through a full boot cycle. It then presents you with an authentication screen to enter your credentials. It then appears to reboot itself through another full boot cycle and then finally move on to the lock screen. This seems really idiotic.
2. There is no separate crypto password. If you use a 5 digit numerical pin, this is automatically your encryption password. If someone were to really attack the storage crypto, they would be able to brute force a pin in seconds (probably less). Long complicated passwords are too cumbersome to be used on a lockscreen.
3. Luckily, performance impact appears to be minimal once booted - at least not enough to noticeably bother me. I don't have enough comparative data to talk to battery impact, but it appears to be minimal.
4. There is no way to undo encryption....you have to do a factory reset. To be fair, this was documented in the warning screens.
Overall, it feels that this entire feature was an engineering afterthought added to make sure there is a check box for encryption for those customers that require it.
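An added example, not part of any post in this thread: a Python estimate of how long each credential policy discussed here (4- and 5-digit PINs, the 6-character letters-and-digits rule, the "16 minimum" rule of thumb) would withstand exhaustive offline guessing when the lock-screen credential is also the storage encryption password. The PBKDF2-HMAC-SHA1 key derivation with 2000 iterations and all function names are assumptions for illustration; the thread does not say which KDF these devices use.

```python
"""Added example: key-space arithmetic for lock-screen credentials reused as
the storage encryption password. Not code from the thread or from Android."""
import hashlib
import math
import os
import time

# Credential policies mentioned in the thread:
# (label, alphabet size, length, must contain both letters and digits?)
POLICIES = [
    ("4-digit PIN", 10, 4, False),
    ("5-digit PIN", 10, 5, False),
    ("6 chars, letters and digits required", 62, 6, True),
    ("16 chars, letters and digits required", 62, 16, True),
]

# Assumed KDF cost, for illustration only; the thread does not name the KDF.
ASSUMED_ITERATIONS = 2000


def keyspace(alphabet: int, length: int, mixed: bool = False) -> int:
    """Number of candidate credentials of exactly `length` characters.

    With mixed=True the alphabet is a-z, A-Z, 0-9 and the credential must
    contain at least one letter and one digit, so all-letter and all-digit
    strings are subtracted (inclusion-exclusion).
    """
    if not mixed:
        return alphabet ** length
    if alphabet != 62:
        raise ValueError("mixed policy is defined here for the 62-symbol alphabet")
    return 62 ** length - 52 ** length - 10 ** length


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate; the average case is half."""
    return space / guesses_per_second


def min_length(alphabet: int, guesses_per_second: float, target_seconds: float) -> int:
    """Shortest credential length whose worst case reaches target_seconds."""
    length = 1
    while alphabet ** length / guesses_per_second < target_seconds:
        length += 1
    return length


def measure_kdf_rate(iterations: int = ASSUMED_ITERATIONS, samples: int = 200) -> float:
    """Key derivations per second on this machine, single core, no GPU."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha1", str(i).encode(), salt, iterations, dklen=32)
    return samples / (time.perf_counter() - start)


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:.3g} {unit}"
    return f"{seconds:.3g} seconds"


def report(guesses_per_second: float):
    """One row per policy: (label, key space, entropy bits, worst-case time)."""
    rows = []
    for label, alphabet, length, mixed in POLICIES:
        space = keyspace(alphabet, length, mixed)
        bits = round(math.log2(space), 1)
        worst = humanize(seconds_to_exhaust(space, guesses_per_second))
        rows.append((label, space, bits, worst))
    return rows


if __name__ == "__main__":
    rate = measure_kdf_rate()
    print(f"measured rate: {rate:,.0f} derivations/second (one CPU core)")
    for label, space, bits, worst in report(rate):
        print(f"{label:40s} {space:>32,d}  {bits:5.1f} bits  worst case {worst}")
    year = 365 * 86400
    print("digits needed for a one-year worst case:", min_length(10, rate, year))
    print("letters+digits needed for the same:", min_length(62, rate, year))
```

A key derivation that is bound to device hardware lowers the guess rate an offline guesser can reach, but the key-space arithmetic for short PINs stays the same.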
This is a standard Android feature (and therefore provided by Google not HTC). If you search there is plenty of information on this feature, just not in this HTC One specific sub-forum.
Rumball said:
This is a standard Android feature (and therefore provided by Google not HTC). If you search there is plenty of information on this feature, just not in this HTC One specific sub-forum.
Thanks for clarification.
Sent from my HTC One using Tapatalk 2
I turned on encryption the day after receiving mine. It hasn't seemed to impact battery life or performance but as the previous poster mentioned, it acts like other Android devices with encryption upon boot.
It is a pain but not near as bad as losing my phone and knowing someone with very little computer skill might be able to get at my data.
Sent from my HTC One using xda premium
rootshot said:
2. There is no separate crypto password. If you use a 5 digit numerical pin, this is automatically your encryption password. If someone were to really attack the storage crypto, they would be able to brute force a pin in seconds (probably less). Long complicated passwords are too cumbersome to be used on a lockscreen
have you looked at Cryptfs Password?
it lets you set a separate password for your encrypted volume, so you can have something long 'n complex, but a short numerical pin for your lockscreen
i use it and it's totally awesome
PS: there's also EncPassChanger, it does the same thing
Advance Mobile Care has a folder specific encryption facility called 'privacy locker'
http://forum.xda-developers.com/showthread.php?t=2290180
There are other folder specific encryption apps available.
The main issue with encryption apps is their reliability. Can you really trust them not to lock you out for an unspecified, unrecoverable error?
Zoltair Wright said:
have you looked at Cryptfs Password?
it lets you set a separate password for your encrypted volume, so you can have something long 'n complex, but a short numerical pin for your lockscreen
i use it and it's totally awesome
PS: there's also EncPassChanger, it does the same thing
Awesome! Exactly what I was looking for. Thank you.

[SOLVED] Change Encryption Password?

Dear all,
I run the stock firmware and encrypted my phone including the SD card.
Is there a possibility to change the associated password? It seems only the lock screen password can be changed.
Best,
Hindman
Those are tied together. If you want to set the encryption password independently, that requires root. And https://play.google.com/store/apps/details?id=org.nick.cryptfs.passwdmanager&hl=de for example.
Iruwen said:
Those are tied together. If you want to set the encryption password independently, that requires root. And https://play.google.com/store/apps/details?id=org.nick.cryptfs.passwdmanager&hl=de for example.
Oh yes, you are right. Thank you!
However, one might think that two separate passwords would make more sense. When unlocking a screen, nobody wants to input lengthy passwords, whereas typing a strong encryption password at bootup is acceptable.

Nexus 4 & 5 security vulnerability uncovered

A security researcher and hacker, named John Gordon, has found an easy way to bypass the security of locked smartphones running Android 5.0 and 5.1 (Build LMY48M). Many of us use various security locks on our devices like Pattern lock, PIN lock and Password lock in order to protect the privacy of our devices. However, a vulnerability could now allow anyone to take your Android smartphone (5.0 build LMY48I) with locked screen, perform a "MAGIC TRICK" and as a result crash the user interface (UI) for the password screen and gain access to your device.
The vulnerability, assigned CVE-2015-3860, has been dubbed as "Elevation of Privilege Vulnerability in Lockscreen".
How the Attack Works?
The secret behind the researcher's "MAGIC TRICK" is as follows:
Get the device and open the Emergency dialer screen. Type a long string of numbers or special characters in the input field and copy-n-paste a long string continuously till its limit exhausts.
Now, copy that large string. Open up the camera app accessible without a lock. Drag the notification bar and push the settings icon, which will show a prompt for the password.
Now, paste the earlier copied string continuously to the input field of the password, to create an even larger string.
Come back to camera and divert yourself towards clicking pictures or increasing/decreasing the volume button with simultaneously tapping the password input field containing the large string in multiple places.
All this is done to make the camera app crash. Further, you will notice the soft buttons (home and back button) at the bottom of the screen will disappear, which is an indication that will enable the app to crash.
At this time, stop your actions and wait for the camera app to become unresponsive.
After a moment, the app will crash and get you to the Home Screen of the device with all the encrypted and unencrypted data.
Now without wasting time go to Settings > Developer Options > Enable USB Debugging and control the device by installing the Android Debug Bridge (ADB) utility.
In addition to this, if we notice the number of users with Android 5.0 and 5.1 with hardware compatibility as Nexus 4 and software installed as Google factory image - occam 5.1.1 (LMY47V) are less.
Therefore, the risk associated will affect those users only.
Furthermore, for those users we have a good news that is - the patch has released for the vulnerability and is made public by Google.
My question is, will it also affect other L users???
First off:
That text formatting,</thread> also, this will affect anyone running Roms with pretty much unaltered SystemUI based on 5.1.1_r8 (or lower)
Roms that alter heavily SystemUI (i.e samsung and lg stock roms) are unaffected. hence this issue didn't get a wide spread across news sites
opssemnik said:
First off:
That text formatting,</thread> also, this will affect anyone running Roms with pretty much unaltered SystemUI based on 5.1.1_r8 (or lower)
Roms that alter heavily SystemUI (i.e samsung and lg stock roms) are unaffected. hence this issue didn't get a wide spread across news sites
Thanks for informing me. But sure that WILL affect users of CyanogenMod, Cataclysm and other non-modded AOSP based ROMs.
Sent from my HTC Desire 616 dual sim using Tapatalk
MSF Jarvis said:
Thanks for informing me. But sure that WILL affect users of CyanogenMod, Cataclysm and other non-modded AOSP based ROMs.
Sent from my HTC Desire 616 dual sim using Tapatalk
Cm has already merged r14 so it's safe, cataclysm is based stock roms, so if it has a version for the latest, then it's also safe.
any rom with code base post r8 it's safe, which afaik should be a lot of them. RR, rastapop,omni,cm,chroma,D.U. are the ones i remember that has the fix
if you want a deeper look, see if the rom has this fix
https://android.googlesource.com/platform/frameworks/base/+/8fba7e6
opssemnik said:
Cm has already merged r14 so it's safe, cataclysm is based stock roms, so if it has a version for the latest, then it's also safe.
any rom with code base post r8 it's safe, which afaik should be a lot of them. RR, rastapop,omni,cm,chroma,D.U. are the ones i remember that has the fix
if you want a deeper look, see if the rom has this fix
https://android.googlesource.com/platform/frameworks/base/+/8fba7e6
Whew. Now as I think, I remember my cousin's N5 getting a ~100 MB FOTA update, maybe that includes the r14 fix.
Sent from my HTC Desire 616 dual sim using Tapatalk
Mod Edit
Thread Closed at OP request
ronnie498
Senior Moderator

Encryption level - P20 Pro

Hey guys,
Does anyone know what's the encryption level supported by p20 pro and how do i check it?
My organization has disabled any mobile device to connect which does not support 256 bit encryption, this level of encryption is only on iphone's & knox enabled Samsung phones.
Hence wanted to know the encryption level supported by p20 pro.
Thanks in advance.
No one guys?
I've chased Huawei again for an answer, only been waiting since May and constantly chasing each month, so not sure when they will reply
Sent from my Huawei P20 Pro using XDA Labs
I've finally had an update from Huawei
In response to your question, please be informed that the Huawei P20 Pro device it is not encrypted. However, all the information you are saving on the "file safe" it is encrypted. This means that the information is private and it can be accessed only by you. This option it is secured and it can be accessed only with your fingerprint.
So by default the device is not encrypted
walkerx said:
I've finally had an update from Huawei
So by default the device is not encrypted
That's f*ing ridiculous!! It's 2018!!
krs360 said:
That's f*ing ridiculous!! It's 2018!!
another reason to not buy the next huawei device
walkerx said:
another reason to not buy the next huawei device
Really bizarre why full encryption is unavailable on the Pro. If there's no way to enable it, then ya, I might avoid Huawei for my next phone as well.
Me too, this is gonna be my last Huawei
Guys, are you sure this is correct? If you read the EMUI 8.0 Security Technology White Paper on consumer-img.huawei.com/content/dam/huawei-cbg-site/en/mkt/legal/privacy-policy/EMUI%208.0%20Security%20Technology%20White%20Paper.pdf it seems to indicate that the entire phone is encrypted using HW key (HUK):
"To ensure data security, user data is encrypted using a hardware-based hardware unique key
(HUK) and user lock screen passcode. Data files of different apps are stored in the directories
of the corresponding apps, so that the files of one app cannot be accessed by other apps. The
data erasure function is provided for permanently erasing data during device recycling or
factory default restoration to prevent illegitimate data restoration."
and then:
"The AES256 hardware encryption/decryption used by the secure storage function is
compatible with the GlobalPlatform TEE standard. The secure storage keys are derived by the
HUK and not sent outside of the TrustZone. Data encrypted using the keys cannot be
decrypted outside of the TrustZone"
soniva said:
Guys, are you sure this is correct? If you read the EMUI 8.0 Security Technology White Paper on consumer-img.huawei.com/content/dam/huawei-cbg-site/en/mkt/legal/privacy-policy/EMUI%208.0%20Security%20Technology%20White%20Paper.pdf it seems to indicate that the entire phone is encrypted using HW key (HUK):
"To ensure data security, user data is encrypted using a hardware-based hardware unique key
(HUK) and user lock screen passcode. Data files of different apps are stored in the directories
of the corresponding apps, so that the files of one app cannot be accessed by other apps. The
data erasure function is provided for permanently erasing data during device recycling or
factory default restoration to prevent illegitimate data restoration."
and then:
"The AES256 hardware encryption/decryption used by the secure storage function is
compatible with the GlobalPlatform TEE standard. The secure storage keys are derived by the
HUK and not sent outside of the TrustZone. Data encrypted using the keys cannot be
decrypted outside of the TrustZone"
Got the info from Huawei stating there is no default encryption on the device
walkerx said:
Got the info from Huawei stating there is no default encryption on the device
Yes, I saw that earlier in the thread. But as others are saying - "it's crazy not to support this"
Just wondering if I should trust Huawei's official white paper on security and privacy or a person in customer support. I would expect them to provide the same answer. Assuming I'm reading the white paper correctly, encryption is on by default for the entire phone, with some additional safety-level for personal files (i.e. docs and images).
We have similar policies for our company-services utilized on phones and I am allowed to download, read and send e-mails on my P20 Pro just as on phones I've used earlier (with explicit encryption). Which is also the reason for following up on this issue. Either my phone is ok, the policy is not working as intended or my phone is reporting the wrong answer when queried from the server "are you encrypted". The last one would be the most critical I guess.
Also note the last comment on this thread: forums.androidcentral.com/huawei-mate-10-mate-10-pro/865831-does-pro-have-full-device-encryption-like-most-phones-now-9-did-not.html
To put it bluntly, I wouldn't trust any Chinese device when it comes to encryption. I'm not surprised that the P20 Pro is unencrypted. I used to have a OnePlus 3 that was encrypted (according to OnePlus, anyway...), yet when I factory reset it through the bootloader and gave to a family member, half my apps and SMS messages were still on the phone when they signed in with their own Google account.
If you want data security, I think Samsung and the Knox platform is about as good as you're going to get. Apple won't give governments advice on how to decrypt iPhones, but I'm pretty sure it's possible with the right third party equipment.
This is the answer I got from Huawei customer support:
Our devices are encrypted from the factory when they are made, a user can then also add passwords, fingerprints and facial recognition to allow access to the device but as a standard in the Android system the main security function is a password and this is required after a restart of the device even if you have other unlock functions.
The encryption from the factory is an encryption on the internal storage unit.
So based on this, and the white paper mentioned previously, the devices are encrypted.
soniva said:
This is the answer I got from Huawei customer support:
So based on this, and the white paper mentioned previously, the devices are encrypted.
I've replied to my email from Huawei advising to confirm as we are getting different answers from support staff (my updates are coming from the UK Technical Support Team)
Update: Further from my post earlier, I've now had more information back from Huawei who have confirmed there is encryption by default, so have asked them to ensure all staff know as I seem to be getting incorrect information (especially from one member of staff)

Biometric Authentication - Banking apps.

Make sure you put 1* reviews on your Banking apps or all apps that need updating to support face unlock, hopefully it will help speed up the development and support of face unlock on the pixel 4. I am really missing fingerprint unlock on my apps!
Demolition49 said:
Make sure you put 1* reviews on your Banking apps or all apps that need updating to support face unlock, hopefully it will help speed up the development and support of face unlock on the pixel 4. I am really missing fingerprint unlock on my apps!
Why? I just contacted my credit union asking for them to add support. Maybe larger national banks and stuff should have been aware and had support ready but smaller, more local institutions might just need to know that it's a thing on Android now.
Sent from my Pixel 4 XL using XDA Labs
In the Play Store, you can reach out to contact each app's development team via email. I've written to Chase, Bank of America, Mint, Credit Karma, and the other apps I use. Some developers are aware that they need to update, others aren't. Here are some of the responses I've received.
My original email (to each app):
Please update the Android app to support the biometric API so that I can use the secure face unlock on my Pixel 4! Thank you!
Bank of America:
Thank you for your feedback and we apologize for the inconvenience. We are working to update to the latest biometric authentication for the Pixel 4 and expect to have a supporting app shortly. For now, sign-in to the app using your online ID and password. Please look out for an app update soon.
Chase:
We'll be happy to review your request to update the
Android App.
Ivan, please note that the Chase Mobile App will work on
any Android smart phone or tablet running Android
operating system 5.0 (Lollipop) or higher. The minimum
operating system is 5.0 or higher. If your mobile phone
does not have the minimum requirement, the Chase Mobile
app will not be compatible.
We want our mobile app users to have the best experience
possible, so we regularly test chase.com using the most
current versions of operating systems. Since some mobile
app functionality may not work well on older operating
systems, we ask that you perform these updates. We
recommend you update your operating system and application
to the newest versions available. If your device isn't set
up to receive updates automatically, you can get the We
recommend you update your operating system and application
to the newest versions available.
We appreciate your business and thank you for choosing
Chase.
Credit Karma:
To determine if your Touch ID or Face ID function is turned on or off, go into your settings by clicking the icon in the top right corner of the app. The directions are the same whether you’re using Touch ID or Face ID.
If Touch or Face ID is turned on you will see a green circle with a white check mark.
If it’s turned off, simply click the empty circle and you’ll be prompted with a message stating the fingerprints or face registered on your phone can be used to access your Credit Karma account. Click “OK” to this prompt and you will be asked to enter your PIN to confirm this change.
Touch or Face ID is now turned on and you will be allowed to use this function to access the Credit Karma app moving forward.
Please note that if you log out of your account, the next time you open the app you’ll be prompted to enter your email address and password.
Thanks so much,
I've been sending further follow-ups to the ones who clearly don't understand what we are asking.
The more people who contact them, the more they'll understand that their apps are the problem by not using the current API.
I think Chase already stated that they were going to have an update before the end of the year. Hopefully sooner rather than later.
Robinhood works!
btonetbone said:
In the Play Store, you can reach out to contact each app's development team via email. I've written to Chase, Bank of America, Mint, Credit Karma, and the other apps I use. Some developers are aware that they need to update, others aren't. Here are some of the responses I've received.
My original email (to each app):
Bank of America:
Chase:
Credit Karma:
I've been sending further follow-ups to the ones who clearly don't understand what we are asking.
The more people who contact them, the more they'll understand that their apps are the problem by not using the current API.
Very nice work, I have left reviews and also contacted all my Banks via email. Hopefully it speeds up the process.
Throwing up a bunch of one-star reviews won't help, and all it serves to do is make the rater (you) look petty and childish. I'll send an email to my institutions, like a grownup, and go from there.
Getting in contact directly works best, via the play store will get you to the android app devs. I usually go through Twitter and you get a spokesperson who wouldn't know an apk from an adb and will give a stock response of soon™.
Remind them that the old biometric APIs are deprecated and that they should update to current versioning. Should anything happen they don't want to be the story of the bank that wasn't able to keep up.
Honestly I'm not missing it that much for my bank that much because I use LastPass which autofills it quickly. I do miss it for Outlook though because I have to do a pin.
Sent from my Pixel 4 XL using Tapatalk
So Far E-Trade has been updated to the Pixels face Unlock... I sent an email via the app store also to a credit union hoping they will update their app. I'm hoping within the next 2 weeks to a month that all major banks will update...
How secure is this anyway? I mean, my banking account has a password. I enter that password in my banking app to log into my account. In the future I will use my facial scan to log into my banking app.
Does that mean my banking account will have two passwords (1x password + 1x facial scan) or will my password be stored somewhere in the app or on android and simply be passed on once my facial scan is verified?
Both do not sound very secure to me.
If you don't feel it's secure then just don't use the app.. simple. I trust that the banks know the risks and have mitigated them. After all they are the ones on the hook if there's fraud.
bobby janow said:
If you don't feel it's secure then just don't use the app.. simple. I trust that the banks know the risks and have mitigated them. After all they are the ones on the hook if there's fraud.
Not really the informative answer I was looking for.
I wouldn't blindly trust a bank app or any of the other countless apps that would use my facial scan.
What happens if your facial scan gets stolen / leaked. Everyone with that information will for ever be able to access your data. And you can't even change your access code like you would be able to with a password.
And it seems like you also have no idea where your facial scan is being saved, and how it is secured / locked down. Maybe it is just a plain file on your phone's storage? You don't seem to know.
Why not simply write down all your passwords in a .txt file and save it on your sdcard? That would at least have the advantage that you could change your password at some point.
Utini said:
Not really the informative answer I was looking for.
I wouldn't blindly trust a bank app or any of the other countless apps that would use my facial scan.
What happens if your facial scan gets stolen / leaked. Everyone with that information will for ever be able to access your data. And you can't even change your access code like you would be able to with a password.
Isn't the face unlock for that device only? It's not like someone can install your bank app on their phone, somehow use your face unlock information, and spoof you on that device. Also there's still 2 step verification, at least with my bank, so the new app would still need to get the verification code. If anything, it's easier to do with your password because that's something that can be typed in and then somehow get the verification code text.
Sent from my Pixel 4 XL using Tapatalk
Utini said:
Not really the informative answer I was looking for.
I wouldn't blindly trust a bank app or any of the other countless apps that would use my facial scan.
What happens if your facial scan gets stolen / leaked. Everyone with that information will for ever be able to access your data. And you can't even change your access code like you would be able to with a password.
I'm not sure of the question you are asking. It seemed rhetorical to me basically commenting on how you don't think fingerprint, facial or password entry is secure on your app. I don't think any of it is stored in the cloud but nonetheless it's probably not as secure as walking into your bank and transacting with a teller. Even websites probably aren't as secure as you wish they were. So what exactly are you asking that you expect a reply to? You can perhaps check with your bank as to what your liability would be if your account got hacked.
EeZeEpEe said:
Isn't the face unlock for that device only? It's not like someone can install your bank app on their phone, somehow use your face unlock information, and spoof you on that device. Also there's still 2 step verification, at least with my bank, so the new app would still need to get the verification code. If anything, it's easier to do with your password because that's something that can be typed in and then somehow get the verification code text.
Sent from my Pixel 4 XL using Tapatalk
Oh is it? That makes it definitely more secure. But then I would still like to know how it is ensured that my facial scan only works with my specific mobile device and not with any other mobile device.
Yep for banking there is still 2 step verification. Good point. But I was actually thinking more about e.g. KeePass.
bobby janow said:
I'm not sure of the question you are asking. It seemed rhetorical to me basically commenting on how you don't think fingerprint, facial or password entry is secure on your app. I don't think any of it is stored in the cloud but nonetheless it's probably not as secure as walking into your bank and transacting with a teller. Even websites probably aren't as secure as you wish they were. So what exactly are you asking that you expect a reply to? You can perhaps check with your bank as to what your liability would be if your account got hacked.
Maybe I didn't explain my question well enough. I will try again:
Currently I would unlock e.g. my KeePass Database with a password.
In the future I would use my facial scan for that.
I wonder at what point my facial scan will access my password of the KeePass Database, because it somehow has to know my password in order to unlock KeePass?
And in that case my password suddenly isn't saved only in my head anymore but also within android or another app (because Face Unlock has to somehow know it?).
Or will my KeePass database get a second "password" which is my facial scan data?
In that case I want to make sure that my facial scan is very secure and can't be stolen. Because if it turns up in smth like "haveibeenpwnd.com" everyone will forever be able to access all my files with my leaked facial scan which I cannot even change to something different anymore.
Utini said:
Maybe I didn't explain my question well enough. I will try again:
Currently I would unlock e.g. my KeePass Database with a password.
In the future I would use my facial scan for that.
I wonder at what point my facial scan will access my password of the KeePass Database, because it somehow has to know my password in order to unlock KeePass?
And in that case my password suddenly isn't saved only in my head anymore but also within android or another app (because Face Unlock has to somehow know it?).
Or will my KeePass database get a second "password" which is my facial scan data?
In that case I want to make sure that my facial scan is very secure and can't be stolen. Because if it turns up in smth like "haveibeenpwnd.com" everyone will forever be able to access all my files with my leaked facial scan which I cannot even change to something different anymore.
I used LastPass and I think it's not different than when I died the fingerprint option for it. There's a master password for the account and biometric login is, again, just for the individual device. And again, there's 2 step verification at least with LastPass, for whenever you set up.
Sent from my Pixel 4 XL using Tapatalk
EeZeEpEe said:
I used LastPass and I think it's not different than when I died the fingerprint option for it. There's a master password for the account and biometric login is, again, just for the individual device. And again, there's 2 step verification at least with LastPass, for whenever you set up.
Sent from my Pixel 4 XL using Tapatalk
Sounds interesting and secure. Now I am interested in how it is ensured that my fingerprint / facial scan will only work with my specific mobile device and that the stolen data from my device can't be used from another device
Utini said:
Oh is it? That makes it definitely more secure. But then I would still like to know how it is ensured that my facial scan only works with my specific mobile device and not with any other mobile device.
Yep for banking there is still 2 step verification. Good point. But I was actually thinking more about e.g. KeePass.
Maybe I didn't explain my question well enough. I will try again:
Currently I would unlock e.g. my KeePass Database with a password.
In the future I would use my facial scan for that.
I wonder at what point my facial scan will access my password of the KeePass Database, because it somehow has to know my password in order to unlock KeePass?
And in that case my password suddenly isn't saved only in my head anymore but also within android or another app (because Face Unlock has to somehow know it?).
Or will my KeePass database get a second "password" which is my facial scan data?
In that case I want to make sure that my facial scan is very secure and can't be stolen. Because if it turns up in smth like "haveibeenpwnd.com" everyone will forever be able to access all my files with my leaked facial scan which I cannot even change to something different anymore.
Oh I see now. This really has more to do with your password manager than the bank. Unfortunately, I don't use a PM even though I suppose I should. Everyone says it's pretty secure. Since I don't really know what I'm talking about at this point I'll give it a shot anyway. lol
I don't think the facial scan or the fingerprint scan is saved anywhere other than your device. But I do use fingerprint (or did) scans on my banking app. If I change my password on the banking site my fingerprint scan will no longer work on the app. I would first have to change my password on the app and then reregister my fingerprint when the new password is entered. Can we compare it to the face scan at this point? I mean you can't change your fingerprints either right? Before I go on, am I reading your concerns correctly?
Utini said:
Sounds interesting and secure. Now I am interested in how it is ensured that my fingerprint / facial scan will only work with my specific mobile device and that the stolen data from my device can't be used from another device
https://support.google.com/pixelphone/answer/9517039?hl=en
Maybe this confirms it? (Attachment 4860867)
Sent from my Pixel 4 XL using Tapatalk
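The "biometric login is just for the individual device" point discussed above, as an added sketch that is not part of any post in this thread and is not KeePass or LastPass code: one common way an Android password manager can offer biometric unlock is to encrypt the master password under a non-exportable Android Keystore key that only works after a biometric match. The alias, function names and prompt texts are hypothetical, and the sketch assumes the androidx.biometric library and a device whose biometric sensor qualifies for crypto-bound authentication.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

private const val ALIAS = "pm_master_wrap_key" // hypothetical alias

// The AES key is generated inside the Android Keystore and cannot be exported.
// The app never sees the face or fingerprint template, only a usable cipher.
fun getOrCreateKey(): SecretKey {
    val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    (ks.getKey(ALIAS, null) as? SecretKey)?.let { return it }
    val spec = KeyGenParameterSpec.Builder(
        ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setUserAuthenticationRequired(true)        // every use needs a biometric match
        .setInvalidatedByBiometricEnrollment(true)  // new face/finger enrolled => key dies
        .build()
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        .apply { init(spec) }.generateKey()
}

// Encrypts the master password after a successful match. Only iv + ciphertext are
// stored; copied to another phone they are useless, because the key stays behind.
fun wrapMasterPassword(activity: FragmentActivity, master: ByteArray,
                       onWrapped: (iv: ByteArray, ciphertext: ByteArray) -> Unit) {
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.ENCRYPT_MODE, getOrCreateKey())
    val prompt = BiometricPrompt(activity, ContextCompat.getMainExecutor(activity),
        object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                val c = result.cryptoObject!!.cipher!!
                val ciphertext = c.doFinal(master)
                onWrapped(c.iv, ciphertext)
            }
        })
    val info = BiometricPrompt.PromptInfo.Builder()
        .setTitle("Enable biometric unlock")
        .setNegativeButtonText("Cancel")
        .build()
    prompt.authenticate(info, BiometricPrompt.CryptoObject(cipher))
}
```

Unlocking later repeats the same prompt with the cipher initialised in DECRYPT_MODE using GCMParameterSpec(128, iv). If the enrolled biometrics have changed, that init throws KeyPermanentlyInvalidatedException and the app has to fall back to asking for the master password.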