Feature suggestion: PIN to unlock vault on mobile app (alternative to fingerprint approach)

As we know, the master password is very clunky on mobile devices due to its length, the small keys on mobile, and swiping being disabled during password entry. The Cryptomator mobile app (at least on Android) provides a great alternative, biometrics (typically fingerprint), to unlock. That’s great, but maybe not ideal, for two reasons:

  1. Biometrics (fingerprint) is the same method used to unlock my Android phone. If someone can somehow figure out a way past the fingerprint to get into my phone (either a software trick or a stolen fingerprint through social engineering), then they can also get right into my Cryptomator vaults. Two series barriers of the same type (biometrics) don’t really add protection. Diverse barriers are much preferred.
  2. Also, for those concerned about law enforcement: law enforcement can generally compel biometrics, but they cannot compel PINs and passwords (or at a minimum you can plausibly claim they are forgotten).

The PIN solves all of these problems. PINs don’t have a lot of entropy, but you don’t really need that, as long as you simply log the user out of the vault after a certain number of incorrect PIN attempts (requiring the master password to get back in after too many incorrect PIN attempts). The Bitwarden mobile app does that: it allows 5 incorrect PIN attempts and lets the user choose the PIN length. That means even with a 4-digit PIN the attacker has only a 1/2000 chance of guessing the PIN before getting logged out. A four- or six-digit PIN doesn’t take much more time to enter than a fingerprint (the large keys on the numeric PIN entry screen are much easier than the tiny keys on the alphabetic keyboard), but it is arguably much more secure than biometrics since it represents a different challenge method than the one that unlocks your phone. And if you’re concerned about law enforcement, they can’t compel you to remember a PIN.

As an alternative to a per-vault PIN, it could be an app PIN (you can’t even open the app without a PIN). Whichever is easier to implement, as far as I’m concerned. [EDIT: now that I’ve written that, I’m recalling there may be other ways to set a PIN on Android apps… I’m going to look into that and will report my results back]

I realize I could use a PIN for my Android phone to get the diverse barriers I’m after, but I unlock my phone far more times during a day than I do my Cryptomator vault, so I’d rather keep the phone on fingerprint unlock and put the PIN on Cryptomator.

That’s just a thought. I searched and didn’t find a similar suggestion (I apologize if this is a duplicate).

Cryptomator is some great software btw. I’m definitely making good use of it. Thanks to all those who make it possible.

A post was merged into an existing topic: Extra Password for the app-unlock process
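The lockout scheme the post describes (a short PIN for day-to-day unlocks, disabled after a fixed number of wrong attempts until the master password is entered again), as an added example that is not Cryptomator's or Bitwarden's code. The class and function names are hypothetical, and `guess_probability` reproduces the post's 5/10000 = 1/2000 figure for a 4-digit PIN.

```python
import hashlib
import hmac
import secrets

# Hypothetical model of PIN-with-lockout unlocking (added example, not Cryptomator code).
# Both secrets are stored only as salted PBKDF2 hashes so a leaked app database does
# not hand over the PIN or master password directly.

class PinGate:
    """Unlock a vault with a short PIN; after max_failures wrong PINs the PIN is
    disabled and only the master password can unlock (and re-enable the PIN)."""

    def __init__(self, master_password: str, pin: str, max_failures: int = 5):
        self._salt = secrets.token_bytes(16)
        self._master_hash = self._kdf(master_password)
        self._pin_hash = self._kdf(pin)
        self.max_failures = max_failures
        self.failures = 0
        self.pin_enabled = True
        self.unlocked = False

    def _kdf(self, secret: str) -> bytes:
        # Deliberately slow hash so a short PIN is not trivially brute-forced from storage.
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), self._salt, 100_000)

    def unlock_with_pin(self, pin: str) -> bool:
        if not self.pin_enabled:
            return False  # locked out: the master password is required now
        if hmac.compare_digest(self._kdf(pin), self._pin_hash):
            self.failures = 0
            self.unlocked = True
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.pin_enabled = False  # fall back to the master password
        return False

    def unlock_with_master_password(self, password: str) -> bool:
        if hmac.compare_digest(self._kdf(password), self._master_hash):
            self.failures = 0
            self.pin_enabled = True  # a correct master password re-enables the PIN
            self.unlocked = True
            return True
        return False


def guess_probability(pin_digits: int, attempts: int) -> float:
    """Chance of guessing a uniformly random numeric PIN within `attempts` distinct
    tries before lockout: attempts / 10**pin_digits (5 tries, 4 digits -> 1/2000)."""
    space = 10 ** pin_digits
    return min(attempts, space) / space
```

The attempt counter only limits guessing through the app's own unlock screen; if the PIN-derived secret can be copied out of app storage, the offline search space is still 10^d, which is why production implementations keep the PIN-wrapped vault key in hardware-backed storage rather than relying on the counter alone.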