Home > Smartphone

Android phone suddenly asking for a password? Here’s why

The Techtellectual is a reader-supported website. When you buy through links on our site, we may earn an affiliate commission at no additional cost to you. Learn More

Ever notice your Android phone randomly disable biometrics, forcing you to enter a password or pattern for “additional security.” The phrase says it all, but entering a long password or complex pattern to unlock your phone can be frustrating when you are in a tricky scenario.

Passwords, patterns, and PINs are more secure forms of authentication than biometrics, and this is the reason behind having to set up or enter your password before even registering biometrics.

So why the seemingly random call to enter a password? Does it depend on how often you use your phone, or is it a clever trick to help you remember your smartphone?

Levels of biometric unlock security

The answer lies buried deep in the source code of Andriod. Biometric authentication is categorized into three classes numbered 1, 2, and 3. Android operates on a series of rules and signals from the environment to decide when it is time to disable biometrics to prevent unauthorized access to your phone.

The levels or classes of Android’s biometrics are determined by their performance against security threats. Three metrics described below are what determine the class the biometric falls into:

  • The Spoof Acceptance Rate (SAR) measures how easily the authentication method can authorize a previously recorded sample. An excellent example of this was the “Voice Match” feature through which a “Hey, Google!” recording of the user could be used to gain complete access to their Android device.
  • Imposter Acceptance Rate (IAR) defines how easy it is to unlock a device through biometrics by mimicking the user. In this metric, the biometric input is that of a person and not pre-recorded.
  • Finally, the susceptibility of the biometric to falsely authenticate a random, non-targeted input is measured through the False Acceptance Rate (FAR) metric.

Both the biometric hardware, like fingerprint scanners, and software used in Android smartphones undergo testing by Android Biometric Security Partners to determine the mentioned values.

Timeouts for different biometric levels

A set of constraints are defined for each class of biometrics. These deal with the time before the phone reverts to a primary authentication method, like a password, pattern, or PIN, or whether an app can allow the biometric to authenticate the user’s access to sensitive data.

Fingerprint Readers are classified as Class 3 biometrics
Fingerprint Readers are classified as Class 3 biometrics. Photo by Lukenn Sabellano on Unsplash

Class 3 biometric sensors, like the under-screen fingerprint sensor on your smartphone, have the least constraints applied to them. The source code mentions a fallback period of 72 hours before a primary authentication method is required to unlock your device. These can also be used to open and authenticate actions in apps.

Face unlock setup screen in a smartphone
Face Unlock is generally classified as a Class 2 Biometric. Image Credits: Google

Biometrics in the class 2 category, like Face Unlock, have a timeout of 24 hours before requiring a primary authentication. Older fingerprint sensors can also fall into this category.

Some biometrics known as Trust Agents, commonly found in the Smart Lock section of your phone’s security section, cannot unlock your phone but can keep an already device unlocked for longer. These may be type 2 or type 3 and can keep your smartphone unlocked and idle for a maximum of 4 hours or 3 incorrect attempts before returning to primary authentication.

Timeouts are set because they are long enough for bad actors not to have the time to replicate your biometric data and gain access to your phone.

Password after reboot or lockdown

A common occurrence of biometrics being disabled is when you restart your smartphone. If your smartphone is encrypted, most core functionality, like phone calls and alarms, will be restricted until you enter your password. Android smartphones also have a setting for enabling a lockdown option in the shutdown menu that disables biometrics and trust agents after a reboot.

We hope you understand how your Android smartphone can suddenly force you to enter a password instead of biometrics. These are an essential part of what keeps your phone safe from unauthorized access by impostors or methods like spoofing.

Interested in setting up your smartphone to be less distracting? Check out our guide on the best minimalist Android launchers to free your time.

Share on:
About Paul Jacob

Paul’s journey with computers began over a decade ago when he started tinkering with 3D modelling in SketchUp (back when it was owned by Google!). Wanting to learn more about what goes on under the hood, he began tearing down any PC, laptop or smartphone he could lay his hands on. His adventures led to the bricking of a smartphone, but over time allowed him to repair and spare gadgets from becoming e-waste. He is a Mechanical and Physics graduate from BITS Pilani, and has been in the tech journalism industry for the past 5 years. He also is active academically, having published a paper in BMEL. Today, you can find him tinkering with HPCs in his homelab to get the maximum performance in CFD simulations, or fine-tuning his heavily modified Ender 3 printer for the maximum speed.

Comments

Subscribe
Notify of
0 Comments
Inline Feedbacks
View all comments