Ever notice your Android phone randomly disabling biometrics and forcing you to enter a password or pattern for “additional security”? The phrase says it all, but entering a long password or complex pattern to unlock your phone can be frustrating when you are in a tricky scenario.
Passwords, patterns, and PINs are more secure forms of authentication than biometrics, and this is the reason behind having to set up or enter your password before even registering biometrics.
So why the seemingly random call to enter a password? Does it depend on how often you use your phone, or is it a clever trick to help you remember your password?
Levels of biometric unlock security
The answer lies buried deep in the source code of Android. Biometric authentication is categorized into three classes numbered 1, 2, and 3. Android operates on a series of rules and signals from the environment to decide when it is time to disable biometrics to prevent unauthorized access to your phone.
The levels or classes of Android’s biometrics are determined by their performance against security threats. Three metrics described below are what determine the class the biometric falls into:
- The Spoof Acceptance Rate (SAR) measures how easily the authentication method can authorize a previously recorded sample. An excellent example of this was the “Voice Match” feature through which a “Hey, Google!” recording of the user could be used to gain complete access to their Android device.
- Imposter Acceptance Rate (IAR) defines how easy it is to unlock a device through biometrics by mimicking the user. In this metric, the biometric input is that of a person and not pre-recorded.
- Finally, the susceptibility of the biometric to falsely authenticate a random, non-targeted input is measured through the False Acceptance Rate (FAR) metric.
Both the biometric hardware, like fingerprint scanners, and software used in Android smartphones undergo testing by Android Biometric Security Partners to determine the mentioned values.
Timeouts for different biometric levels
A set of constraints is defined for each class of biometrics. These deal with the time before the phone reverts to a primary authentication method, like a password, pattern, or PIN, or whether an app can allow the biometric to authenticate the user’s access to sensitive data.
Class 3 biometric sensors, like the under-screen fingerprint sensor on your smartphone, have the fewest constraints applied to them. The source code mentions a fallback period of 72 hours before a primary authentication method is required to unlock your device. These can also be used to open and authenticate actions in apps.
Biometrics in the class 2 category, like Face Unlock, have a timeout of 24 hours before requiring a primary authentication. Older fingerprint sensors can also fall into this category.
Some biometrics known as Trust Agents, commonly found in the Smart Lock section of your phone’s security section, cannot unlock your phone but can keep an already unlocked device unlocked for longer. These may be type 2 or type 3 and can keep your smartphone unlocked and idle for a maximum of 4 hours or 3 incorrect attempts before returning to primary authentication.
Timeouts are set so that bad actors do not have the time to replicate your biometric data and gain access to your phone.
Password after reboot or lockdown
A common occurrence of biometrics being disabled is when you restart your smartphone. If your smartphone is encrypted, most core functionality, like phone calls and alarms, will be restricted until you enter your password. Android smartphones also have a setting for enabling a lockdown option in the shutdown menu that disables biometrics and trust agents after a reboot.
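The fallback rules described in this section, written as a small Python model. This is an added example, not Android's source code: the names (`LockState`, `needs_primary_auth`) and the at-or-past-the-limit comparison are assumptions, and only the 72-hour, 24-hour, 4-hour and 3-attempt figures come from the article.

```python
from dataclasses import dataclass
from typing import Optional

HOUR = 3600
# Windows quoted in the article, in seconds since the last password/PIN/pattern entry.
CLASS_WINDOW = {3: 72 * HOUR, 2: 24 * HOUR}
TRUST_AGENT_IDLE = 4 * HOUR      # maximum idle time a trust agent may hold the unlock
TRUST_AGENT_FAILURES = 3         # incorrect attempts before fallback


@dataclass
class LockState:
    now: int                      # current time in seconds (constructed clock)
    last_primary: Optional[int]   # None: no password entered since boot
    last_activity: int = 0        # time of the last user interaction
    failed_attempts: int = 0
    lockdown: bool = False


def needs_primary_auth(state: LockState, biometric_class: Optional[int] = None,
                       trust_agent: bool = False) -> Optional[str]:
    """Return the reason primary authentication is required, or None if it is not."""
    # Reboot and lockdown disable biometrics and trust agents alike.
    if state.last_primary is None:
        return "reboot"
    if state.lockdown:
        return "lockdown"
    if trust_agent:
        if state.failed_attempts >= TRUST_AGENT_FAILURES:
            return "failed-attempts"
        if state.now - state.last_activity >= TRUST_AGENT_IDLE:
            return "idle-timeout"
        return None
    window = CLASS_WINDOW.get(biometric_class)
    if window is None:
        # The article gives no window for this class; the model fails closed (assumption).
        return "no-window-for-class"
    if state.now - state.last_primary >= window:
        return "class-timeout"
    return None


if __name__ == "__main__":
    # Constructed scenario: password last entered at t=0, checked 30 hours later.
    s = LockState(now=30 * HOUR, last_primary=0, last_activity=29 * HOUR)
    for cls in (3, 2):
        print(f"class {cls}:", needs_primary_auth(s, biometric_class=cls) or "biometric ok")
    print("trust agent:", needs_primary_auth(s, trust_agent=True) or "stays unlocked")
```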
We hope you now understand how your Android smartphone can suddenly force you to enter a password instead of biometrics. These fallbacks are an essential part of what keeps your phone safe from unauthorized access by impostors or methods like spoofing.