Is there an API or other method for determining if a credential exists on the device that doesn't require taking my fingerprint first in Android?
Currently, I can call getSignPendingIntent(PublicKeyCredentialRequestOptions) with a particular credential id and then I'll be prompted to use my fingerprint. After giving my fingerprint, I'll either get an error response returned if the credential does not exist on the device or get a success response if it does exist.
Is there another method to determine if a credential exists on the device?
One reason for needing to know this is if a customer has registered a credential on device A, but then visits the website on device B. If they are on device B, I don't want to prompt them for a fingerprint to know if they can use their WebAuthN credential. I want to check if the credential exists first and otherwise fall back to the standard authentication method.
There is no way to be 100% sure. Best possible solution as of today is storing the credential id in local storage (or a cookie) where it was created. That way, you can check if you should offer fingerprint login (aka. Platform Authenticator) option on that device, i.e., in that browser.
There's been some attempts in FIDO Alliance and W3C WebAuthn WG to change this, but so far it has not been done mainly due to privacy reasons.
Related
i have Searched All over Internet about how to add new Fingerprint using our own app, but i am unable to find anything, i have also searched on stackoverflow about this and i found some Same Questions to but no one has answered about this correctly, So i have decided to ask this question one more time.
I have successfully Completed the Authentication through Fingerprint
but know i want to add multiple fingerprints to my app
I am making an app where new users Registered first they enter there name,address,emailID,Age and Fingerprint. all the data stored in MYSQLI
after that when the new user Successfully registered, when the same person tries to login, the first thing he should do is to scan his finger when the scan successfully all the Details which he mentioned while Registration will shows up
i mean his Name,addess,EmailID,Age
So, This is what i want it is similar to Bio-metric fingerprint reader but i want to do this with Mobile fingerprint scanner can anyone help me??
I have done this
Fingerprint but no success Help me out thank you
Adding a fingerprint under the direction of the app with a mobile device built-in fingerprint reader/framework is NOT POSSIBLE:
From Android Source Site:Security:Authentication:Enrollment:
On first boot of the device after a factory reset, all authenticators are prepared to receive credential enrollments from the user. A user must initially enroll a PIN/pattern/password with Gatekeeper. This initial enrollment creates a randomly generated, 64-bit User SID (user secure identifier) that serves as an identifier for the user and as a binding token for the user's cryptographic material. This User SID is cryptographically bound to the user's password; successful authentications to Gatekeeper result in AuthTokens that contain the User SID for that password.
The key part is:
A user must initially enroll a PIN/pattern/password with Gatekeeper.
That means that the owner/user must enroll a PIN which will be eventually associated with the Fingerprint.
A user who wants to change a credential must present an existing credential. If an existing credential is verified successfully, the User SID associated with the existing credential is transferred to the new credential, enabling the user to keep accessing keys after changing a credential. If a user does not present an existing credential, the new credential is enrolled with a fully random User SID. The user can access the device, but keys created under the old User SID are permanently lost. This is known as an untrusted enroll.
As you continue reading you read:
If a user does not present an existing credential, the new credential is enrolled with a fully random User SID. The user can access the device, but keys created under the old User SID are permanently lost. This is known as an untrusted enroll.
And perhaps you hope that your app can invoke an untrusted enroll
BUT
Under normal circumstances, the Android framework does not allow an untrusted enroll, so most users won't ever see this functionality. However, forcible password resets, either by a device administrator or an attacker, may cause this to occur.
So apps are only allowed to know if a user has Authenticated a preregistered Fingerprint via FingerprintManager or BiometricPrompt
What can I do
You'll have to look into external fingerprint readers to achieve what you want.
Possibly a Custom ROM would be another path to investigate, but would require a number of changes as the expectation is that each Fingerprint be cryptographically associated with PIN as well (see first quoted paragraph above).
I'm implementing fingerprint authentication in an existing Android application making use of FingerprintManagerCompat. I used a tutorial as guidance that can be found here.
(android.support.v4.content.ContextCompat)
As FingerprintManagerCompat makes use of saved fingerprints on the mobile device, any fingerprint on the device can be used to login to the application.
Is it possible to see which one of the fingerprints on the device were used to unlock and if so is there a method to get all saved fingerprints that are available on the device?
I looked around for information on if this is possible and I cant seem to find anything. I have found that Samsung Pass SDK does have functionality to see what fingerprint is used but the product owner does not want the me to use Samsung's Pass SDK as his penetration testing team found that it is not very secure.
Is there a method to get all saved fingerprints that are available on the device?
No.
Is it possible to see which one of the fingerprints on the device were used to unlock
No.
However, there are some limitations to which fingerprints can be used to authenticate within your app. The result of a fingerprint authentication is that you make a cryptographic key available to perform some cryptographic operation (e.g. creating a digital signature). So when you add a user in your app you'd typically create a cryptographic key that you associate with that user. Then later on when the user wants to perform some action that requires him/her to be authenticated, you do the fingerprint authentication, which gives you access to the key, which use can use to do whatever it is that you need to do to verify that the user should be allowed to perform the action.
What happens when a new fingerprint is enrolled is that any existing cryptographic keys that require fingerprint authentication will be permanently invalidated.
That leaves us with the scenario where there are multiple enrolled fingerprint before the user is added in your app. I'm not aware of any way to do anything about this with the current APIs. So the best you can do might be to add some step in your fingerprint-enabling UI flow where the user is asked to verify that only they have enrolled a fingerprint on the device (e.g. by checking a checkbox or clicking a button).
I am implementing Google's Smart Lock for Passwords on Android service on an Android app and while the provided API gives you the ability to retrieve saved credentials, save new credentials, save multiple credentials and delete specific credentials, it effectively provides no way to CLEAR all the saved credentials for a particular app. Not only is there no direct API to clear all the credentials, but there is no programmatic way to list all of the credentials in order to delete them one-by-one.
While the user can log directly in their google account in order to delete the saved passwords directly, this does not fit into any reasonable user interaction flow. The only other idea I can think of is to prompt the user with the list of credentials, have the user 'choose' one at a time and then delete the chosen credential, which also seems like a very unwieldy and confusing flow for users to follow.
I have tried the 'obvious' solution of passing a null credential to the .delete() API or creating a credential with a null identifier.
Is there any known method of doing this that does not result in a really terrible UI experience of the user?
There is no way via the API to delete all credentials programmatically, since this is not a typical user action (and it is a bit dangerous to delete all the user's data, would probably need a confirm UI or undo, etc.)
But as noted in the question comments, it could come up in testing, so easiest recommendation is to clear out all saved credentials at https://passwords.google.com or chrome://settings/passwords (but it takes a minute or two for the changes to sync to the device).
If you have more feedback on a user interaction that would require this functionality in the API, please leave a comment!
I have a private app which works totally offline (i.e. no server data sent/recieved), however I have a need to restrict it only to users with a valid Google account on their phone. I can get make sure there is a suitable account on the phone by iterating a list of phone accounts, but is it possible to check the account is valid/authenticated without me having to introduce the full OAuth process? I have no need to get a cookie or send any data to a server.
Ideally I'd like to do something like:
1. Check with the account manager for an auth token.
2. If token recieved then allow access to the app.
Currently without any checks via the account manager, anyone could create a fake account on the phone and then gain access even if they put in a email/password and they would never be authorised.
I hope I've explained this clearly. As my app has no network connectivity so I would like to avoid adding any of my own network/oauth checking.
What about this:
AccountManager manager = AccountManager.get(this);
Account[] accounts = manager.getAccountsByType("com.google");
final boolean connected = accounts != null && accounts.length > 0;
The connected boolean will indicate if there is a connected Google account in the phone.
Indeed there won't be any check on the token, but if the account is registered on the phone, then Google checked it before, server-side, to validate it...
How about implementing Google Plus login API? It's not really setting up a full OAuth process since G+ it's fairly simpler, even if it is actually built on top of OAuth.
I use that in an app I'm developing that also does not require online access (except for initial G+ login access).
What I do is the first time the app is run I present the G+ login button. After user clicks on it he can accept the permissions request from my app (to be able to retrieve user email and some basic profile info, i.e. minimum permission needed) and if the API client connects correctly then I present the user with the dashboard or home screen and also set up a flag in SharedPreferences about the user being already authorized.
In this way, the next time the user starts the app it will remember it was already authorized and just ask the API client to connect (only if the access was revoked from the account's Play Store website do we need to re-verify that the user auth is still valid), and everything should work. If the user revokes the access to his G+ profile from my app, I clear the flag so the next time the user runs it it asks for authorization again.
It's actually very simple and at least for my use case (Which sounds very similar to yours) it works for what I want it with minimum user intrusion.
I strongly suggest you try out something like this Google Plus login tutorial
Edit: You can also check this question I asked before, about working with multiple activities that need Google Plus functionality
Also, forgot to say that with this method you are always sure that the user account is always valid since you are checking directly with Google's servers about its validity.
When using the new Google Play Services to authenticate an account, you first use the AccountPicker to allow the user to select an account. If the user has not authenticated with your application before, a UserRecoverableAuthException will be thrown which gives you an intent to show the 'Allow Access' page. You only need to allow access one time. However, for testing purposes, I need to be see the Allow Access page every time.
So, does any know how you can clear the permissions for Google Play Services? Or some other method that will show the allow access page every time?
In your Google Account Settings, there's a way to set up application-specific passwords. Sign up for 2-step verification and then you can create them. To temporarily revoke the permission, you can remove or change the password: http://support.google.com/accounts/bin/answer.py?hl=en&answer=1070455
Otherwise, change the password to your entire Google account temporarily.
Unfortunately I don't think there's an easy programmatic way to do this. It seems like quite a serious security flaw that a user/administrator can't revoke Google Account access to an installed app. From what I can tell, Google is fetching the authentication information from a server, and if something in that operation fails, it throws the UserRecoverableAuthException. That's when you normally fire off the Intent from UserException.getIntent(), which contacts the server with a request such as:
scope:oauth2:https://www.googleapis.com/auth/drive.readonly[
account:<your_account>#gmail.com,
scope:oauth2:https://www.googleapis.com/auth/drive.readonly,
extrashash:<some_number>]
Now there's no documentation I've found for instructing the server to revoke that Auth Scope requested above. It might not even be possible. However, you could try to capture the values in the Intent returned by UserException.getIntent() and use it to create a new Intent you launch whenever the user wishes to sign in with their Google account. However, the server might realize the app is already authenticated, and then send you through without the prompt.