Fingerprint unlock turned off if not used in 24 hours after upgrade to Marshmallow?!!!

[Matthew Potter]

I've recently upgraded to the latest version of Android and thought finally this will be great, as it has been with my phones. But it isn't. I don't use my tablet every day so i was horrified to learn that if not used within 24 hours of last use it turns off the fingerprint scanner and asks you to enter your unlock code. I like to have secure passwords, but I really don't see how this is a security feature. Is there any way to turn this off? I really cannot live with having to go into LastPass on my phone and then inputting my 16 key strong password to get into my tablet every time I use it. I didn't pay the price for Samsung's flagship tablet to do this!!! If anyone can please help as I can't find anywhere in the setting to turn it off. Thanks in advance.

Matt

 

[Aquila]

It requires a pin or password or pattern once, then resumes using the FPS. This should happen with the 24 hour scenario you described and on a reboot.

 

[Matthew Potter]

Can you please explain to me how a pin, password, or pattern is more secure than my fingerprint? And why this was introduced? Is it in case someone has stolen my tablet, cut off my finger and will use this. If it had been like this when i had bought it I would have returned it. It is so annoying.

 

[Aquila]

It's not necessarily "more secure", but two authentication is more secure than any single authentication.

Dual factor authentication in this manner is the same as your ATM card. You have to have the key (card, finger, fob, whatever) AND know a password or pin number to access funds, etc. Just having the key without knowing the access code is insufficient. Since these devices can potentially house your banking info, credit info, personal information, a large quantity of usernames and passwords, etc, and because of the presences of apps like Android Pay, Samsung Pay, etc. ... they literally can function as access to your assets.

It happens on reboot because of the encryption on the phone or tablet. The device cannot access the part of memory where your fingerprint (or any other bio-metric info) is stored until it has been unlocked and allowed to boot. It works the exact same way on all phones and tablets that have fingerprint sensors and Android 6.0 or higher and works exactly the same way in iOS.

The default setting in Android is 48 hours since the last time that you used the backup method. The actual logic of when you are required to use the backup method (PIN, pattern or password) is: (1) When your fingerprint isn't recognized after a few tries; (2) after restarting your device; (3) after switching to a different user on the device; & (4) after more than 48 hours have passed since you last unlocked using your backup method.

It sounds like Samsung shrank it down to 24 hours, probably because they feel it is more secure to use two factor authentication.

 

[Matthew Potter]

It isn't two factor authentication though so this is wrong. If someone has my passcode then they can just wait for 24 hours and then access my tablet. If they needed my passcode and my fingerprint i might be more forgiving, but they just need the passcode to get in. I thought the fingerprint scanner was the most secure, but since I don't want to use an easy to remember passcode, that is not advisable these days as a hacker might have access to what you might have i use a generated passcode as that is more secure. I can understand that after a number of invalid tries or even if the battery dies that it needs the passcode, but this means i have to carry around something that stores my passcode and this is inherently insecure. Even putting the debate about what is more secure or not aside for a minute. I want to be able to choose how secure I want my device. If I wanted to be told what I can and can't do with my device I'd have bought an Apple device. This isn't what I bought and this isn't the case with my other Android devices so this is something Samsung have done as part of their Marshmallow update. Why can't they just leave alone something that there is nothing wrong and people don't want or need? It is overengineering at its worst.

 

[Aquila]

Ok, you can probably look up how to install a custom Lollipop ROM or perhaps even the original software it came with on your tablet; or buy a tablet that doesn't use a fingerprint sensor. This is unfortunately how Android and iOS work.

 

[mikeytg1024]

The PIN is a quick way to get logged in. You only have 2 or 3 tries to get the pin right, then it reverts to the full password. Once in the fingerprint starts working again.

 

[Matthew Potter]

Sorry if I am missing the point here, but I have a device that has been working perfectly for over a year, to me there is nothing more secure than a fingerprint scan, although i do understand 2 point authentication is more secure, but this isn't that. I don't want to sound ungreateful for suggestions, but I don't want to install a custom ROM or revert back to the previous version of Android, I just want the option to login with how I previously have, the most secure method, and not a 4 digit PIN. As far as I am aware I can't use the tablet to use Android Pay, and even if I did I would want the most secure method to keep my tablet safe, the fingerprint scan. This is a flagship device, but it is making it almost unusable. On other devices, like my LG G4 phone, albeit without a fingerprint scanner, it doesn't invalidate my unlock method and ask for a PIN or passcode if not used for 24 hours so I don't think this is due to Android, but Samsung's updated version and I just don't understand why, and if so why it's not possible to disable this. I won't be buying another Samsung tablet. It took forever for the update to come and now it has almost made my tablet unusable. Thanks Samsung!!!

 

[Matthew Potter]

You do realise that your ATM card stores the PIN on the card itself? This is how it authenticates. So a criminal with your card can get hold of your PIN quite easily. So it isn't really dual factor authentication. Dual authentication is more secure, but I don't want it on my tablet. I'm not going to use it even if I could, which I'm not sure is possible. If I install Android Pay or Samsung Pay on the tablet then maybe i'd understand it doing this. But I haven't so I don't see why this is necessary. To get into my tablet i now have to have my phone handy so I can open LastPass, log into there, view the passcode, and input it to my tablet. It is all very unnecessary.

 

[Aquila]

The 4 conditions I listed are the minimum settings for androids implementation, everything that's using those APIs is that or more strict.

 

[Matthew Potter]

I understand what you are saying, but the whole reason I went for Android is that it gives you options to configure the settings to suit your needs, and although a little hesitant about Samsung, mainly on their update frequency even on flagship models, I still went for it. This has taken something that there was no problem with and made it less secure and almost to the point of unusability. Either I choose a password that is memorable to me, which will probably mean it is memorable to someone else too, or I have a safe password which means it makes the tablet almost unusable without a lot of hassle of having to look up the password on a second device (what would happen if that device needed the same option). I am very pissed off. I have no option to turn this off as well. Maybe this works on mobile phones, which you use every day, but this isn't the case with tablets. I want control over the security of my tablet which I have had in the past. Is that too much to ask?

 

[CMSevilla]

I'm trying to understand your frustration, and I guess I sort of get it? But perhaps it's one of those "1st world problems" kind of deal where yes, something isn't working out your way and you feel you ought to complain about it, regardless of the points already given to you in this thread.

Remember, not even a few years ago fingerprint readers weren't even a thing on most tablets/phones. Now they are a hot commodity every electronic MUST have. I guess the question is how insecure did you feel 3 years ago when you didn't have a fingerprint reader and just a pin/pattern/password? It's no different. And honestly, if you're THAT concerned about your tablet's security then maybe get an Apple which offers a no security compromise (or so they claim) deal where if you don't access/secure/unlock it a certain way, all your data will inevitably be gone. You claimed you wanted Android for options, and that's fine, but the more options you have, the more options anyone desperately trying to access your data has as well. It's much easier to root/hack an Android device than an Apple device and exploit data. I use my tablet daily and yeah, it's a bit of an inconvenience, but I deal with it and it's no big deal.

Just food for thought.

 

[Robert Ratskywatsky]

My fingerprint turn on doesn't work at all since the so called update. I set it for FP start with pin backup, but every time I start it it demands my pin and no fingerprint. It gives me the message that it needs my pin to protect my firngerprint whatever that means. It's another thing that doesn't work good since marshmallow. So often nowadays upgrades are really downgrades. Why is that?

 

[Robert Ratskywatsky]

The only time FP turn on works is when the tablet is already on and I shut off the screen and turn it back on. Then the FP thing works good.

 

[mikeytg1024]

Mine will always ask for a PIN if I shut it off, but if it goes to sleep it asks for a FP when you wake it. I think that is intentional, somehow for security.

 

[BullwinkleMoose]

Mine will always ask for a PIN if I shut it off, but if it goes to sleep it asks for a FP when you wake it. I think that is intentional, somehow for security.

____________________________


That's what mine does too now since the "update" to Marshmallow. So how is that for security if I can't even use my fingerprint to start it up?

 

[Wojciech Sura]

I'm seeking to disable the password too. Generally entering password each time device boots, shuts down or after 24 hours of inactivity is so annoying, that I'm thinking of disabling the FPS altogether.

You know the saying? Security with the expense of usability comes with the expense of security.

 

[gtt1]

I am looking at buying an S2. Curious about the setup. Can I not just have it so that if it is in a case it just opens up where I left it as my current Samsung 8.4 does?

 

[bgoodr]

This is also showing up on a brand new Samsung Galaxy Tab S3. If I have to type in a password every 24 hours, you can guarantee I'm going to use something that is memorable both to myself and to a potential attacker that's looking over my shoulder and watching me type that very same password in every 24 hours. I do not understand how this can be an improvement in total security than a single request for a single fingerprint.

This is incredibly obnoxious. For the first time, I am now forced into considering rooting this tablet just to get rid of this behavior.

 

[walt98]

It requires a pin or password or pattern once, then resumes using the FPS. This should happen with the 24 hour scenario you described and on a reboot.

He didn't ask you to tell him how it works. He, and millions of others, want to turn the feature off. And we don't want a lecture on why this system is good. We simply want to turn it off. Period. End of story.