
It's crazy to me that the phone hasn't locked automatically. Do people really walk around with their phones set to never lock and turn the screen off? Mine times out after 5 minutes.



I disable auto-lock. The primary reason for this is that I’m extremely intentional about using my phone. If I have some content open, I don’t want the screen turning off.

This is an atypical choice, but I always lock when I’m done and don’t encounter any issues from this choice.


> This is an atypical choice, but I always lock when I’m done and don’t encounter any issues from this choice.

I try to avoid modern Boeing aircraft as well.


I do the same. I make sure to use FaceID, though.

I also almost never use apps like dedicated banking apps or social media apps; instead, using Safari.

I know folks that don’t lock, and don’t use Face/Touch ID, because convenience (or paranoia).

I’m not sure that’s a good idea. We have our whole lives in these devices, and they could do a lot of damage.

There’s an old movie, called Taking Care of Business[0], where Jim Belushi finds Charles Grodin’s date planner, and takes over his life.

[0] https://en.m.wikipedia.org/wiki/Taking_Care_of_Business_(fil...


> I also almost never use apps like dedicated banking apps or social media apps; instead, using Safari.

Nearly every bank I know of recommends using apps over their website, since in general they're safer than using their websites. But I'm in The Netherlands and I don't know whether banking apps in different countries have the same security standards.


That is probably true because phones are less susceptible to keyloggers or evil browser extensions, but "security standards" have approximately nothing to do with it beyond "using HTTPS".

The security model for US banks is that it's illegal to do crimes to people's bank accounts. It doesn't involve "super secure apps", bank account numbers and credit card numbers are super insecure and there is little reason you should care about this insofar as you're not liable for leaking them.


The difference is that with an app, the server can ensure it's running on a safe non-compromised/jailbroken device using remote attestation (Play Integrity, App Attest).

With a web browser, there's no way of doing that by design as the user has full control over their user agent, so you need to trust the end user is following good security practices and hasn't allowed their user agent to become compromised.

However, in the EU, banks are legally liable for financial loss caused by unauthorised transfers, so they are increasingly not willing to trust that the user hasn't just loaded their browser up with malicious extensions and malware.


This might be true for credit cards but for the vast majority of people, even completely irrespective of income, getting your checking account number leaked to a nefarious party can absolutely cause you a hell of a lot of trouble.

Credit cards will give you the benefit of the doubt with a credit while they investigate. Banks (and credit unions) are going to be VERY hesitant to give you a 5-figure advance into a new checking out while they investigate how your account got drained when it initially looks like you did it. Even the most pro-customer policies practicable won't help when now all your automatic payments start failing. It's certainly a recipe for ruining your week and you'll likely spend the next month or two dealing with the fallout, and that's assuming you don't face crippling financial penalties because of it, which the majority of Americans would.


> as you're not liable for leaking them.

But it's fun when you get your checking account drained, and it takes weeks to get it back.

I've seen that happen to a couple of folks.

That's also why I don't like to link my account to sites like PayPal and Venmo.


I solve that, by not doing banking with my phone.

Social media and store loyalty apps are basically just PID harvesters.

In fact, I have a couple of solitaire games that are constantly nagging me to join leaderboards and take community challenges.

All my financial transactions are done with my Mac, which sits behind a fairly robust home network.

I know, for certain, that banking apps are the #1 first target, for hackers.


Where I live having the app for 2FA is mandatory for online banking unless you can convince them to give you a hardware TAN generator. So transferring money is actually much less convenient in the browser because everything I do has to be confirmed with my pin in the app, so I might as well just do it in the app directly and only login on one device instead of two.

Of course this is actually "phone factor authentication" and not two-factor authentication, but I kinda need a bank account.


Ugh. Sorry to hear that. I use 1Password for TFA, and I haven't had to use an app.

When I first run an app, and it asks for access to camera, microphone, photos, calendar, contacts, and location, I tend to immediately plonk it; regardless of its purpose.

I have a PMB, and the store has an app that uses the phone to unlock the door, after hours.

There is a keypad, but that hasn't actually worked, in months, and the store has ignored my reports.

I just go there, during business hours, even though it's inconvenient.


I just recently started a job that uses 1Password, which I've used personally for years, but they also recommend the 2FA built into 1Password. It's incredibly convenient, and I "know" it's as secure or more secure than using my phone, but man I just haven't been able to get over that mental hurdle of putting all my auth eggs in that 1Password basket.


With a touch login on the phone and (say) google authenticator IMHO it's considerably less inconvenient to login into something online with the desktop than what Chase does to me. The phone is sitting right there anyway, and 6 digits to type in by hand is not that big a deal. I do it all the time.

Basically the phone is the 2FA generator.


Does "the app" mean the site's app?


I mean the bank's phone app. It is locked to one specific device and is the only possible method of authentication. I either need to use the app itself, or confirm every login and transaction in the app when using a browser.


My bank has a similarly unhelpful approach, but at least the SMS code expires, and my phone never sees my bank password at all.


> I solve that, by not doing banking with my phone.

Even though some scum corps like Chase make it a PITA to manage my account from a desktop through firefox, that's the only way I'm going to interact with them.

"Download the app!"

Hard no!

In fact these are the only apps I think that appear regularly on my phone, but only when I'm traveling: AirBnB, Uber/Lyft, and whatever airline I'm currently flying on next. I think if I'm crossing borders I've installed whatever gov spyware makes TSA/Global Entry easier. They're already groping me hard, why not.

LA Fitness gets to stay because it's dumb and silent. I don't see anything else not security related. On mobile I talk to the outside world with K-9, firefox, signal, whatsapp, sms. I'm happy.


I don't use Chase in the US, but I had issues with firefox and some financial websites.

My fix was to create an entirely new profile, with no customization, no cookies restrictions, no add-ons, and use it only for financial sites.

I then exit my current FF, and switch to it, and back again.

All my issues vanished after doing that.

You could also create a different user in Linux, and isolate that way.

Hope it helps.


> I then exit my current FF, and switch to it, and back again.

FWIW, you can also run multiple profiles simultaneously. They are independent processes, sharing no resources or permissions.

This is my model for difficult sites. If I'm really concerned, I use FF network config to allow access only to the domains I think are proper.

Although in the case of banking, I prefer to use the official mobile apps. Some are actually pretty good. Others are awful. But I trust the iOS app sandbox and I trust my banks.

I also block traffic at the network level, so if the bank app attempted something egregious (e.g. tracking via the basket of Internet deplorables), it would fail.


I use Chase on my phone and desktop (Brave, not FF) and have noticed zero issues doing anything on the desktop.


The idea of our lives being in/on our phones, is an animating plot mechanism in Accelerando by Charles Stross: a tech executive loses their <device> and is unable to function, most memory and executive functions having been delegated to it; and a kid who finds it, becomes correspondingly empowered.


If you use email apps, you might as well be using banking apps.

If they have access to the recovery email and your phone then they have the keys to the house anyway.


If someone grabs your phone, welcome to issues. Or you drop your phone when distracted by something. Both unlikely, yes but not impossible. Similar to wearing a seat belt.

I found someone’s Apple Watch that had no password. I could have done a ton of nefarious things if I’d been inclined. Had a different person picked it up, they might have had all their accounts hijacked.


Lineage OS has this cool feature called "Caffeine" which is a quick settings button. When tapped, it temporarily increases the lock screen timeout. Pressing it again increases it more. Long pressing it will make it infinite. It will reset once the user manually locks. I find it quite useful in cases like reading


I second this, a short timeout for security + caffeine for convenience is what all phones should have in my opinion.


This seems crazy, from a security point of view, even just basic level, like my kids walking off with it


Hmm, I live alone and I don’t leave my phone unattended. I think it’s important to consider your risk profile before changing any security settings. With kids, I would probably adjust my threat model to prevent accidental changes to things, etc.


Precisely. I’ll choose when to lock the screen - what if I’m using it to read a recipe, or looking up documentation, or I have a map on screen? Etc etc.


It seems like you should still have an auto lock to 30 minutes? Events way less drastic than an airplane door blowing off can cause you to not be able to lock your phone, like someone just snatching it out of your hand on the subway (where in theory they could keep it awake indefinitely with a 30 minute timeout but they very probably won't)


The maximum on iOS is only 5 minutes, and I regularly leave my phone untouched for longer periods than that while cooking.

I hear your point, but everything really important on my phone is behind another wall of passwords/pin protection, and I am meticulous about backups. The physical device doesn’t matter much. I’ll put it on stolen mode remotely, force an email sign out, and just assume it’s dead because they won’t be able to turn off Find My.

I also work from home, so I’m more suited to having it in this mode of operation.


I think the phone thieves have figured this out by now and will keep it unlocked even if it's a 30 seconds timeout.


I've had phones for close to a decade now (Moto X 2014) that can detect when I'm looking at the device and extend the timeout. So if I glance at the device every few minutes checking on the recipe or a map or whatever it'll keep the screen on indefinitely.


iOS has “Attention Aware” features but these features don’t account for atypical use cases like when I’m running some persistent app that needs foreground use (like a firmware update on an IoT device) that I can’t be bothered to stare at.


I use Guided Access Mode for this.


I hate that the maximum for auto-lock is 5 minutes. I wish you could set it to 10 or even 30, but it's 5 minutes or never.


Guided access should give you some help there.


I'm in the same boat. I disable auto-lock. However, it would be nice to have a setting for 30 minutes or an hour, but thankfully my battery will die before that's needed.


Quick data point that Samsung Android phones (at least the ones I've used for the last many years) unlock with fingerprint on the side which is as close to a zero-effort unlock as you can get.


I have Face ID enabled etc, but it doesn’t change the fact that it’s annoying. If I’m alone at home with the door locked, there is an infinitesimally small chance of any security issue that would render my device compromised. So realistically, I’m accounting for my own sanity + convenience here.


Same here. I get irritated when I see people put down their phone without locking it, only to realize theirs will auto-lock.

That said, from now on I'll probably have auto-lock turned on when flying.


If your phone unexpectedly ends up on the ground in the middle of a flight, auto-lock is the least of your problems.


Possibly, given people are (to some level of course) basically fine, having someone walk off with your phone unlocked could have pretty annoying consequences at a time when you'd really rather not deal with them


> That said, from now on I'll probably have auto-lock turned on when flying.

I think you are far far more likely to have a random cardiac arrest or stroke while you are looking at your phone than have it ripped out of your hands in an airplane. The former has happened to several otherwise healthy people I know and the plane thing happened to a few people ever.

Also do you turn it on while you are a passenger in a car or bus?


I sometimes do it when I have to use my phone with gloves or in the rain (temporarily)

My phone has the fingerprint sensor. I don't use faceid.


As a rule, if the security feature creates even the slightest bit of inconvenience when using the device, you can bet your bippy that about half the user population will turn said feature off.


Some people install dummy seat belt defeat devices.


Or ride with the damn bell ringing the whole time.

I have a co worker who I won't ride with anymore simply because of that.


I always put my seatbelt (feel naked without it), but I deactivated the ringing in my car, otherwise it's annoying if you have a bag on the passenger seat.


Sir, mother in laws should be spoken of with more respect.


Would it help if in addition to the bell ringing, cars would start to let out some very nasty odour? Could help with the deaf and the noise ignorant.


Or maybe a speed limiter. You can’t go over 25mph until the seatbelt is fastened. That would let people move a car in the driveway or something minor, but force them to buckle to get on most roads.


There was a death at 20mph around our area though, because of no seatbelt. It was specifically shown at the course to attain the driver's license.


It was also a choice; life is full of risks, having stuff (or even worse, other people) decide for me which I should prioritize drives me bonkers.

The same person who's super disciplined about seat belts likely takes other risks that another person would deem at least as serious.

Having an optional reminder feature is great; forcing it, not so much.


Unfortunately, not wearing a seat belt isn't a risk borne just by the one in the seat. There have been cases of people flying out of their window and battering someone with their body due to not wearing a seat belt. Of course, everything carries a risk of harm to someone else, it's a matter of where to draw the line.


Yeah, but these are people in the same car who are very likely in agreement about whatever risks.


You misunderstand, it's the person in the car you hit that would be knocked by the flying driver.


Really, that's the risk you're telling yourself you're preventing by bossing other people around?


We already legally force it in almost every state on public roads because it's not about you, it's about everybody else minding their own business getting killed by your choices.

Doesn't take much FOD on the highway for your unbuckled body to slam into something and now you have a driverless vehicle. Also everyone else in your car should be buckled too so you're not bumping noggins.


I find this line of reasoning extremely far fetched.

Is this how far you're willing to go to boss other people around to fit your preferences?


You find the reasoning behind the laws we've enacted far fetched.

Or is it just the job of the survivors of your bullshit to sue your estate into non-existence?


How fast was the other car going?


Limiting speed (below highway speeds) can be incredibly dangerous. Not being able to merge at speed is a non starter.


This is a non issue if putting on the seat belt fixes it.


See, now you're using the seat belt as an excuse to not avoid other risks.

Avoiding a car crash in the first place would definitely be the better alternative.


Are you a teenager, because this line of thinking crosses into the territory of "I don't need a seatbelt, I'd just use my arms to stop my ass from getting flung out of the window", while having zero clue how physics works.

Do you think of the 6 million police reported auto crashes in 2022 (in the US if you're not from here) that most if not all the people involved would have rather not been in an accident in the first place?


I don't keep anything useful on my phone, there's no reason for me to lock it and every reason not to.


It’s definitely due to either abject stupidity or a lack of understanding. Some people just can’t technology


A more charitable take: they've decided the risk of theft/loss isn't worth the inconvenience.


The fact that it was pulled out of the plane (and didn't stay snug in its owner's pocket) suggests it was being used at the time, and thus unlocked. And yeah, I tend to set my phone to never lock at times, probably not while traveling I guess, but it absolutely happens.


> it was being used at the time, and thus unlocked

Although it may well have been reconfigured, by default iPhones will lock up after a short inactivity.


Yes, I know, that's what the second part of my comment was theorising about.


The tweet said there was a broken off charging plug still in the phone. Maybe that kept it unlocked?


Unlikely, as plugging in a charger cable without electrical power has no effects on an iPhone.


A ripped cable might short pins which might confuse that logic. It's probably in connected mode but showing something like insufficient amps.

Simpler explanation, it's 2023 Apple code...


Some of us intentionally disable autolock - I know I have it off because I can’t stand the screen automatically turning off on me when I’m using it for reference material.


Can't you set it to only auto-lock when not on your person, near you or at place X, Y or Z? Seems there are so many options for targets to keep it unlocked (smartwatch, a place, movement, WiFi, ...) that disabling it seems unnecessary?


Phone locks are mostly a protection against accidental loss (self inflicted or stolen).

But sometimes that's not worth the hassle. E.g. I disabled locks while my car was running.

The tradeoff is IMHO well worth it as I immediately take the phone from the car should I leave. So the overall risk is minimal. Yet should it ever distract me then that's a big issue.

And not being reachable was also not an option given family circumstances at that time.

It's just a risk vs. benefit tradeoff. And that's a very personal judgment call.


Most people don’t expect their phones to be sucked out of airplanes.


> Most people don’t expect their phones to be sucked out of airplanes.

Most people don't expect a stranger to post photos of their phone's screen on the Internet either.


There are an almost limitless myriad of "Most people don't expect..." which is why security features are important.


> why security features are important

Being thoughtful is also important. I can think of no reason for anyone to share an innocent stranger's details on the Internet.


> Do people really walk around with their phones set to never lock and turn the screen off?

I set mine to lock and auto-turn off after a short moment.

Nonetheless, I have found that the phone will sometimes get in a state or screen which prevents autolocking. It does this usually at the same state or screen but it's easy to trigger accidentally without noticing.

...just pull down the top bar. That might happen if you're holding your phone and it gets sucked out of your fingers. Or stolen right out of your hand.


Autolocking failures are why I wish I could lock my whole photo library behind an additional layer of unlock instead of just the hidden album.


It depends on your settings I guess. I'll put my phone down on an app only to find out half an hour later it's still open.


My auto-lock is set to 30 seconds, and I still manually lock it any time I put it down instead of waiting. I often see people put their phone down or in their pocket with the screen still on, and it just sits there for several minutes. It’s a pet peeve of mine. I have to assume these are the same people who complain about battery life all the time.


My dad does this, and now complains his early-gen OLED phone screen has terrible burn-in. It's not like I warned him since day one...


I agree. I see a lot of comments about “being intentional about using the phone” but in those cases the phone doesn’t lock anyway… using maps or watching something prevents auto lock. It just makes no sense at all to disable it.


It’s not true if you’re looking at sheet music in Safari while playing an instrument for example, or looking at engine assembly diagram while working on an engine with greasy hands.


That's true of video playback, it's not true for other apps I want to keep open without the phone auto-locking. People making those comments aren't like lying or delusional, they're just using different apps.



