GitLab

Currently we are only validating users with text strings but text input, on small mobile devices especially, is little fun and for that reason some users might choose comfortability, with a short password, over security. There are several possibilities available to tackle this "problem":

1. Offer more user validation possibilities besides using a password, e.g. use the device's fingerprint sensor

if available. This will only work for one account though, if a user has multiple accounts we will need to offer some way for the user to define which account is using his fingerprint.

2. Define access layers with different security restrictions

This is much more tricky and maybe not desirable at all but I feel there is sufficient discussion merit nonetheless. Currently Briar employs a single access restriction on a per account basis, i.e. you either have access to everything (for the respective account) or nothing depending on your knowledge of the password.

Another approach would be to have multiple access levels, e.g. you enter the app with a four digit pin that gives you access to the app but in order to communicate with extra-secure users (this could be marked when contacts are added) you must first confirm your password on a session basis. Here we would need to make sure that the security restriction on the communication between contacts A and B would be identical, i.e. both parties would be required to confirm the passwords in order to communicate.