
Android Keystore key invalidated after device unlock on Pixel 4

Open 5HT2 opened this issue 2 years ago • 7 comments

Info

  • Version: 2.0.2
  • Source: Google Play
  • Vault encrypted: Yes, with password and biometric unlock
  • Device: Pixel 4
  • Android version and ROM: Android 11 stock

Steps to reproduce

  • Unlock phone
  • Open Aegis with biometric (face) unlock

What do you expect to happen?

I do not get asked for my Aegis password

What happens instead?

Aegis "detects a change in biometric security" and asks for my password again.

The Google Pixel 4 (and probably newer Pixels) will "improve" the face matching with each successful device unlock, and so Aegis detects that the biometric security "changed", even though it's still the same face that is saved.

Ideally, being able to detect whether face unlock has been removed entirely and re-added would be a better alternative, but I don't think that's possible through whatever API Android exposes.

As a second proposal, an option to turn off this detection (with a warning of what it means, of course), would be nice to have, as I store my Aegis password on an air-gapped computer and it is inconvenient to not be able to access my 2fa tokens when not at home.

5HT2 avatar Sep 22 '21 15:09 5HT2

Aegis "detects a change in biometric security" and asks for my password again.

This description is meant to make things more understandable for regular users, but in reality Aegis doesn't do the detection itself. Instead, the system simply wipes Aegis' Android Keystore key whenever the user makes certain changes to their security settings (for example: adding a fingerprint or disabling the secure lock screen). Once that key is wiped, the only way to decrypt your vault is with the password, so Aegis has no other option but to ask for that.

It would be surprising if the automatic improvement of facial unlock resulted in Android continuously wiping all Android Keystore keys that require user authentication. We've had multiple users report that facial unlock works fine for Aegis on their Pixel 4, so I'm wondering what's going on in your case.

Are you sure Aegis is showing that message after every single device unlock? To test, could you perform the following steps a couple of times?

  1. Disable and then re-enable biometrics in Aegis
  2. Lock and unlock your device
  3. Open Aegis. Are you forced to enter your password again?

alexbakker avatar Sep 22 '21 16:09 alexbakker

Are you sure Aegis is showing that message after every single device unlock? To test, could you perform the following steps a couple of times?

I have tried this, and it doesn't happen every single time, but it does happen frequently. It's closer to a 1/3 chance.

This morning, when I wrote the issue, it happened 3 times in a row, so I am guessing the face match "improvement" could rely on certain light conditions or angles, I'm unsure.

Once that key is wiped, the only way to decrypt your vault is with the password, so Aegis has no other option but to ask for that.

I wasn't aware it worked that way, I suppose that complicates things.

5HT2 avatar Sep 22 '21 21:09 5HT2

It would be nice if the Aegis application could be protected by a security scheme (just like the Binance application does). So anybody could leave the phone unlocked for quick use while securing only sensitive apps like Binance or Aegis. In case of a lost or stolen phone the security is not compromised. (I preferred not to assign a password to my phone or the Aegis file to make sure I don't forget it)

abda11ah avatar Sep 24 '21 06:09 abda11ah

This morning, when I wrote the issue, it happened 3 times in a row, so I am guessing the face match "improvement" could rely on certain light conditions or angles, I'm unsure.

Are we sure this happens because of the face matching improvement? What if it's caused by a hardware defect? You're the first person to report this issue.

I wasn't aware it worked that way, I suppose that complicates things.

It does. I don't think there are any acceptable ways to work around this. Either way, I want to see more reports of this happening before looking into this further.

alexbakker avatar Sep 24 '21 16:09 alexbakker

Are we sure this happens because of the face matching improvement? What if it's caused by a hardware defect? You're the first person to report this issue.

I suppose it's entirely possible that some sort of hardware defect causes it to regenerate the keystore after an unlock instead of properly updating the face data.

Is there anything I can provide to help debug this?

5HT2 avatar Sep 24 '21 17:09 5HT2

I have a Pixel 5a, on which I use fingerprint biometrics but not face unlock.

I used Aegis fine for some weeks, only to be stopped by the "a change in your device's security settings" message today. I am not entirely sure when the last day I successfully used Aegis was, but I have not changed my Android password or biometrics since then.

Instead, the system simply wipes Aegis' Android Keystore key whenever the user makes certain changes to their security settings (for example: adding a fingerprint or disabling the secure lock screen). Once that key is wiped, the only way to decrypt your vault is with the password,

It what??? So some not-directly-related-to-aegis system setting can change, and that results in losing the decryption key to my vault? Okay, that is the worst, I will be disabling this feature forever kthx.

...as soon as I figure out what password it's locked behind. It sounds like it must have made me set one, right? I just wasn't careful with saving it because I assumed I could unlock the vault as long as I could pass the phone's biometric check.

keturn avatar Oct 01 '21 01:10 keturn

@l1ving

Is there anything I can provide to help debug this?

Thanks for offering, but I'm afraid not. If more reports come in of this happening, this might be an actual new issue and we'll have to think about how to approach this.

@keturn

I am not entirely sure when the last day I successfully used Aegis was, but I have not changed my Android password or biometrics since then.

It what??? So some not-directly-related-to-aegis system setting can change, and that results in losing the decryption key to my vault? Okay, that is the worst, I will be disabling this feature forever kthx.

This could sometimes happen spontaneously on older devices or emulators that had poor Android Keystore implementations (though those usually already failed when first setting up biometrics in Aegis). Pixel devices are not known to have that issue. By design, keys are invalidated if Android security setting changes are made and setUserAuthenticationRequired(true) is configured on the Android Keystore key by an app.

Aegis warns you in bold red letters that forgetting your password means permanently losing access to your vault. It also asks you for your password every now and then, so that you don't forget it (unless you disabled the password reminder, of course).

alexbakker avatar Oct 01 '21 08:10 alexbakker
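The two explanations above (the Sep 22 comment on the system wiping the Keystore key, with its disable/re-enable/lock/unlock test, and the Oct 01 comment on setUserAuthenticationRequired(true)) describe documented Android Keystore behaviour: a key created with setUserAuthenticationRequired(true) and no validity duration is permanently invalidated by the system when the secure lock screen is disabled or reset, and, unless setInvalidatedByBiometricEnrollment(false) is set, when a new biometric is enrolled or the last one is removed. The app learns of this only when it tries to use the key and gets a KeyPermanentlyInvalidatedException. The following is an added illustration, not Aegis' own code: the key alias, class name and the idea that the wrapped vault key lives elsewhere in app storage are assumptions made for the example.

```java
// Added example (not Aegis code). An AES-256-GCM key in the Android Keystore that can
// only be used after user authentication, so the system, not the app, decides when it
// is invalidated. Assumed names: BiometricVaultKey and the alias "vault-biometric-key".
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;

import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public final class BiometricVaultKey {
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String ALIAS = "vault-biometric-key"; // hypothetical alias
    private static final String TRANSFORMATION = "AES/GCM/NoPadding";

    /** "Enable biometrics" (step 1 of the test above): generate a fresh key. */
    public static SecretKey create() throws Exception {
        KeyGenerator gen = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setKeySize(256)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                // Every use must be authorised by the user. With no validity duration
                // the system ties the key to the lock-screen and biometric enrolment
                // state and wipes it when either changes; the app cannot prevent that.
                .setUserAuthenticationRequired(true)
                // API 24+, defaults to true; false would survive new enrolments but
                // then any newly added fingerprint or face could unlock the vault.
                .setInvalidatedByBiometricEnrollment(true)
                .build();
        gen.init(spec);
        return gen.generateKey();
    }

    /** "Disable biometrics": drop the key so only the password can open the vault. */
    public static void delete() throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        if (ks.containsAlias(ALIAS)) {
            ks.deleteEntry(ALIAS);
        }
    }

    /**
     * Prepare a decrypt Cipher to wrap in BiometricPrompt.CryptoObject. Returns null
     * when the key is gone or the system has invalidated it; that is exactly the point
     * at which an app has no option left but to ask for the password, because the
     * wrapped vault key is still on disk but nothing can unwrap it any more.
     */
    public static Cipher initDecrypt(byte[] iv) throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        SecretKey key = (SecretKey) ks.getKey(ALIAS, null);
        if (key == null) {
            return null; // never created, or deleted by "disable biometrics"
        }
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        try {
            cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        } catch (KeyPermanentlyInvalidatedException e) {
            delete(); // unusable for good; remove it so the user can re-enable biometrics
            return null;
        }
        // Caller: new BiometricPrompt.CryptoObject(cipher), authenticate, then
        // cipher.doFinal(wrappedVaultKey) inside the success callback.
        return cipher;
    }
}
```

The reporter's test (disable, re-enable, lock, unlock, open) maps to delete(), create(), then initDecrypt(): a null return after a plain lock/unlock cycle, with no enrolment change, is the behaviour this issue describes and is not something the app can distinguish from a real enrolment change, since the exception carries no reason.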

Since we have not received any other reports of this happening in over a year, I'm going to close this for now.

alexbakker avatar Oct 05 '22 11:10 alexbakker

I haven't been able to reproduce this on the same device that initially had issues, either. Weird edge case moment, I guess.

5HT2 avatar Oct 05 '22 21:10 5HT2