Latest release of GrapheneOS finally shipped the long-awaited duress PIN/password implementation. If you have a spare device, we recommend trying it out.
We’ve added initial documentation to the features page:
https://grapheneos.org/features#duress
It near instantly wipes and shuts down.
We’ve also finally added documentation on our USB-C port control to our features page:
https://grapheneos.org/features#usb-c-port-control
Most users can set this to “Charging-only when locked” without a loss of functionality or even “Charging-only” if you don’t use USB accessories, DisplayPort or MTP.
Default is “Charging-only when locked, except before first unlock” to avoid locking users out of devices with a broken touchscreen. The main threat model for this is defending the device until the auto-reboot timer started when the screen is locked gets user data back at rest.
Our upcoming 2-factor fingerprint unlock will make using a strong passphrase as primary unlock method practical via fingerprint+PIN secondary unlock instead of fingerprint-only. Great for people who want to avoid relying on secure element throttling but don’t want fp-only unlock.
The pin+fingerprint is super intriguing and exactly what I’ve been wanting for a while. I am curious about the range of options though. Could you use a pattern with fingerprint? Also, could you have a duress pin+fingerprint in addition to a duress password?
If I read the release notes correctly, I think that’s the case. The Duress mode requires setting both a Duress pin and a Duress password (I think it’s) so that no matter the current sign in options, Duress mode is still available.
That is correct. During setup, you’re prompted for both password and pin, which allows use with pin or password prompts.
Use the duress pin feature along with Phone Lock app, which disables biometric login for next unlock on sudden gyro movement shock. Thus, entering into pin/password only mode, where duress feature can be used easily.
Last time I checked, that app uses accessibility services, which are not recommended by the GOS project, as accessibility services greatly increase attack surface if any app using these services is compromised.
They are planning to have a second unlock method for After First Unlock in the future.