The “Digitales Amt” app, which is necessary for citizens in Austria, works exclusively biometrically. It is necessary in order to submit applications and communicate with authorities. Therefore, the phone is now worthless. You admit that your supplier did not inform you in time. This is your legal issue. So what to do? Throw away the sustainable Fairphone? As a result of the violation of the duty to warn, better find a solution or at least make an offer.
So you feel any possible commitment oft your supplier to provide an Firmware Update once?
As we explained in the post, that app does not follow the recommendations of Google. By only allowing to use biometrics, it is closing the door to other more safe ways of logging in, like a password. I hope you will continue to enjoy you phone for other uses for a long time. We will keep providing software updates, beyond any other brand in the industry. Thanks
We have been trying for months now. Unfortunately, one of the bottlenecks in the industry, as component manufacturers are not used to provide long term commitments. Sometimes our drive for longevity wins, but sometimes it doesn’t. I hope for your continued support, thanks for engaging in the conversation.
If you are referring to whether LineageOS, for example, now also classifies the fingerprint sensor as Class 2: No, it doesn’t. LineageOS has reverted the commit that would implement this security check:
According to this post this isn’t true for LineageOS and, most importantly, they intend to keep it this way. Has there been any changes on that side which haven’t been posted by the LineageOS’ team?
Thank you for your statement. While I would have liked for it to be available sooner, I understand that stuff like this needs to be coordinated.
I have a few remarks and questions, though.
Where in the post did you explain this? Found it now, thanks to AnotherElk. However, this part:
I don’t use the “Digitales Amt” app, but those statements seem to contradict each other – it seems that not all apps that offer biometric login also offer the option to login using your password or pin code. You might want to clarify that.
Also, the following is a bit misleading in my opinion:
While it is true that the firmware of the fingerprint sensor is the same and therefore not more or less secure as on stock OS, this isn’t really what the question is about – the question asks if Custom ROMs will have the same problem in Android 13, and the answer, at least for Lineage OS, is no. Your answer sounds different.
Last but not least: Android 11 still isn’t EOL for at least a few months, I think. For those users that want to stay on Android 11, are you planning on providing security patches for Android 11 until the EOL date?
Thanks,I was not aware. We will update the post.
Hi there, thanks a lot for your response. I understand, that it is difficult for Fairphone to provide all the updates and solve all the problems. I also think that the biometric thing isn’t secure and that passwords etc. would be much better. But there is nothing I can do about it, when I need it for “Digitales Amt” in Austria which I need for work as I work for a tax consultant. When there is no solution, is there at least a possibility that we get a discount if we have to order a Fairphone 4 and change the phone because of this issue? Are there plans for a Fairphone 5? And another question I have:: Is there a way that you can still suppport Android 11 for those who can’t install Android 13 because of the fingerprint issue? At least for a while? My fairphone tells me daily that I have to update the software.
I understand your situation, but still I ask you to also understand our situation, I bought my FP 3 in 2021 and it makes me sad that I probably can’t keep it any longer. And to buy a Fairphone 4 for more than 500 EUR, not knowing if I can still use it in 2 or 3 years … this may force me to switch to another smartphone brand, which also is able to handle “facial recognition” for example. It’s not that I am fond of these things (this biometric stuff) but if our authorities in Austria or some banks force us to use this stuff, we have no other chance.
Thanks for your understanding and sorry for my not so good English.
Best regards from Austria,
It was reported here that the authorities in Austria indeed offer legacy means of getting things done. Yes, this might be inconvenient in comparison, but nobody is forced to use the App.
And banks forcing App usage onto customers is an unacceptable practice, customers swallowing this are voluntarily sitting in a cage. Offering Apps is fine, forcing Apps without keeping alternative channels open is not.
(I once terminated a bank account myself the moment a bank wanted to force me to use an App. Given, it was not my primary bank back then, but I wouldn’t hesitate much if it was my primary bank either.)
Forcing biometry without alternatives is bad App design, as described.
Thanks, you’re right. I must have overlooked that part. Editing my post.
In the assessments which were made, what disqualified offering a swap of the fingerprint hardware for a more secure one (at least regarding Google’s classification) as a fix?
I have just sent an e-mail to a-trust (Digitales Amt), hoping that I will get a reply next week. As I’ve said I need this stuff for work, that’s why I am “forced” to use this App. If it would only be for private reasons, it would be less annoying.
Please don’t get me wrong here – I have supported LineageOS and other custom ROMs for a long time and wish them to succeed and gain popularity and users –, but I’m reading this with a bit of disbelief. Does this mean that apps like Digitales Amt will just “swallow” any custom ROM’s “thumbsup” when it comes to trusting a fingerprint sensor?
Again, I really want that custom ROMs can replace Google’s downrating of the FP3 fingerprint sensor and thus keep its functionality for all apps that used to work with it before … but can it really be so easy?
It sounds a bit hacky, to be honest, but the original “degradation” of the sensor was done in a completely software way too. In the end, the OS is in control of the machine (whatever the OS and the machine are), so an app can either trust it or trust it (which is why some apps refuse to work if they detect rooting or other stuff which could change the default OS behavior for critical stuff).
At least all my banking apps have been working flawlessly with the fingerprint sensor on Android 13 (iodéOS) for months. (ABS, Airlock 2FA TWINT, PayPal)…
I just tried Digitaes Amt. However, it doesn’t like my rooted phone as soon as I try to log in.
Maybe someone can try it without rooted FP3 on LOS/iodéOS/etc.?
Hi, I want to delay upgrading to AOS 13 as long as I can - is it possible to block the daily upgrade notification, it gets quite tiresome!
Seriously, the problem is not the fingerprint sensor (okay it is). The problem is that you decided to roll out this update. 95% of all user will not read this notes, because they trust you and I absolutely disagree with the assessment, that this is a small inconvenience or a low key issue. Convenience is key, at least for anything security related. Using the fingerprint sensor 100 times a day is something totally different as to enter a strong passwort 100 times a day (especially if you do not reuse passwords and use special characters).
As long as the password is exclusivly to your phone and can not be used to access your account via other means, a weaker password is not too problematic. Often this is not the case and the same credentials are used for all ways of accessing(webbrowser, pc-app,…) the account. Entering once or twice a day a random 20 character password with special characters is acceptable, doing it 10, 20 or 50 times a day (especially using a smartphone) will definitly result in password reuse and short passwords and that will decrease security.
In this discussion someone said that while being in a crowd he feels safer using the fingerprint sensor instead of the pin and he is not wrong. While in general the pin is more secure than the fingerprint, this is only true as long as the person did not see you entering the pin. If you have some experience, you can pretty accurately guess the pin.
In a lab environment not using the fingerprint sensor might be more secure. In real life with real user I have to heavily disagree with this assessment.
You rolled out an update that made at least some critical app unusable and reduces security in a real life environment. This is unacceptable.
Yes, the app should have a fallback to pin-code, but you never ever expect others to follow the guidelines. I am software developer and you simply do not do this. It will cause problems in 99.99999%. Thats like driving a car and expecting everyone to follow the rules, no exceptions. This will definitly result in an accident and you are at least partially responsable.
I do not blame you for the issue with the fringerprint sensor itself, but I blame you for the way you handled this issue. I also do not like that my FP3 told me, just a couple of minutes ago, to install the update, my FP3 would work perfectly fine with the update. If you did not solve the problem with the fingerprint sensor in the last couple of minutes (and i highly doubt that), than NO it would not. There is a known issue with the update and my FP3 literally lies to me.
By the way, my wife smartphone is a Huawei, the last generation that recieves Andriod updates. It is older and cheaper than my FP3 and its fingerprint sensor works perfectly.
So i can not really agree with: our users get much more from us than they would get from any comparable device on the market of similar hardware and age
This might be a special case but at the moment i can only agree with: You are most likely not worse than your competitors in general.
This is your third smartphone and you already failed your target of longevity. I personally find that very disappointing, because longevity was the most important fact for me buying a FP3.
Just to clarify what we talk about when mentioning “legacy” options.
It means getting an appointment weeks ahead of time, travelling in the best half an hour to an office (usually between 0800 and 1200), waiting for a bit (an hour or so), then filing stuff in person. Alternatively you might be able to mail it using the postal service, if you are able to find a post box, which itself is emptied every two days.
There was an option till about two years ago I want to say where you could use the old app which just sent you an OTP. But that was discontinued and replaced for everyone using the app. And reverting to this version is not possible.
Also some functions are not possible in person like checking the current status of your filing.
But I agree that forcing an app is not a great idea, especially in a country which is relatively old. Not the country itself but the population.
Forcing stuff is never a good idea. It does not matter if it is an app or some other thing.
@jedesnal Thank you for inquiring with a-trust. This is very much appreciated.