Conditions for triggering "PIN required for additional security"



  • As in title, what are the conditions? (fingerprint isn't enough to unlock the device, one needs to enter PIN. I am not talking about the requirement after a re-boot)

    I can't seem to discern a pattern, on some days I get this security warning at least 3 times, and on some days never or maybe once, while the usage pattern seems to be similar.

    Pixel 4a, Android 11



  • This is triggered by the fallback timeout, as stated by https://android.stackexchange.com/users/44325/andrew-t . Android enforces a tiered authentication model backed by the Trusted Execution Environment (TEE) to authenticate the user. Primary tier authentication is your screen lock code, which has the highest level of security and is cryptographically bound to storage encryption. The secondary tier is biometrics and the tertiary tier is Smart Lock's Trusted Devices, which are only available when the device is in the After First Unlock (AFU) state.

    After every 72 hours or 3 consecutive failed biometric authentications (whichever happens first), the TEE falls back to the screen lock code if the biometric sensor is a Class 3 biometric (formerly Strong). For Class 2 (formerly Weak) and Class 1 (formerly Convenience) biometric sensors, the fallback timeout is even smaller, with reduced security features and with an idle timeout constraint. Tertiary tier authentication has the smallest.

    Constraints that reflect the length of time before a biometric falls back to primary authentication

    Smart Lock's Trusted Devices cannot unlock the device. They keep the device unlocked for a maximum of 4 hours. That is, after 4 hours the device will prompt you to use either the screen lock code or biometrics, which then resets the timer for Smart Lock.

    You can also manually trigger the fallback to the screen lock code using the lockdown option in the power menu (enable it in settings), which temporarily disables Smart Lock, biometrics and notifications on the lock screen until the next unlock.

    Note that these features, including lockdown mode (in both Android and iOS), do not increase your data security. They only make it harder for the attacker to spoof weaker lock mechanisms within a time limit. For example, cloning your fingerprint or 3D printing your face has to be done within 72 hours (or 24 hours) from the time of the last primary tier authentication. For these features to work, your device should already be in the After First Unlock state. In this state, the encryption keys that decrypt your storage are already alive. By using custom engineered forensic tools and OS kernel level exploits, your data can still be decrypted without unlocking your screen.

    While such attacks are even harder than spoofing biometrics, they are not impossible. Spyware agencies have been decrypting data from seized devices for a long time, because most of the time the devices they get are in the AFU state. The safest state (but not immune) for the device to be in is the Before First Unlock (BFU) state, in which the TEE waits for primary tier authentication to release the encryption keys, so the attack vector is shifted to exploiting weaknesses in the TEE, which further increases the difficulty of compromising data.


    https://android-developers.googleblog.com/2020/09/lockscreen-and-authentication.html

    https://source.android.com/security/biometric/measure

    After First Unlock: Device has been unlocked once since last reboot.

    Before First Unlock: Device has not been unlocked once since last reboot.
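    To make the policy in the answer above concrete, here is an added simulation (not the original post's code, and not Android's keyguard implementation) of the tiered model with the stated numbers: a Class 3 biometric is accepted only within 72 hours of the last screen-lock-code unlock and fewer than 3 consecutive failures, Smart Lock's Trusted Devices only extend an existing unlock for at most 4 hours, and lockdown forces the screen lock code. The `LockState` class and its method names are assumptions made for this example; the assumption that a successful biometric match resets the consecutive-failure counter is marked in a comment.

```python
from dataclasses import dataclass
from typing import Optional

# Constants taken from the answer: Class 3 (Strong) biometric fallback timeout,
# consecutive biometric failures allowed, and the Smart Lock trusted-device window.
FALLBACK_TIMEOUT_S = 72 * 3600
MAX_FAILED_BIOMETRIC = 3
TRUSTED_DEVICE_WINDOW_S = 4 * 3600


@dataclass
class LockState:
    """Simplified model of the tiered-authentication state (assumed names, not real keyguard code)."""
    last_primary_auth: Optional[float] = None  # None means Before First Unlock (BFU)
    last_user_auth: Optional[float] = None     # last PIN *or* biometric unlock; resets the Smart Lock timer
    failed_biometric: int = 0                  # consecutive failures (assumption: a successful match resets it)
    lockdown: bool = False                     # set via the power-menu Lockdown option

    def primary_required(self, now: float) -> bool:
        """True when only the screen lock code is accepted ("PIN required for additional security")."""
        if self.last_primary_auth is None or self.lockdown:
            return True
        if self.failed_biometric >= MAX_FAILED_BIOMETRIC:
            return True
        return now - self.last_primary_auth >= FALLBACK_TIMEOUT_S

    def unlock_with_primary(self, now: float) -> None:
        """Screen lock code: restarts the 72 h window, clears failures and lockdown."""
        self.last_primary_auth = self.last_user_auth = now
        self.failed_biometric = 0
        self.lockdown = False

    def unlock_with_biometric(self, now: float, sensor_matched: bool) -> bool:
        """Attempt a biometric unlock; returns True if the device unlocked."""
        if self.primary_required(now):
            return False  # keyguard demands the PIN; the sensor is not consulted
        if not sensor_matched:
            self.failed_biometric += 1
            return False
        self.failed_biometric = 0
        self.last_user_auth = now
        return True

    def trusted_device_keeps_unlocked(self, now: float) -> bool:
        """Smart Lock never unlocks; it only extends the last PIN/biometric unlock for up to 4 h."""
        if self.last_user_auth is None or self.primary_required(now):
            return False
        return now - self.last_user_auth < TRUSTED_DEVICE_WINDOW_S
```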



