Voice password to unlock phone/apps

While I generally dislike the voice password idea, I can see how it can be useful for you to protect from a simplistic thief. Imitating one’s voice is admittedly harder than typing in a stolen password. And convenience is undeniable.

That said, I’m guessing Librem 5 will not have it in the near future.

2 Likes

So if you wake up some morning with a sore and scratchy voice (maybe an octave off of your normal tone), are you just locked out until your voice gets better?

2 Likes

I’d like to echo that while I agree voice as authentication is flawed, using voice for identification while also using the spoken passphrase as authentication has a certain appeal.

I also think dwaff hit on an important point of this being reasonably good security against an unsophisticated attacker which I think is the more common attacker for the majority of people.

For the concern about loss of voice/scratchy voice/etc. you could have a more complex written passcode to enter as an alternative, thus allowing the choice of which authentication method to use at the time of unlock.

I wonder if you could do something with the hardware buttons to unlock the phone? Like power > volume up > power > volume down > volume up > power or something?

1 Like

Presumably there would be a vanilla entered password alternative.

The beauty of the Librem 5 is that, as far as I can see, there are no technical obstacles to having that functionality today (well, other than that most people don’t have their phone yet) so if @veleno wants it today then perhaps a PAM module will do the trick.

When I talk about technical obstacles though I am only talking about unlocking an already booted phone. I don’t think we’ll see the LUKS / Librem Key boot unlock via voice recognition any time soon. :wink:

Once again though I would not use this functionality myself - for all the reasons discussed.

2 Likes

This is a problem. Not only by people around you but with video (both CCTV and mobile phones and anything in between). And it’s not even needed to see the screen as the pin entry is done with a static (always identical) numpad. I’ve also previously suggested ideas to make typing more safe and login more secure - options for the user to select which they would like to use. Audio/voice is not the only one. A pad that changes randomly, a full keyboard instead of numbers, hidden [invisible/unmarked areas for] keys/touches, adding rhythm/frequency/timing as part of the access key or possibility to make the pin/login dynamic depending on the time or something (a variation of a group of PINs depending for instance which hour it is or is the minute odd/even etc. - make it as complex or simple as you want) - or even having a PIN+voice option (one or both could have dynamic variation). What @Gavaudan mentioned about the hardware keys could also be an option, but it could interfere if user is using services (or even login options) that require location or network in the background. Unfortunately I’m not an expert in this field and something this critical I’d rather see taken up by the manufacturer.

Btw. outside of these, there is also the possibility of using Librem Key for login too.

This is fairly standard. Internet banking has had this for decades i.e. specifically where you are just entering a numeric PIN.

It doesn’t even need to be cryptographically strong randomness. However, ideally, the pad would randomise before each digit. Would users tolerate that? (That isn’t a major objection though because users should always be free to choose between a) randomisation before each digit b) randomisation only on initial presentation of the pad c) no randomisation.)

You’ve given lots of good ideas for unlock security - but maybe the phone needs to get out the door first. There will be plenty of time for strengthening the unlock afterwards. As they say, Il meglio è l’inimico del bene.

1 Like
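Added example, not part of any post in the thread: a small model of the three pad options (a/b/c) discussed above, showing what an observer who records only where the finger lands, without reading the screen, can still infer. The 10-key pad, the mode names and the function names are assumptions made for illustration.

```python
import random
from math import perm

STATIC_LAYOUT = list("1234567890")  # assumed fixed key order of an ordinary pad

def new_layout(rng):
    """Return the ten digits in a fresh random order (index = key position)."""
    layout = STATIC_LAYOUT[:]
    rng.shuffle(layout)
    return layout

def touch_trace(pin, mode, rng):
    """Key positions touched while entering `pin`.

    mode: "none"      - static pad (option c)
          "initial"   - shuffled once when the pad appears (option b)
          "per_digit" - reshuffled before every digit (option a)
    """
    layout = STATIC_LAYOUT[:] if mode == "none" else new_layout(rng)
    trace = []
    for digit in pin:
        trace.append(layout.index(digit))
        if mode == "per_digit":
            layout = new_layout(rng)
    return trace

def candidate_pins(trace, mode):
    """How many PINs remain possible for an observer who knows the mode
    and the touch positions, but never saw the digits on the keys."""
    if mode == "none":
        return 1                          # position -> digit is public knowledge
    if mode == "initial":
        # Same position means same digit, so repeats in the PIN leak;
        # only the distinct positions still need a digit assigned.
        return perm(10, len(set(trace)))
    return 10 ** len(trace)               # positions carry no information

if __name__ == "__main__":
    rng = random.SystemRandom()
    for pin in ("1122", "4071"):          # constructed sample PINs
        for mode in ("none", "initial", "per_digit"):
            trace = touch_trace(pin, mode, rng)
            print(pin, mode, trace, candidate_pins(trace, mode))
```

With option b a PIN with repeated digits such as 1122 is narrowed to 90 candidates from the touch positions alone, while option a leaves all 10,000; none of the options helps once the observer can also read the screen.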

Weeelll… philosophically speaking login by default could probably always be seen as an imperfection - after all we are entering (making a hole, creating an exception, an imperfection to the system to allow entry) and changing the state of something. :classical_building::thinking: So, good enough is what we will always have. I just hope we could have better, sooner - rather than later.

But another reason to push these ideas is, that until now there really hasn’t been a device where they all could be implemented (or the ecosystem/company behind it wouldn’t), and that the PIN-code-to-a-keypad is an idea that is based on a decades-old analog/mechanical idea that clearly has vulnerabilities, especially in today’s world and in phones. And besides, it’s not only good from security and safety standpoints for the user to be able to define what they use and what matches their risk profile, but also what works for them from the usability side as well.

Btw. I like your addition to the numpad randomness (a/b/c).

Yes, it would be much more secure if you couldn’t log in at all. :joy:

Do you have coding skills? The intention of open source is that you can pursue these ideas yourself if you are not satisfied with the default PINpad security. Who can even say at this stage what the default security is?

1 Like

A perfect system would be completely stable, secure, unchangeable, unusable and unpenetrable - a work of art that you only admire from the outside :star_struck::face_with_monocle:

Unfortunately my coding skills are limited and as I said, with something this critical I wouldn’t trust me even if I could cobble something together.

There is that. However if you made it open source at least you could have it reviewed by many pairs of eyes.

1 Like

so if you COULD admire it from the INSIDE would that mean that the above given definition would change ?
to me admiration can be done BOTH from the inside or the outside but if it is done from the outside ONLY one would need to take that with a pinch of salt … kinda’ like closed-source :wink:

I’ve got it! Use a tongueprint and lick the screen to unlock the phone! : P

I think I’d like a highly configurable login method. For example, you could have security “modules” (like password, voice, face, fingerprint, hardware buttons) and you could have rules for what can unlock the phone. I might want a simple swipe + face in the morning, but a hardware + voice + fingerprint in a crowded place. So either combination can unlock the phone, but only if it is registered. And you could even add a blacklist, although I don’t know how useful that would be.

1 Like

Ew. Just make sure that everyone keeps their phones to themselves. COVID anyone? :slight_smile:

2 Likes

I have a friend whose elderly father died from Covid-19. Living near Philly, he was very careful: he would wear his mask, he would wear his latex gloves everywhere. He would wipe down all used surfaces with Clorox wipes. But he would use his cell phone in public through the mask.

It was determined that at least once, he forgot to wipe down his phone after he got home after he removed his mask and gloves.

3 Likes

retinal + fingerprint + DNA + passphrase + PIN + voice + UFO = perfect unlock procedure

how long would that take ?

Still hope for the BB OS 10 picture password functionality to get revived some day in the future: https://www.youtube.com/watch?v=ucpQ_0iHrWg

1 Like

Care to describe to us how that works from a user perspective?

Of course! When setting it up you choose a picture you like which acts as the background during the unlock process. Then you get a matrix with randomly distributed numbers from 0 to 9 which acts as a layer above the picture. The key is like one number (e.g. “6”) which has to be relocated to a predefined place in the picture by dragging the screen. I hope that’s understandable, if not feel free to ask again or watch the YouTube video. :slight_smile: The main advantage over Android’s pattern unlock is that the number matrix gets randomized every single time you try to unlock your phone - so it’s basically impossible to spy your unlock pattern. For more security, someone could just implement a second number without telling you that the first one was right.

2 Likes

It may be difficult or impossible for a shoulder surfer to get your “Blackberry picture password” from one unlock event. However isn’t it the case that with two unlock events the odds reduce in favor of the shoulder surfer (if she has photographic memory) and with three unlock events the odds reduce further in favor of the shoulder surfer and so on?

If the shoulder surfer is the surveillance cameras that are ubiquitous in today’s cities then you can assume photographic memory.

So if using picture password frequently in public then you may need to change the picture password proportionately frequently.

1 Like
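Added example, not part of any post in the thread: a simulation of the repeated-observation concern raised above, under a simplified model of the picture password. Assumptions: the picture is divided into 48 cells, a camera records which digit sits over every cell when the unlock completes, and the secret is one (digit, cell) pair; the real BlackBerry implementation may differ in grid size and tolerance.

```python
import random

DIGITS = 10

def observe(secret, cells, rng):
    """One recorded unlock: the digit lying over each picture cell after the drag."""
    digit, target = secret
    overlay = [rng.randrange(DIGITS) for _ in range(cells)]
    overlay[target] = digit  # the user dragged the secret digit onto the target
    return overlay

def surviving_candidates(observations):
    """(digit, cell) pairs that are consistent with every recorded unlock."""
    candidates = {(d, cell) for cell, d in enumerate(observations[0])}
    for overlay in observations[1:]:
        candidates = {(d, c) for d, c in candidates if overlay[c] == d}
    return candidates

def expected_survivors(cells, k):
    """Model: each wrong cell repeats its digit by chance with probability 1/10."""
    return 1 + (cells - 1) / DIGITS ** (k - 1)

def simulate(cells=48, max_obs=4, trials=2000, seed=1):
    """Average number of candidates left after 1..max_obs recorded unlocks."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    totals = [0] * max_obs
    for _ in range(trials):
        secret = (rng.randrange(DIGITS), rng.randrange(cells))
        seen = []
        for k in range(max_obs):
            seen.append(observe(secret, cells, rng))
            totals[k] += len(surviving_candidates(seen))
    return [t / trials for t in totals]

if __name__ == "__main__":
    for k, avg in enumerate(simulate(), start=1):
        print(f"{k} recorded unlock(s): {avg:.2f} candidates left "
              f"(model {expected_survivors(48, k):.2f})")
```

In this model the candidate set shrinks roughly tenfold with each additional recorded unlock, which supports changing the secret often when it is used in view of cameras, or using a second digit and position as suggested earlier in the thread.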