What do you think about this option I was thinking about first? PIN + fingerprint without an additional password as a backup. Wouldn't it be better to have this option with just those 2 options? If one of them fails, you lose access to your phone. What if the device is compromised? Isn't it easier to extract a password or PIN than a fingerprint? A fingerprint requires a physical finger to touch the device.
Discussion
In the current option, the fingerprint can be skipped if you know the passphrase.
Fingerprints or values derived from fingerprints cannot be used as a key to decrypt the device because they naturally change all the time and also risk being destroyed from injury. Technically impossible to do and also very difficult to preserve. It needs to be a static credential that doesn't change like a key derived from a passphrase or PIN.
> Isn't it easier to extract password or PIN than fingerprint?
The device doesn't store your PIN or password. It generates a long, secure key derived from the input, and if it is correct the keys are stored in RAM so that data can be decrypted and used. When the device is in "Before First Unlock", a secure passphrase makes credential-encrypted data extraction impossible because the keys aren't in memory.
If the device was in "After First Unlock", then those keys are in RAM and data is accessible regardless of the unlock method used, provided there's an exploit to bypass the lock screen. Cellebrite's exploits do this with the original Android OS and some iOS devices, and they don't need to know the fingerprint, password, etc. Their tools don't work on GrapheneOS, but we have the automatic reboot feature for this reason as a protective measure.
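To make the BFU/AFU distinction above concrete, here is an added toy model (not GrapheneOS or Android code): the passphrase is never stored, only a slow KDF of it produces the data key; a fingerprint can only release a key already cached in RAM; a reboot drops the cached key. The `Device` class, its method names and the HMAC-based stand-in cipher are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Constructed model of how unlock credentials gate the data key (added example).
# Real devices use hardware-backed key storage and a real disk cipher; this
# keeps only the part the thread argues about: where the key is, and when.

def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Slow KDF over the user's secret; the device keeps the salt, not the PIN."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=32)

def xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stand-in for the disk cipher: HMAC-SHA256 counter-mode keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

class Device:
    def __init__(self, passphrase: str, user_data: bytes):
        self.salt, self.nonce = os.urandom(16), os.urandom(12)
        key = derive_key(passphrase, self.salt)
        self.verifier = hashlib.sha256(b"verify" + key).digest()  # rejects a wrong PIN
        self.ciphertext = xor_keystream(key, self.nonce, user_data)
        self._key_in_ram = None  # fresh boot: Before First Unlock, nothing cached
        self.locked = True

    def key_present_in_ram(self) -> bool:
        return self._key_in_ram is not None

    def unlock_with_passphrase(self, passphrase: str) -> bool:
        key = derive_key(passphrase, self.salt)
        if not hmac.compare_digest(self.verifier, hashlib.sha256(b"verify" + key).digest()):
            return False
        self._key_in_ram, self.locked = key, False  # device is now After First Unlock
        return True

    def unlock_with_fingerprint(self, sensor_match: bool) -> bool:
        # Biometrics never derive the key: with nothing cached (BFU) they cannot help.
        if self._key_in_ram is None or not sensor_match:
            return False
        self.locked = False
        return True

    def lock(self) -> None:
        self.locked = True  # screen locked, but the key stays in RAM (still AFU)

    def reboot(self) -> None:
        self._key_in_ram, self.locked = None, True  # back to BFU (what auto-reboot buys)

    def read_data(self) -> bytes:
        if self.locked or self._key_in_ram is None:
            raise PermissionError("locked")
        return xor_keystream(self._key_in_ram, self.nonce, self.ciphertext)
```

Running the sequence passphrase unlock, lock, fingerprint unlock, reboot, fingerprint unlock shows the fingerprint working only while the key is already in RAM.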