    I've used Secure Folder and thought the concept is great, until I understood how easily anyone could get around it. If I lose my phone, the person can just click on "reset password", then "Forgot your password" under the Samsung account login. He'll receive an email, directly on the stolen phone because I have my email accounts set up on it (like all of us do), so he can reset the Samsung Account, and then reset the Secure folder password. Even the 2-step authentication on the Samsung account is useless as it sends an SMS... to the stolen phone. So in sum, if you have access to my phone, then you have access to my Secure Folder.
    Am I missing something, or is there a way to shut this loophole?
    08-15-2017 08:26 AM
    The very first step is to set up a secure password (plus, optionally, fingerprint, iris scanner, facial recognition) for access to the device. This prevents anyone accessing your email or SMS on the device. They have no way of resetting the password. Even a device reset wouldn't help -- your Google account credentials are required after a reset.
    08-15-2017 09:15 AM
    If someone steals your phone, how would they unlock it in the first place? And not only that, you can lock it or wipe it using your Samsung or Google account anyway.
    08-15-2017 09:25 AM
    Thanks for your answers, but my point is that Secure Folder doesn't add any extra security, because it's just as safe as your standard phone unlocking security. So if your phone is safely locked, then you don't need Secure Folder, and if it isn't, then Secure Folder won't help either.
    Potentially you could have your phone stolen while it's still unlocked and in that case Secure Folder won't add any meaningful security - any amateur can do the reset.
    08-15-2017 09:46 AM
    Secure Folder adds Samsung Knox for added encryption. Even with your phone locked someone can still potentially get your data but the added encryption from the Secure Folder makes it even harder to get.
    08-15-2017 10:09 AM
    Uh, someone could theoretically pull the flash memory off the motherboard and access it independently of the phone, at which point your phone lock is useless. However the thief would not be able to access the encrypted data.
    08-15-2017 10:17 AM
    Secure folder has other use cases. Like when someone borrows your phone to watch something, your sensitive information is locked away.
    08-15-2017 12:13 PM
    I totally agree with coeos, and all the messages after his are completely missing the point.
    08-22-2018 07:45 AM
    I totally agree with coeos, and all the messages after his are completely missing the point.
    There is no point in adding a layer of security (for whatever reason it could be the need) if then there is a (practical and easy) workaround.
    For everyone that fails to see an issue here, the secure folder app itself has no reason to exist, since its own purpose is completely missed.

    I found a very non-elegant solution, that seems more like a bug than a solution... but so far it seems to work:
    - uninstall the existing Secure Folder app (in "more settings")
    - log off from your Samsung account
    - create a new temporary Samsung account, with a secondary mail (not logged on in your phone)
    - log in, and re-install Secure Folder
    - once the Secure Folder is set up, go back to accounts and switch to your old one.

    Now for some reason the reset password tool of secure folder will keep asking you for the temporary account's credentials, as if it is not recognising the Samsung account currently logged on your smartphone.

    As long as the access to the secondary mailbox is protected by a password also with the device unlocked, you should be fine. Unless they will change the app behaviour with an update.

    Of course be aware if the recovery email or the recovery phone number for your secondary mailbox are the address or the phone number you are currently using on your device. In that case security is going to have a hole too.
    And also, if using a temporary email for the temporary Samsung account, don't delete the mail account, or it will be available for use, and to enter in your secure folder it will be needed just to create a Samsung account using that same email address.
    08-22-2018 07:58 AM
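
The recovery chain discussed in this thread can be checked as a dependency graph. The following is an added example, not part of any post and not Samsung's logic: the asset names and reset rules are constructed from the posts' descriptions, and the temporary account is assumed to use an email-only reset.

```python
"""Recovery-chain model (constructed for illustration)."""

def reachable(rules, start):
    """Return every asset obtainable from `start` by chaining recovery paths."""
    held = set(start)
    changed = True
    while changed:
        changed = False
        for asset, paths in rules.items():
            # One satisfied path (all of its prerequisites held) is enough.
            if asset not in held and any(path <= held for path in paths):
                held.add(asset)
                changed = True
    return held

# Setup from the first post: mail and SMS arrive on the phone itself.
DEFAULT = {
    "primary_mailbox": [{"unlocked_phone"}],
    "sms": [{"unlocked_phone"}],
    "samsung_account": [{"primary_mailbox", "sms"}],  # email reset + SMS 2-step
    "secure_folder": [{"unlocked_phone", "samsung_account"}],
}
# Workaround: the folder reset is bound to a second account whose mailbox
# is not signed in on the phone (assumed: email-only reset for that account).
WORKAROUND = {
    **DEFAULT,
    "temp_samsung_account": [{"secondary_mailbox"}],
    "secure_folder": [{"unlocked_phone", "temp_samsung_account"}],
}
# Caveat 1: the secondary mailbox recovers via the address or number on the phone.
LOOPED = {**WORKAROUND, "secondary_mailbox": [{"primary_mailbox"}, {"sms"}]}
# Caveat 2: the secondary address was deleted, so anyone can register it.
DELETED = {**WORKAROUND, "secondary_mailbox": [set()]}

def folder_exposed(rules, start):
    """True if the Secure Folder reset is reachable from the starting assets."""
    return "secure_folder" in reachable(rules, start)

if __name__ == "__main__":
    cases = [("default", DEFAULT), ("workaround", WORKAROUND),
             ("looped recovery", LOOPED), ("deleted mailbox", DELETED)]
    for name, rules in cases:
        exposed = folder_exposed(rules, {"unlocked_phone"})
        print(f"{name:16} unlocked phone -> folder exposed: {exposed}")
    print("default          locked phone   -> folder exposed:",
          folder_exposed(DEFAULT, {"locked_phone"}))
```
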
    One of the first things I did with mine was to turn off the display of content of notifications on the front screen.

    So it shows, for example, an SMS icon when I get one, but it doesn't help a thief out by rendering the content of the SMS providing the reset or unlock code in a "preview" without them even having to get into the phone.
    08-23-2018 12:41 PM

