As far as I found out, this is a “feature” of Android 9, and it happens at least every few days and when rebooting. This is the Android PIN and not the SIM PIN, which can be disabled or enabled.
This is annoying, and I consider the fingerprint secure enough and would disable asking it for a PIN if I knew how. It seems you can only disable any security completely, which I also don’t want to do. It should only be an alternative when the fingerprint does not work for some reason.
I hate forced security, and I also don’t need a PIN for my bank card when going shopping for less than 25 euro.
Any possible workaround / solution? Will this be gone when there is an alternative OS?
The FP3 is encrypted by default, which means on first boot you are required to enter your PIN to unlock. It’s a security feature and as far as I can see not something you can turn off. As a further security feature, if your fingerprint doesn’t match a number of times it will prevent you unlocking using fingerprint until you’ve unlocked by your PIN.
Although you say you’re not required to use a PIN for your bank card, actually new security measures implemented across Europe mean that you must validate purchases through card presentation (i.e. PIN) after spending an accumulated total. And further rules are coming into force which mean there is greater friction with online purchases (such as using PIN or fingerprint within your banking app or using one time codes).
The point I’m making is that security is being tightened up, and it’s something we need to get more used to in general. I’m personally not sure why entering your PIN after reboot would feel too much like a chore (I use fingerprint as my primary method too).
They already implemented that you have to enter a TAN in addition to logging in to your E-Banking once every 90 days (?). But not every 3 days. If it concerns me personally, I would like security to be optional. But looks like I have to live with an increasing number of annoyances, like cookie warnings on every webpage required by law.
However, the requirement of having to enter your PIN (or master password) can be a minus when you’re not able to cover your input or output device (input e.g. touchscreen, keyboard; output e.g. screen).
An adversary can very easily peek behind your shoulder in such a situation, as can a camera. An adversary can also easily construct a fingerprint off your device though, and faceID has been circumvented by paper mache (in a simulation, i.e. with consent of the victim though).
It is a reason why I consider a properly implemented touchID or faceID more secure in some situations.
That being said, the most secure device is the one with no data, and the second most secure one where the disk encryption is locked due to a (re)boot.
If someone is concerned about the phone being stolen/lost and wants extra security, nice. But I definitely don’t want to and will hate this “feature” until there is a way to turn it off. It is also possible to remotely lock it when I find out it is missing.
And good point that someone could see me enter the PIN in public (on public transport would be an especially bad situation). It can come up any time of the day with no warning.
I’m not interested in a further discussion about this, thanks. I’ve heard “that cannot be done for security reasons” too often. At least not a Fairphone specific problem.