beemdevelopment / Aegis

A free, secure and open source app for Android to manage your 2-step verification tokens.
https://getaegis.app
GNU General Public License v3.0

Warn about biometric unlock #1414

Open SteveSWang47 opened 3 months ago

SteveSWang47 commented 3 months ago

I've been using Aegis for a year and I forgot my password in the first week. I thought it was a minor problem since I've been using biometric unlock which never failed. However, after adding another fingerprint (of my left thumb), Aegis refused to accept biometric unlock so I lost access to it (luckily I had the recovery codes of my accounts so I didn't lose any of them, and I was able to reinstall Aegis). The problem is, there's no warning that this trigger exists in the app, so anyone who uses biometric unlock might run into similar problems. So I suggest adding a warning that "Biometric unlock might not be accepted in some situations" (or something similar) (currently it only says that "if you forget your password, you will lose access to your tokens" while setting the password, while you can actually unlock the vault with biometric unlock) so that those who use biometric unlock can pay more attention to remembering their passwords.

edent commented 3 months ago

I think this is an Android OS limitation. When I added a new fingerprint to my Android / GrapheneOS phone, all of my apps refused to work with biometric login. I had to go into each of them with a password, then re-enable biometrics.

But, I agree, stronger wording might be helpful. What do you think you would have done differently if you'd seen that warning?

alexbakker commented 3 months ago

We can consider adding an extra warning, but we already have the warning you mentioned: "If you forget your password, you will permanently lose access to your tokens. There is no way to recover them without the password."

In addition, we also semi-forcefully remind you to enter your password every once in a while. If you try to unlock Aegis using biometrics anyway, a dialog appears explaining that you need to remember your password in order to not get locked out of your Aegis vault. (Or did you disable the password reminder entirely?)

If you missed those two, I'm not sure a third warning will help.

SteveSWang47 commented 3 months ago

I thought that biometric unlock would always work the same way as the password, so I didn't bother remembering the password, and I lost my password before the password reminder appeared the first time. If I had been warned that it might not work, I would have tried to remember the password more carefully, or written it down somewhere safe.

SteveSWang47 commented 2 months ago

The "You will lose access" warning only appears while setting the password, and biometric unlock is set up after setting the password, which can be misunderstood to mean that biometric unlock is the same as the password (as long as you can unlock your phone with a fingerprint, you can also unlock the vault). There is no warning that biometric unlock might be rejected by the app.
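The behaviour edent calls an Android OS limitation, and the rejection SteveSWang47 describes, is illustrated below as an added example that is not Aegis code: it assumes the cause is Android Keystore invalidating a biometric-bound key when a new fingerprint is enrolled (`KeyPermanentlyInvalidatedException`), and shows how an app can detect that before the user is locked out; the key alias and method names are hypothetical.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

// Added example, not Aegis code. Demonstrates why a biometric-bound Keystore key
// stops working after a fingerprint is added, and how to fall back to the password.
public class BiometricKeyCheck {
    private static final String ALIAS = "vault-biometric-key"; // hypothetical alias

    enum UnlockState { BIOMETRIC_OK, BIOMETRIC_INVALIDATED_NEED_PASSWORD }

    // Generate an AES key usable only after biometric authentication.
    // setInvalidatedByBiometricEnrollment(true) is Android's default for such keys;
    // it is written out here because it is the setting that causes the lockout.
    static SecretKey generateBiometricKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setUserAuthenticationRequired(true)
                .setInvalidatedByBiometricEnrollment(true)
                .build());
        return kg.generateKey();
    }

    // Call before showing the biometric prompt. If biometrics were enrolled after the
    // key was created, Keystore refuses to initialise the cipher with it; the app must
    // then unlock with the password and re-create the biometric key afterwards.
    static UnlockState checkBiometricKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        SecretKey key = (SecretKey) ks.getKey(ALIAS, null);
        if (key == null) return UnlockState.BIOMETRIC_INVALIDATED_NEED_PASSWORD;
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, key); // would be passed to BiometricPrompt
            return UnlockState.BIOMETRIC_OK;
        } catch (KeyPermanentlyInvalidatedException e) {
            ks.deleteEntry(ALIAS); // key is unusable for good; drop it
            return UnlockState.BIOMETRIC_INVALIDATED_NEED_PASSWORD;
        }
    }
}
```

Running the check on every unlock lets an app show "biometric unlock is no longer available, enter your password" instead of a silent rejection, which is the warning this issue asks for.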