Hello everyone, thanks for all the messages. I would like to add to this discussion a bit from our side. I’m Miquel Ballester co-founder and Head of Product of Management and together with the Software Longevity team we work on our software updates.
Let’s start with a quick summary for new readers:
Since the update to Android 13 for Fairphone 3(+), the fingerprint sensor at the back of the device can no longer be used to log into certain apps with higher security requirements, such as some banking and government apps. This is because of updated security requirements for Android 13, which has lowered our sensor’s security certification from Class 3 to Class 2. This is very common as phones become older. After all, software upgrades will always align with the latest tech available in the market. However, there is no need for alarm. A Class 2 certification is still quite strong and will allow your fingerprint sensor to work normally for a multitude of apps. For apps that require a higher security certification for the fingerprint sensor, you can still access them through a PIN or passcode.
We want to again sincerely apologise for the oversight on our part in communicating this issue before. As we said already, we were aware of this issue before starting the roll-out of the latest update, but failed to include it in the release notes the first time.
These are the actions we have taken to minimize the effects:
- Once we realized this, we stopped the rollout of the update on the 11th of July. Only 10% had got the update until then.
- We updated the release notes and published them again.
- We resumed the rollout on the 17th of July
Noticing this is not enough information, on 28th of July:
- We are updating the notification that users see before they accept the download to warn them about this regression.
- We are updating the release notes to provide clearer communications on the regression for people downloading the software update.
One thing to keep in mind is that although biometrics (fingerprint) are more convenient, they are potentially less secure. It’s never as safe as logging in with a strong password, which is an option that remains available for nearly all apps. This is documented in the official documentation of Android, please see here. Android states that:
“in the tiered authentication model, pins, patterns and passwords are primary authentication and they provide the highest level of security. Biometrics are the second tier of authentication and offer security and more convenience”.
Despite the previous statement, some apps only use biometric authentication to login.
The apps that lost access with the fingerprint sensor are exactly those with the highest security requirements (like banking apps), here’s a list of all the apps and their status for fingerprint support (thanks Ingo and to everyone who updated the list). We are sad to lose this convenience feature on those apps, but it is the right thing to do to keep these accounts as secure as possible. You can still access your accounts via login methods that are more secure than using your fingerprint, like passwords.
Every iteration of fingerprint sensors and chipsets makes progress and offers higher and higher levels of security. In our Fairphone 4, we could implement a newer, even more, secure version of fingerprint sensors and chipsets with higher standards of security. This is why we can still offer to log in via the fingerprint sensor on those apps with the Fairphone 4.
While this development is not something we are happy about, please do understand we are trying our very best to future-proof our phones as best as possible. Like the later software updates for Fairphone 2, this is the first upgrade we’ve completed without the support of the chipset provider and that comes with its own set of teething problems. With our unique approach to software, we are challenging the industry every day, going way beyond what our other brands and partners are doing.
This way of challenging the industry standard comes with risks and regressions that are sometimes beyond our control. Sometimes, like on this occasion, we reach a hard limit that isn’t resolvable from the technical side. Despite this major regression in Android 13 for Fairphone 3, our users get much more from us than they would get from any comparable device on the market of similar hardware and age, as we are already offering software updates since its launch in 2019.
Having said that, we would like to profusely apologize once again for not communicating this clearly in the release notes. We should have been more proactive in letting you know about this development and it is something we will be more actively concerned with in the future.
I hope this answers your questions. And thanks all for being so engaged in the conversation.
Miquel
In case it helps, here we include as well some FAQs:
What exactly is causing the issue with the fingerprint sensor?
Due to updated test requirements, Fairphone 3’s fingerprint sensor is now certified at a lower security standard, according to Android’s security requirements. We cannot get an updated firmware from the fingerprint sensor supplier, in order to increase the level again. Android biometrics security requirements are continuously increasing to stay aligned with latest research in the field, for example on reproducing someone else’s fingerprint to log into their device and apps.
Could Fairphone have prevented this?
We could have written the explanation proactively for the end users.
We are also having conversations with all our software and hardware suppliers to get their support for a longer time for our more recent products. On Fairphone 3, unfortunately, the manufacturer declined to offer us long-term commitment for firmware support.
Why wasn’t this issue included in the release notes?
We were aware of this issue before beginning the roll-out of the latest update, but failed to include it in the release notes. This is a major oversight and should not have happened. We realize that we need to be more proactive about how to communicate and present known issues/regressions and potential workarounds before releasing updates to the public.
That said, this only affects apps with higher security requirements, like banking apps. In general, you can keep using the fingerprint sensor normally.
If Fairphone was aware of this, why did you choose to release the update, anyways?
Some workarounds could be put in place, see the section “What do do for the affected users?”. This is not convenient for the users using the fingerprint sensor with some apps, but they can still use those apps, unlocking them via PIN/password. In this case, we prioritize continuing software support despite losing this feature.
If the fingerprint sensor is certified as “weak”, does this mean it is not safe to use / wasn’t safe to use before the Android update?
Android security requirements changed with Android 13, which require changes in the firmware of the fingerprint sensor. Because of the lack of this firmware update, the fingerprint sensor could not be qualified “Strong” anymore and “Strong” could be a prerequisite for some apps to use it, like the banking apps. Weak is one of the categories of the Android Compatibility Definition Document (CDD) which evaluates the security of a biometric implementation. The Biometric Class “weak” (called class 2) now is considered “secure” but not secured as the Strong level, see the Android specification (the table below describes each class for new Android devices). Biometric security is classified using the results from the architectural security and spoofability tests. A biometric implementation can be classified as either Class 3 (formerly Strong), Class 2, (formerly Weak), or Class 1 (formerly Convenience).
Will I no longer be able to access my banking app / other apps that I usually use the biometric login for?
All apps that offer biometric login also offer the option to login using your password or pin code. This issue, therefore, does not mean you will not be able to access your apps at all.
(When) will you fix this? Is there a workaround?
Fix not, workaround yes: Affected apps can still be unlocked via PIN/password, which is by default configured as a fallback option in any context that makes use of the fingerprint sensor.
(How) can I go back to Android 11 to get the functionality of the fingerprint sensor back?
Going back to Android 11 will not solve this issue: Android 11 will eventually run out of security support. Apps with high-security requirements won’t work anymore at that point – these will be more or less the same apps that require strong fingerprint security. As a temporary workaround, it is, however, possible to go back to Android 11. Please see https://support.fairphone.com/hc/en-us/articles/360048050332 for instructions on how to manually install older Android versions.
Will the fingerprint sensor on the Fairphone 4 stop working as well, once the Fairphone 4 receives the Android 13 update?
No, as the fingerprint manufacturer for the Fairphone 4 didn’t drop the support. We’re also already preparing now to avoid similar situations for Fairphone 4 as much as possible.
I use another alternative operating system on my Fairphone 3/3+. Will this issue affect me as well?
Yes. Alternative operating systems all use the same fingerprint firmware as our official software, since there is no alternative or open source firmware available for Fairphone 3’s sensor. Therefore, in terms of fingerprint detection and spoofing security (reproducing someone else’s fingerprint), other systems will be as secure as our official one.