Even in phone the password will not be the only thing to protect the phone. It could be PIN, your face, voice, finger print, retina, gesture, or NFC and so on. What I can guarantee is that it'll not the Unix login password. User login will not be performed by shell login. Password recovery will be similar to the IVI does. It can be email authentication which currently android does, go to A/S shop and reset pwd, some special interface by OEM, and so on. Also it'll not be the Unix style password reset. Now I think we need to consider login manager which I didn't thought yet.
BTW, Galaxy device's device encryption cannot be recovered when user forgets his password because the key is derived by user password and there is no key backup. Bumjin. -- May the Force be with you ---------------------------------------------------- * BumJin Im * Senior Engineer, Mobile S/W Platform lab, S/W Platform Team Samsung Electronics --------------------------------------------------------------------------------- ------- Original Message ------- Sender : Jussi Laako<[email protected]> Date : 2014-03-20 00:51 (GMT+09:00) Title : Re: [Dev] [Multiuser] Security Policy Proposal for Multi-User Environment On 19.3.2014 16:20, Carsten Haitzler (The Rasterman) wrote: > sure. but in the case of ivi, it'll neever protect your car. its for > infotainment. at least thats ostensibly the purpose. if ivi is meant to > totally > take over all functions of a car... including door locks etc... it's going to > be a big problem. IVI should be protected by the same key system as the car itself, but in addition it can use other means such as NFC (we implemented a demo version of this for TLM). I don't want to enter any passwords when I enter the car, currently IVI is unlocked by my key fob and recognizes me. And that's how car already recognizes driver's setting preferences, driver seat configuration, etc. For passengers, NFC/BT is good way to authenticate. 10 pieces of 4 kB NFC stickers cost 30€. You can save one in bank's vault for recovery. > the problem is - with phones, no one expects to have to pay 200eur to unlock > it. same for a pc. also a phone is a $500 or $1000 purchase. a care is > $20,000-$100,000 or more purchase. and phones are not parked along on the side > of a street for hours, days or weeks at a time... etc. :) I think my phones are pretty much bricked if I forget the device lock code. Maybe it is possible to reflash the device at service. Even my Samsung Galaxy Tab 10.1 has full storage encryption and long device lock password and I don't know how it could be recovered if lost (I don't use any NSA...ehm.."cloud recovery" services). > you can't apply the same assumptions on security to both ivi/cars and > phones/tablets/pc's or even tv's etc. (tv's might be much more likely to be > publicly unattended though). At best what you should get in case of "recovery" is completely DoD grade wiped device. If my device gets lost, I want to get a remote kill switch for it so that it can never be used by anybody again. Isn't this becoming mandatory in California? My data is much more valuable than the hardware it resides on. _______________________________________________ Dev mailing list [email protected] https://lists.tizen.org/listinfo/dev _______________________________________________ Dev mailing list [email protected] https://lists.tizen.org/listinfo/dev
