While the caching in this case is unexpected, changing the behavior would require a patch to polkit, as it hard codes the expiration time to 5 mins.
Note that in order for this to be an issue the following must occur:
- device owner sets a new passcode
- if the screen timeout causes a suspend (defaults to 2 mins) a code must be entered in the login screen
- if the owner presses the power button then a code must be entered in the login screen
- if the polkit timeout expires (5 mins) a code must be entered in settings
So the second user would need to get possession of the phone within 2-5 mins after the owner changed the code, and immediately set security to swipe, then set security to a new code. Trying to set a new code directly will also prompt for the old code.