Something new (as in: “I haven’t seen one of these in the wild before” - not all of them), since before this there hasn’t been need and possibility to have this: more advanced login features / options resisting meddling. (working title: MALFORM [it took a couple of minutes])
A couple of caveats:
- I have no idea how to go about getting these features
- I have no idea how to make this into a viable project
- I have no idea how difficult it would be to implement these
- I have no idea how difficult it would be to implement these in a way that is secure
- I only assume that there could be interest in this (especially more so after it’s offered)
- I only assume this might be a Purism thing to implement, since this seems more L5 specific, even though some of it could be implemented elsewhere [at least partly via PAM-mechanism, as @ruff points out]
My only hope is that someone somewhere finds this interesting and makes it reality.
Preface:
I’m not sure how the login and lock screen work in L5. I’ve half-heartedly asked but gotten no real detailed descriptions here at the forum (probably no one to give a good answer here). Atm it might still be getting polished. Login I equate to desktop Linux login (username/password) and expect that to be needed when the phone is booted (reboot, power on, as well as sudo/admin level). Lock screen, as I understand it, is supposed to be opened with a PIN, for convenience (screen lock via timer and/or manual/software switch). PIN is a number that has been reported (unfortunately I did not find the source again) to be max 6 digits (unconfirmed and possibly temporary).
Login is a decades-old method from the desktop side. Works well if you are in private and can maintain secrecy of the pair. PIN is based on old security tech (number key pads) and is what was used in GSM when it came out in the 90’s. It was thought to be enough for the SIM but soon a separate PIN was needed to secure the phone. As a feature, systems usually lock after enough false attempts (permanently or for a pre-set time) or in some cases can make the system dead (delete encryption keys or otherwise make it unusable - requiring new installation).
Thought:
I find these somewhat adequate but want more because this is the old way. The Librem 5 is a new type of tech (in that to me in this aspect it seems to have taken half a step further forward and crossed a line into a new territory) that genuinely should have more entry security to be balanced with its other security related features. A highly personalized and secure entry.
Level of convenience/security could and should be user set. And I mean more easily and more widely (and I’m limiting this only to entry - there are other security features to make other aspects more secure/insecure/convenient). I would not mind if the minimum default setting were already slightly above what “normally” mainstream users may have been accustomed to, but that is a separate issue. There are use cases when disabling login and lock screens temporarily is sane. The idea of “Malform” would be that there are more options to choose from. Especially regarding the lock screen entry event.
Lock screen PIN has been limited to a number key pad, but with a touchscreen, that is… unnecessary. It could be any combination of keys in any order. A phone (or mini computer, as L5 really aspires beyond a normal phone) is used in public and what was not thought of way back was the level of surveillance and video (not only sec cams / CCTV but also HD phone video). The simple movement of fingers (and the visible feedback of the screen) is easily recorded and played back - and used after the phone is obtained by a thief (random opportunistic stealing or targeted hack to your network using you as the weak point) or even an official of some government. And this is only where the idea starts…
New featuresets to combine:
- Option to have PIN more than 6 digits. Anything from 4 to 32 should suffice for manual use, but I’m not sure if some options could utilize a ridiculously greater number like 256 or 65000 which could be realistic in the future (I separate here the length from the possibly tedious/genius methods of entering such large numbers/codes - it’s up to user).
- Option to enter PIN with other methods: a secondary device (USB-key, BT-proximitykey, WIFI network transmitted something), camera/image read, phone movement interpretation via gyro sensors, etc. As in, something is encoded to numbers (PIN) according to selected schema/key.
- If numpad (or any keypad) is chosen to be used, the option that the placements of those keys may be random. Not only in relation to themselves but optionally also on the screen (thinking wear and tear as well as oily fingerprints that help guess the PIN but also screenburn on a device that has longevity beyond a normal phone). As a group or floating individually [bonus funny: for BOFHs, keys floating randomly on the screen at various speeds]
- Option to have several PINs for the same user. One for daily personal use, additional to give to trusted people (if that is what you want to do). These additional PINs can then be managed. Additional long and secure PIN could be needed as backup entry option if some fancy other optional method doesn’t work or has locked the phone.
- Optional PIN management: limits when PINs may be used or if they need extra or if they need to be changed. Calendar set times/dates, location based (areas where a longer PIN or other security measure is needed), special dynamic or changing PINs etc. This includes a timer that allows to use a PIN after the phone has not been opened/used for a period of time (in case user no longer is available to open it - accident, death, fired from company, on extended vacation etc.). Combinations of these could also be used.
- Dynamic PINs: PINs that change according to some logical rules that the user can remember/calculate. For example: depending on the day, week, hour or minute the last/first digit(s) change from odd to even (0/1, that precise minute, date etc.) or the seed PIN is added/subtracted/multiplied by that day of the week (1-7) etc. Also, as an only PIN or second PIN, a randomized list of PINs (on a card or program) can be used if user wants to set up some (DIY) additional ID-item. I read second factor authentication to this (although it surely could be considered as its own), as in Librem-key and others as a subsection to this.
- Advanced entry actions: especially for duress situations, but for other use cases as well, a pre-selected variation in the PIN/login process or code could change the entry action. When entering PIN/pw - a dynamically changed or secondary (see above) - it could be used to force phone to immediately go dead (for instance delete keys) or play dead for a while (timer), or allow entry and start some function(s), like record audio/video, send location via SMS(s), call emergency number, delete folder “MyPlansToWorldDomination”, not mount /home, back up to server, throttle processor speed, play a fanfare tune, login to a chat, etc.
- Advanced entry options (as in “PIN + this”) would be similar with some of the previous, but for clarity, are grouped separately. PIN entry could also require timing (certain rhythm or additional pause). The touchscreen could have an invisible key that needs to be pressed for the PIN to be correct or pressing it starts some action. Similarly the gyro could require some identifiable movement in addition to the PIN or another type to begin action. Location could be one as well (workphone only works at work - not during weekends). Physical keys could also be used in some fashion like the previous or entry could only be possible when one, some or all kill-switches are activated - or if they are not, some action may be done in the background.
So, in essence, just throwing this out there and hoping someday someone finds this interesting enough to make…
(And apologies for the long post) [edit: updated after comment]
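
A sketch of three of the options listed above (random key placement, several PINs per user including a dynamic one, and a duress PIN that selects an entry action), added here as an example and not part of the original post or any Librem 5 code. The slot layout, the action names and the wrap-around form of the weekday rule are assumptions; a real version would sit behind something like the PAM mechanism the post mentions.

```python
import hashlib, hmac, secrets
from datetime import date

def shuffled_keypad(keys="0123456789"):
    """Random key placement, drawn from the OS CSPRNG rather than a seeded PRNG."""
    layout = list(keys)
    secrets.SystemRandom().shuffle(layout)
    return layout

def _kdf(pin, salt):
    # Slow hash so stored slots are not plain PINs. A short PIN is still
    # guessable offline, so the attempt limit the post mentions stays necessary.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)

def undo_weekday_add(entered, today):
    """Invert the post's rule 'seed PIN + day of week (1-7)'.
    Assumption: the sum wraps modulo 10**len so the PIN length never changes."""
    if not entered.isdigit():
        return entered
    n = len(entered)
    return str((int(entered) - today.isoweekday()) % 10**n).zfill(n)

def enroll(pin, action, undo=None):
    """One PIN slot. Dynamic slots store only the hashed seed plus the inverse rule."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _kdf(pin, salt), "action": action, "undo": undo}

def check_entry(slots, entered, today=None):
    """Return the action of the first matching slot, or None.
    Every slot is always hashed, so timing does not show which kind of PIN matched."""
    today = today or date.today()
    result = None
    for slot in slots:
        candidate = slot["undo"](entered, today) if slot["undo"] else entered
        match = hmac.compare_digest(_kdf(candidate, slot["salt"]), slot["hash"])
        if match and result is None:
            result = slot["action"]
    return result

# Constructed sample slots; PINs and action names are hypothetical.
SLOTS = [
    enroll("482913", "unlock"),                    # daily PIN
    enroll("7391", "unlock", undo_weekday_add),    # dynamic PIN, seed 7391
    enroll("482914", "unlock_and_send_location"),  # duress variant of the daily PIN
]

if __name__ == "__main__":
    print(shuffled_keypad())
    print(check_entry(SLOTS, "7394", date(2024, 1, 3)))  # Wednesday: 7391 + 3
```

Because the dynamic rule is inverted on the entered value, the seed never has to be stored in recoverable form.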