Is it secure to use Fingerprint in Cryptomator for Android?

For unlocking a vault via Fingerprint (as well as storing WebDAV credentials), Cryptomator uses the built-in Keystore. Cryptomator generates an encryption key by using KeyGenerator with the requirement of user authentication. With this configuration, the key is only accessible by authenticating the user against the system using fingerprint or the system password and, above all, only for this application. Android handles access to the key. If the key is used without authenticating the user, the operating system declines access.

In summary, Cryptomator uses the recommended Keystore and Fingerprint handling by Android. It depends on whether you trust the Fingerprint service in Android. If you have security concerns, continue using the password mode.

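The pattern the answer above describes, as an added example written for this page (it is not Cryptomator's own code): an AES key is generated inside the Android Keystore with `setUserAuthenticationRequired(true)`, so the key never leaves the Keystore and every use of it must be authorized by a BiometricPrompt. The alias `vault-unlock-key`, the activity, the wrapped secret bytes and the callbacks are assumptions for illustration. Two practitioner details are built in: `setInvalidatedByBiometricEnrollment(true)` makes the key permanently unusable once a new fingerprint is enrolled, and `CryptoObject` authentication requires `BIOMETRIC_STRONG`, otherwise `androidx.biometric` rejects the call.

```java
// Added example, not Cryptomator's code. Assumed: KEY_ALIAS, the activity,
// and that the caller persists the IV and wrapped secret somewhere.
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import androidx.biometric.BiometricManager;
import androidx.biometric.BiometricPrompt;
import androidx.core.content.ContextCompat;
import androidx.fragment.app.FragmentActivity;

import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.function.BiConsumer;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public final class AuthBoundKeyExample {
    private static final String KEY_ALIAS = "vault-unlock-key"; // assumed alias
    private static final String ANDROID_KEYSTORE = "AndroidKeyStore";
    private static final String TRANSFORMATION = "AES/GCM/NoPadding";

    // Generate a non-exportable AES-256 key that the OS only releases for use
    // after the user authenticated for this specific operation (timeout -1,
    // the default), and only to the app that created it.
    static SecretKey generateAuthBoundKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEYSTORE);
        KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setKeySize(256)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setUserAuthenticationRequired(true)       // the property the post describes
                .setInvalidatedByBiometricEnrollment(true) // API 24+: new fingerprint => key unusable
                .build();
        kg.init(spec);
        return kg.generateKey();
    }

    static SecretKey loadKey() throws Exception {
        KeyStore ks = KeyStore.getInstance(ANDROID_KEYSTORE);
        ks.load(null);
        return (SecretKey) ks.getKey(KEY_ALIAS, null);
    }

    // Initialise the cipher, hand it to BiometricPrompt and finish the operation
    // only in the success callback. doFinal() on an unauthorized cipher fails,
    // because the Keystore (not the app) enforces the authentication requirement.
    // For ENCRYPT_MODE the Keystore generates the IV; pass null and read it back.
    static void runAuthorizedCipher(FragmentActivity activity, int opmode, byte[] iv, byte[] input,
                                    BiConsumer<byte[], byte[]> onDone,   // (iv, output)
                                    Runnable onFallbackToPassword) throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        try {
            if (opmode == Cipher.ENCRYPT_MODE) {
                cipher.init(opmode, loadKey());
            } else {
                cipher.init(opmode, loadKey(), new GCMParameterSpec(128, iv));
            }
        } catch (KeyPermanentlyInvalidatedException e) {
            // Biometric enrollment changed: the key is gone for good. Let the caller
            // re-create it after a password unlock; never silently keep going.
            throw e;
        }

        BiometricPrompt.PromptInfo info = new BiometricPrompt.PromptInfo.Builder()
                .setTitle("Unlock vault")
                .setNegativeButtonText("Use password")
                .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)
                .build();

        BiometricPrompt prompt = new BiometricPrompt(activity,
                ContextCompat.getMainExecutor(activity),
                new BiometricPrompt.AuthenticationCallback() {
                    @Override
                    public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {
                        try {
                            Cipher authorized = result.getCryptoObject().getCipher();
                            byte[] out = authorized.doFinal(input);
                            onDone.accept(authorized.getIV(), out);
                        } catch (GeneralSecurityException e) {
                            onFallbackToPassword.run();
                        }
                    }

                    @Override
                    public void onAuthenticationError(int errorCode, CharSequence errString) {
                        // Negative button, lockout or cancel: fall back to password mode.
                        onFallbackToPassword.run();
                    }
                });

        prompt.authenticate(info, new BiometricPrompt.CryptoObject(cipher));
    }
}
```

Usage: call `generateAuthBoundKey()` once, then `runAuthorizedCipher(activity, Cipher.ENCRYPT_MODE, null, passphraseBytes, ...)` to wrap the vault passphrase and store the returned IV and ciphertext, and later `runAuthorizedCipher(activity, Cipher.DECRYPT_MODE, storedIv, storedCiphertext, ...)` to unwrap it. The key material is never visible to the app in either direction; what the app gets is a cipher object the Keystore will only operate after the prompt succeeded.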

I have some concerns about the security of Fingerprint in Cryptomator.

I have a fingerprint on my phone. I use it to unlock the screen and authenticate apps like LastPass and 1Password. I also use it to log into my bank account.

In Cryptomator, though, I don’t think it’s secure because:

  1. I can’t change the password or re-enter it after changing it once. So if someone steals my phone and finds out my password, they still have access to all of my encrypted data. (This is true for password managers in general.)

  2. Fingerprint readers aren’t so secure that you should rely on them for anything sensitive like your bank account login or your LastPass master password (which has been exposed in the past).

@sandersbud4 I’m sorry but I don’t really understand what you are trying to say, can you please elaborate a bit so I understand what you mean?

Oh sorry. I meant to say that I am not a fingerprint user because of security reasons. I am a guy who prefers password mode. However, it would be completely unfair not to support your efforts.

Personally, I don’t have biometric authentication set up on my phone either, but I understand users who don’t want to enter a password with more than 10 characters every time they unlock the phone, and then another one to e.g. unlock the vault. Security is always a trade-off with usability, and everyone can only answer for themselves where the “pain threshold” is.

I was just confused because I had understood you to say that you use it for mobile, LastPass and also for your bank account, but then write that it is insecure to be used with Cryptomator. And later you write that it is insecure in general, so I was a bit confused :sweat_smile:.

But now it’s clear, your concerns are generally regarding biometric authentication, which I fully share :slight_smile: especially the fact that you can’t just swap your fingerprint or face if it’s been exposed… but as said in the beginning, everyone has to work out this trade-off for themselves; using 1234 as a password instead of the fingerprint is not a solution either…


Another problem with biometrics, at least in the U.S., is that it can be used to require you to unlock the device: it is something you are, not something you know. If it were something you know, you would be protected from unlawful search and seizure, but because it is something you are, they don’t have to seek your permission (approval/warrant) and can require you to comply.

I’ll rehash some old ground (already captured) in terms of feature suggestion, but maybe it has some relevance for op as well.

The feature suggestion is Extra Password for the app-unlock process

When using PIN unlock on mobile, a long PIN is not needed for security as long as there is a limit like 5 incorrect attempts before the PIN is blocked and the full password is required (like how Bitwarden mobile implements it). From my simplistic view, it seems like an obvious way to maintain both high convenience and high security on mobile, but I may not understand the full security implications or the resources needed to implement it.

At any rate, the potential practical part for the op while we’re waiting for the feature to be evaluated: I found there are 3rd party app lock PIN products that can be used instead to roughly accomplish the same thing. I discussed how I use Norton App Lock in my post at the end of that thread (there are some ins and outs that I won’t repeat; I suggest reading my comments if you’re interested).

Biometrics are NOT secure in the US. You can be forced to provide that biometric. However, you cannot be compelled to reveal the contents of your mind (password).

Your device can be cloned and then they have unlimited attempts.