Read the post which will tell you: No it will most likely not
We know there will never be a solution, but that doesn’t mean this issue has been solved. Marking this thread as solved is misleading.
No, it's not, as this is the solution as it is, and so everyone can find the respective post easily.
Quick but important note about this link: This is not a FIDO2 key that is compatible with ID Austria. Only FIDO2 Level 2 certified keys are. To find out which devices fulfill this requirement you can check for compliance on the FIDO Alliance's website. There you can filter the database of certified products for 'FIDO2' and 'Authenticator Level 2'. Also there's a list of currently supported devices in the ID-Austria FAQ that should be updated at regular intervals. Once additional keys that support WebAuthn and are FIDO2 Level 2 certified appear on the market, they will be added to the list of supported security tokens.
Today Fairphone launches FP5. It is all about being sustainable and accountable, but at the same time owners of FP3 have just been made to buy new phones because FP just pushed a faulty update our way and then just abandoned ship. Do you really think this will make me buy a new FP model??? How is that any different from Apple, Samsung, Google?? VERY DISAPPOINTING
As already explained here by Fairphone, Google has raised the security standard for fingerprint readers with Android 12 and higher. Nothing Fairphone can do about it if they want to ship their FP3 updates with Google Play Services.
And sadly, the fingerprint vendor has no interest in upgrading their closed-source/proprietary firmware for this fingerprint reader.
But of course you can still use your FP3 - apart from the Austrian government app Digitales Amt, which has taken a terrible security flow decision by only allowing biometric unlock mechanisms…
And there are also other OSes for the FP3 which didn't implement those higher security standards (only possible because they don't rely on Google certifications…)
And in addition, Fairphone even offers Android 11 updates until Google stops providing them (early 2024). But for that, you have to downgrade your FP3 if you’re already on Android 13.
But take a look here:
So you think it is ok to push an update to my FP3 and now I can't use banking apps and the Austrian Digitales Amt (which I need multiple times weekly) and all of a sudden it is Google's fault? That is a cop-out and looks a lot like a veiled reason to sell your newest phone, which is getting more expensive with every edition. Your promise of support for years doesn't sound very convincing if you have just conveniently forgotten to tell your clients about the downside of updating. Do I have time or energy to completely re-install my phone to a lower version? NO, because I had a perfectly working phone and Fairphone broke it. Trust is easily broken and I don't feel I can trust this company anymore.
You should at least give something back. For example the option to get a new - functioning - fingerprint module to retro-fit into my FP3.
If I followed the Fingerprintgate well, only people living in Austria cannot use a very important app: Digitales Amt. If Fairphone had wanted to "force" FP3 owners to buy the FP5, I think they would have created such a problem for most of the FP3 users and not only for a small proportion of them.
In my opinion, people should use Occam's razor more and stop seeing complots everywhere.
No, that was not ok at all and Fairphone admitted that too. But it already happened and they can not undo it.
I very much doubt that. They made a lot of FP3 users understandably angry and I can't imagine they did that on purpose, don't you think?
And since they are offering Android 11 updates until the very end, there are even less reasons to buy a FP5 if FP3 users are still happy with their device in general.
And once again: It was not a decision made by Fairphone to raise the security standards for fingerprint readers. It was a decision made by Google.
Fairphone made a huge mistake by delivering the Android 13 upgrade without thinking about the consequences this might have.
I don’t promise everything at all
Fairphone does. And they managed until now to deliver upgrades and updates even longer than they promised in the beginning, e.g. for the FP2. I have no doubt they are able to deliver updates for FP5 until 2031 as promised - especially since the new Qualcomm SoC has long-term support, which is a huge advantage.
Please read the post I have linked above. It's explained there why - sadly it's not really possible in today's industry for Fairphone…
Well, in the first place Digitales Amt has a very bad/broken security flow which is discouraged by Google itself. There are almost no other apps which only support biometric unlocking mechanisms (which are also, from a security standpoint, not secure at all)
But as mentioned in the linked post above, there are still possibilities to log in to Digitales Amt by using a hardware key
I agree that this could be solved better, but I am under the impression that some people misunderstand what this app does:
- You use this app to perform official government functions in Austria or sign something digitally in a way that is binding by law. For signing anything with your private certificate you use your username and signature key first.
- Before something can be signed with your official private certificate, you must then use the App DigitalesAmt as a second factor. For this you have to use biometric data. Only then will the requested action actually be performed. This is where the ‘fingerprint only’ part comes into play.
- Even if you perform any action in the App directly you still need your signature key as well.
I guess the developers (or officials making the security policy) thought that if both factors were using freely choosable passwords, the risk that a user would use (almost) the same stupid password for both would be too high. And honestly - that reasoning is somewhat realistic after all. Whether an app on a smartphone should be used as a second factor for such a thing in the first place is a different discussion altogether.
Also for those who care more about security the second factor can also be a YubiKey. Not being able to use the other functionality of the App however would still be very inconvenient on mobile, as the web portals are not exactly made for mobile use. So to perform some official action online or make a digital signature compliant with EU regulations as well as the Austrian signature law ('Signaturgesetz'), you will effectively need to use a different device in such a scenario.
This is the reason why Fairphone will improve the mainline effort. Until they run proprietary software there will always be programmed obsolescence.
To be honest it would be great if the YubiKey could be used as a second factor in addition to the password on mobile.
This would hit two birds with one stone. Firstly it would resolve the reliance on biometrics and also resolve a possible issue older people might have with biometrics as well.
Please feel free to correct me if I am wrong about the YubiKey being usable as second factor on mobile.
But that discussion is quite far off topic even if it is interesting to discuss and speculate.
2 posts were split to a new topic: Fingerprint not able to unlock on A13 with parental control
How to stop the Android 13 update when it was paused
The Fairphone team had the great idea to push the update with a popup instead of a push notification. I thought this update was a Google Play update regarding the app I was using in that moment and quickly clicked “update”.
The Android update was paused because I have the battery saving mode switched on. I do not want to update to Android 13!
How can I cancel the ongoing update? It didn't start to download anything nor install anything.
Thanks for your help
I was wondering if the 'issue' (rather: fix by Google in Android 13) is related to this research, Arxiv: BRUTEPRINT: Expose Smartphone Fingerprint Authentication to Brute-force Attack, which was mentioned e.g. here: Chinese onderzoekers bruteforcen vingerafdrukscanner Android-smartphones - Tablets en telefoons - Nieuws - Tweakers. Anyone know?
Well, it appears Google has lowered the security rating for the fingerprint sensor used in the FP3 with the release of Android 13 - the initial release of which predates the arXiv upload date of the paper you linked by several months.
That being said, I would not consider it absurd that Google had prior knowledge of this attack and took this into consideration when changing their security requirements. Especially when considering that the bounds on the FRR and the FAR required for security level 2 (which the sensor is rated at now) are the same as those required for security level 3 (which the sensor was rated at before). They only differ in the requirement for its SAR (which also poses a lower bound on its IAR). After all, the SAR/IAR are the best generalized indicators we have to express how vulnerable a fingerprint sensor is to brute-force attacks in general.
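To make the rating discussion above concrete, here is an added example (my own code, not from this thread, Fairphone or Google) that classifies a fingerprint sensor into an Android biometric class from its error rates, and shows how a sensor can keep identical FAR/FRR figures yet drop from the strong class to the weak class on SAR alone. The thresholds are my reading of the Android CDD biometric requirements (Class 3 "Strong" SAR ≤ 7%, Class 2 "Weak" SAR ≤ 20%, FAR ≤ 1/50000 and FRR ≤ 10% for both); treat them as assumptions and check them against the CDD version you care about. The class numbering follows the CDD, so "security level 3/2" in the post maps to Class 3/2 here. The Wilson bound helper is added to show that a small spoof test with zero observed acceptances does not establish a low SAR.

```python
"""Classify a fingerprint sensor by Android biometric class (added example).

Thresholds below are assumptions taken from my reading of the Android CDD;
verify them against the CDD revision that applies to your device.
"""
from dataclasses import dataclass
from math import sqrt

# Assumed CDD bounds, expressed as fractions rather than percent.
FAR_MAX = 1 / 50_000          # false acceptance rate, same for Class 3 and Class 2
FRR_MAX = 0.10                # false rejection rate, same for Class 3 and Class 2
SAR_MAX = {3: 0.07, 2: 0.20}  # spoof acceptance rate: Class 3 (Strong), Class 2 (Weak)


@dataclass(frozen=True)
class SensorRates:
    """Measured error rates of one sensor, as fractions in [0, 1]."""
    far: float
    frr: float
    sar: float


def classify(rates: SensorRates) -> int:
    """Return the highest class the rates satisfy.

    3 = Strong, 2 = Weak, 1 = Convenience (FAR/FRR met but SAR above the
    Class 2 bound), 0 = FAR or FRR bound not met at all.
    """
    if rates.far > FAR_MAX or rates.frr > FRR_MAX:
        return 0
    if rates.sar <= SAR_MAX[3]:
        return 3
    if rates.sar <= SAR_MAX[2]:
        return 2
    return 1


def wilson_upper(successes: int, trials: int, z: float = 1.96) -> float:
    """Upper end of the Wilson score interval for a binomial proportion.

    With zero observed spoof acceptances this reduces to z^2 / (n + z^2), so
    the bound only falls below the Class 3 limit once enough trials were run.
    """
    if trials <= 0:
        raise ValueError("trials must be positive")
    p = successes / trials
    denom = 1 + z * z / trials
    centre = p + z * z / (2 * trials)
    spread = z * sqrt(p * (1 - p) / trials + z * z / (4 * trials * trials))
    return min(1.0, (centre + spread) / denom)


def class_from_spoof_trial(accepted: int, trials: int, far: float, frr: float) -> int:
    """Classify using the 95% upper bound on SAR from a spoof trial, not the point estimate."""
    return classify(SensorRates(far=far, frr=frr, sar=wilson_upper(accepted, trials)))


if __name__ == "__main__":
    # Constructed sample sensors: identical FAR/FRR, only SAR differs.
    before = SensorRates(far=1 / 60_000, frr=0.05, sar=0.05)
    after = SensorRates(far=1 / 60_000, frr=0.05, sar=0.12)
    print("same FAR/FRR, SAR 5%  ->", classify(before))   # 3
    print("same FAR/FRR, SAR 12% ->", classify(after))    # 2
    for n in (10, 20, 50, 60):
        print(f"0 of {n} spoofs accepted -> upper SAR {wilson_upper(0, n):.3f}, "
              f"class {class_from_spoof_trial(0, n, before.far, before.frr)}")
```

The point of the Wilson helper is evaluation hygiene: a sensor that accepted none of ten presented spoofs still has a 95% upper SAR bound near 28%, which does not even reach Class 2, whereas about sixty clean trials are needed before the bound drops under the Class 3 limit.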
3 posts were split to a new topic: Downgrade from A13 to A11
From another thread:
Perfect. Thanks. Hope that prevents it from upgrading!
Gosh, I really wish I had gotten some information about this problem before I was offered the update. Fairphone regularly sends me e-mails to ask what I think about their device, but informing me about this crucial problem was unfortunately not on their radar it seems. Very annoying situation.