Add PIN/fingerprint unlock option to increase security #545

Open
IOI-655321 opened this issue Aug 22, 2018 · 11 comments


@IOI-655321 IOI-655321 commented Aug 22, 2018

On the new Android/iOS apps can the option be added to allow a PIN/Fingerprint login to access the app once you save your main login on the device?

This just gives an extra layer of security without requiring full login/2FA authentication every time.

Lots of other apps support this including ProtonMail.

Contributor

@charlag charlag commented Aug 22, 2018

@IOI-655321 this is possible but would require some work. There may even be an issue about this already.

@armhub armhub removed the improvement label Dec 6, 2018
@armhub armhub changed the title [Feature Request] Add PIN/Fingerprint login option for added to security Add PIN/Fingerprint login option for added to security Dec 6, 2018
@armhub armhub changed the title Add PIN/Fingerprint login option for added to security Add PIN/fingerprint unlock option to increase security Dec 11, 2018
@armhub armhub added this to the Roadmap milestone Dec 11, 2018
@charlag charlag added this to In Progress in Roadmap Project Jan 30, 2019
@charlag charlag moved this from In Progress to Planned in Roadmap Project Jan 30, 2019

@unrockbar unrockbar commented Nov 26, 2019

Any news on this feature? I am currently using ProtonMail but I intend to switch over to Tutanota. This is the second TOP feature in my opinion that needs to be released soon ;-)


@psmike2g psmike2g commented Jan 17, 2020

Yes, this function is needed.


@papko26 papko26 commented Feb 8, 2020

Really, guys, there is totally no point in encryption at all if the user has no opportunity to set up a PIN or at least fingerprint protection on the app.
Switched to Tutanota from ProtonMail recently, and really looking forward to seeing that feature!


@MisterY MisterY commented Feb 18, 2020

> Really, guys, there is totally no point in encryption at all, if user has no opportunity to set up pin or at least fingerprint protection on app.

That is a very debatable point, considering that the operating system allows encrypting the device storage and securing the device with a few different options, including the fingerprint and a PIN code.

@charlag charlag mentioned this issue Feb 21, 2020

@IPv777 IPv777 commented Jul 14, 2020

Hello :) Any news about this feature? Yes, I too think we really need this...


@beerisgood beerisgood commented Oct 23, 2020

Under Android, the Keystore system can be used for secure fingerprint usage.


@stevengliebe stevengliebe commented Oct 30, 2020

I'd sure like this. Not comfortable using email on mobile without fingerprint. Makes a lot of sense for a security-focused product. I prefer Tutanota overall but do like how ProtonMail uses Touch ID on iOS.


@DanielRuf DanielRuf commented Nov 30, 2020

Some personal opinion here from the security perspective.

Fingerprints (like any other biometric data) themselves are not secure, as you leave them everywhere, they are easy to fake / duplicate, and you will have to store them in your passport in the future (databases of the government and so on). Anyone can retrieve most of this biometric data without applying any force, which is not the case for PIN codes and passwords that only you know and that no one can see in plain sight like your fingers, eyes, face and so on.

Technically FIDO2 / UDF based (hardware) tokens are generally safer, and also PIN codes (master password algorithm for example).

See also
https://www.google.com/search?q=ccc+fingerprint+hack
https://www.google.com/search?q=biometric+database+leak
https://www.forbes.com/sites/daveywinder/2019/11/02/smartphone-security-alert-as-hackers-claim-any-fingerprint-lock-broken-in-20-minutes/
https://srlabs.de/bites/spoofing-fingerprints/
https://theconversation.com/fingerprint-and-face-scanners-arent-as-secure-as-we-think-they-are-112414

It's basically often comfort vs security.


@snaggen snaggen commented Nov 30, 2020

With security, you must ask if you are protecting against a targeted threat or a general threat.
Biometrics is, as you point out, quite bad for security. Especially since it cannot be revoked after it has been compromised.
What it does, though, is add a thin protection layer that actually forces an attacker to spend a few hours to extract and generate a fake fingerprint. Hence, it is probably sufficient protection against someone that just finds your phone, or some prying spouse / parent / aso.
And it is very convenient.


@beerisgood beerisgood commented Nov 30, 2020

Also, biometrics protect against someone watching you type the PIN / password.
A normal attacker doesn't have time for hacking with biometrics or a strong PIN / password.

@tutao tutao locked and limited conversation to collaborators Dec 1, 2020