Starting with Cryptomator for Android version 1.5.8 we support in addition to “Fingerprint” other biometric authentication mechanisms like face unlock using the Biometric authentication library of Android .
Hello! I just wanted to say that I am not sure how exactly you plan to implement this feature but biometrics are generally the equivalent of usernames, not passwords that should unlock stuff. Using biometrics (i.e. face, iris, fingerprints etc, that are literally public info) to unlock stuff is something that has been incorrectly implemented many times in the early days of this technology.
Of course there are still valid use cases of using biometrics as passwords in certain situations e.g. where people are very likely to use a very weak password. In those cases using biometrics as password might be a better solution because despite being public info biometrics are relatively harder to fake or steal than to break a very weak password. I do not think the cryptomator userbase is that kind of userbase (at least I hope not!), I think they are probably using strong passwords.
But I have to admit that using strong passwords on mobile might be hard unless someone is using NFC-capable hardware keys and password managers, so biometrics is a convenient solution there. But please note that the correct implementation might be e.g. in combination with some kind of anti-coercion PIN. Keep in mind that you can be legally forced to provide your biometrics to unlock stuff, e.g. at airports or anywhere else (with severe consequences if you don’t), but you cannot be legally forced to provide your passwords (not sure about PINs but I assume they fall under the password category).
Another excellent way to use biometrics is as support of a much stronger protection feature that has disadvantages in specific circumstances. E.g. imagine using hardware keys in your secure private space without a PIN on the device: it can protect you from hackers on the internet but cannot protect you from an “evil maid” scenario that can use your hardware key to login. There a combination of biometrics and a hardware key is both a great convenience and probably even more secure than just a PIN.
Anyway, I am neither a security or legal expert so please correct me if I am wrong or if my comments are not applicable to your planned implementation. In any case I would recommend adding a message with some basic info when someone tries to set up biometrics to unlock their vaults.
You’re not wrong. Using biometric authentication means storing the actual key on the device. It is merely a convenienve feature, if you trust your device, certainly not a replacement for strong passwords.
It may vary what you use Cryptomator for. It will still offer the same level of protection in case of cloud data breaches. But of course you’re right about the “airport” scenario.
We will of course implement this as an optional feature and give our users the option to enable it per vault.
In my opinion, the main question is what kind of security target you have or you want to fulfill using Cryptomator, in this case especially Cryptomator for Android. Every user can only answer this question for him/herself and can then decide if a feature like biometric authentication violates this target or not.
It depends on the country you are in. In Germany, for example, it is not allowed to force you to unlock your smartphone with your finger or face. In other countries it is quite different.
We’re planning to support hardware keys in the future but it will take some time until it will be available.
Yes we’ll discuss this. I think it should be already clear what the consequences is for the user when enabling this feature, that e.g. someone using your finger/face can unlock the vault when you enabled it before but we will discuss this, thanks for this point.
We will also think about optionally using the last x characters of the vault password in addition to the fingertip/face, that would indeed increase the security.
As @overheadhunter already mentions, for some users this decreases the security target. We try to store each vault password in a secure way by creating a key, storing this key in the keystore and using this key to encrypt/decrypt the stored vault password. Furthermore this key can only be accessed using Cryptomator for Android and after authenticating against the operating system. But as discussed it doesn’t protect against forcing you to unlock the vault by using your finger or face.
To answer the question for myself: I personally would not store any data related to my fingerprint or face in my phone even when I’m using GrapheneOS without any Play Services and even when in Germany officials aren’t allowed to force me to unlock the phone using my fingertip or face. Entering a (in my case >=10 character) password on every unlock of the phone sucks and that’s imo one of the reasons why a lot of people define other security targets than I do. To unlock vaults I use a password manager together with the keyboard of the password manager.