Configuration Issue: Convenience Unlock and Quick Launch with Device Passcode Fallback

With a certain combination of settings enabled, your database becomes more exposed to attack. The Strongbox app attempts to warn you about this, so that you can take suitable action or at least be aware of the issue.

This occurs if all of the following options are enabled:

  1. Face/Touch ID Unlock for App Lock
  2. Face/Touch ID Unlock for your database
  3. Quick Launch (🚀) turned ON (What is Quick Launch?)
  4. Coalesce Biometrics for Quick Launch (Preferences > Advanced Preferences)

This means a single Face ID unlock automatically unlocks the app and then immediately unlocks your Quick Launch database. This is what the term "Coalesce" means: it avoids requesting two Face ID authentications in a row, which is very convenient and quick.

However, if you also have 'Allow Device Passcode Fallback for App Lock' turned on, then someone who knows your device passcode could:

  1. Fail the Face ID unlock (they may need to do this two or three times)
  2. The system will then allow a fallback to your device passcode to unlock the Strongbox app
  3. Technically, Strongbox cannot tell the difference between Face ID and the device passcode; it's just not possible. The system simply tells Strongbox that Face ID completed OK.
  4. Due to the Coalesce option for Quick Launch mentioned above, Strongbox will coalesce this successful Face ID App Lock unlock and use it to unlock your Quick Launch database.

So someone who knows your device passcode can unlock your database in this way. This may not be a concern for you, but you should be aware of it either way. If you do not want this to be possible, you can:

  • Turn off 'Coalesce Biometrics...' in Advanced Preferences
  • Turn off Quick Launch for your database
  • Turn off 'Allow Device Passcode Fallback' in Preferences > App Lock. Be careful: if for some reason your Face ID sensor breaks, you will be locked out of Strongbox and a reinstall is required.

Couldn't an attacker use this same technique to unlock my database when I have the "Coalesce" option turned off?

An attacker could fail Face/Touch ID and use the device passcode to unlock the Strongbox app (if you allow device passcode fallback for App Lock). However, Strongbox (by design) does not allow device passcode fallback for database unlocking, because it is so much more sensitive than App Lock. Strongbox will always fall back to requiring the full master credentials for database unlock. So a bad actor could unlock the Strongbox app, but they could not unlock your databases. It is only by combining the Coalesce feature with the Quick Launch feature that a database can be unlocked via the device passcode.
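As an added illustration of the two unlock gates described on this page (not Strongbox's own code), the following Swift sketch models them with Apple's LocalAuthentication framework. It shows why an app cannot distinguish a passcode success from a biometric one when it requests `.deviceOwnerAuthentication`, which settings combination lets the passcode path reach the Quick Launch database, and one defensive rule that only reuses an App Lock result for the database when that result could only have come from biometrics. The `UnlockSettings` type, the function names and the coalescing rule are assumptions for this example.

```swift
import LocalAuthentication

// Added example, not Strongbox's code: the settings discussed on this page.
struct UnlockSettings {
    var allowPasscodeFallbackForAppLock: Bool   // 'Allow Device Passcode Fallback for App Lock'
    var quickLaunchEnabled: Bool                // Quick Launch (🚀) for the database
    var coalesceBiometrics: Bool                // 'Coalesce Biometrics for Quick Launch'
}

enum UnlockGate { case appLock, database }

/// `.deviceOwnerAuthentication` lets iOS offer the device passcode after failed biometrics;
/// `.deviceOwnerAuthenticationWithBiometrics` never does. Either way the reply block only
/// reports success or failure, so the app cannot tell which path satisfied the policy.
func laPolicy(for gate: UnlockGate, settings: UnlockSettings) -> LAPolicy {
    switch gate {
    case .appLock:
        return settings.allowPasscodeFallbackForAppLock
            ? .deviceOwnerAuthentication
            : .deviceOwnerAuthenticationWithBiometrics
    case .database:
        // Database unlock is more sensitive: biometrics only, otherwise master credentials.
        return .deviceOwnerAuthenticationWithBiometrics
    }
}

/// The risky combination the page describes: can the device-passcode path reach the database?
func passcodeCanReachDatabase(_ s: UnlockSettings) -> Bool {
    return s.allowPasscodeFallbackForAppLock && s.quickLaunchEnabled && s.coalesceBiometrics
}

/// Defensive coalescing rule (an assumption for this example, not Strongbox's behaviour):
/// reuse the App Lock result for the database only if it could only have come from biometrics.
func mayCoalesce(_ s: UnlockSettings) -> Bool {
    guard s.coalesceBiometrics, s.quickLaunchEnabled else { return false }
    return laPolicy(for: .appLock, settings: s) == .deviceOwnerAuthenticationWithBiometrics
}

/// Thin wrapper over LAContext; the completion receives only success or failure.
func authenticate(_ policy: LAPolicy, reason: String, completion: @escaping (Bool) -> Void) {
    let context = LAContext()
    var error: NSError?
    guard context.canEvaluatePolicy(policy, error: &error) else { completion(false); return }
    context.evaluatePolicy(policy, localizedReason: reason) { ok, _ in completion(ok) }
}

/// App launch flow: pass App Lock, then either coalesce or prompt separately for the database.
func unlockOnLaunch(settings: UnlockSettings, openDatabase: @escaping () -> Void) {
    authenticate(laPolicy(for: .appLock, settings: settings), reason: "Unlock the app") { appUnlocked in
        guard appUnlocked else { return }
        if mayCoalesce(settings) {
            openDatabase()   // biometric-only result reused for the Quick Launch database
        } else {
            // Separate biometric prompt; on failure the app would ask for master credentials.
            authenticate(.deviceOwnerAuthenticationWithBiometrics, reason: "Unlock database") { ok in
                if ok { openDatabase() }
            }
        }
    }
}
```

`passcodeCanReachDatabase` is true exactly for the four-setting combination the page warns about, which is the condition an in-app warning would check. `mayCoalesce` shows the alternative of refusing to coalesce whenever App Lock was requested with a passcode-capable policy: the user keeps the convenience of one prompt when fallback is off, and gets a second, biometrics-only prompt when it is on, so the passcode never reaches the database.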