I have a biometric USB fingerprint sensor for android devices.
I want to develop an application that reads a user's fingerprint via the sensor and stores it in an SQLite database so that it can be verified when the user logs in.
So, are there any tutorials or code samples that explain how to do that?
Thanks in advance.
Reading users' biometric materials and storing them in an SQLite database seems a suspect use of biometrics on Android. Normally quite a few security measures go into collecting a user's biometric material on Android. On approved Android devices, no third party app can read a user's biometric material. The way it works is the third party app gets confirmation from the Framework that indeed the user registered on the device is the same user who just now authenticated.
It normally goes like this:
User registered their biometric materials with the device usually through the device Settings -- this is securely handled by the device implementation/OEM.
Some time later, a third party app wants a user to authenticate using biometrics.
The app relays the user's wish to the Framework.
The framework handles the authentication. The user, in the case of fingerprint biometrics, taps their fingerprint on the sensor and the sensor checks if the new fingerprint matches a pre-registered template.
The framework tells the third party app yes, the fingerprint matches the template that was registered with the device -- or no, this fingerprint is not recognized. But at no point is the biometric material of a user itself shared with a third party app or allowed to leave the device.
So...yeah, your use case sounds suspect.
You may find more info on recommended implementation here.
I want to enable a user to log in to my app using their biometric information. However, I'm aware that there is multi-user functionality for Android devices, where you can register multiple users on a single device.
I don't want a different user on the same device to be able to log in to my app just because they have a fingerprint registered on the device. So my question is: is a fingerprint (or any biometric info) associated with the device in general and it doesn't matter which user is currently active OR is the biometric information associated with a specific user on the device?
I have checked the documentation, but I can't find anything that is clear on this point.
Biometric information is tied to the current user and so will not be recognized on another user session. You can test this on an emulator.
With the Biometric API, you will encrypt a token or credentials using a cipher and a secret key, persist the encrypted data to the shared preferences in private mode, and then be able to decrypt this data by checking the biometric information of the current user.
And because apps on a multi-user device don't share the same shared prefs, each user will have access to their own token/credentials and will be able to log in to their own account but not the account of another user.
Currently I am looking to see if I can use the fingerprint scanner in Android to find users.
For example, using Android Firebase to authenticate users, then using the fingerprint to search for the specific user, which will show their information.
Is there a way to do this? Because last time I checked, the information is stored locally on the Android device, thus I am a bit unsure whether it's possible to do so or not.
Currently looking for a way to do authentication using biometrics inside my app using Firebase so that I can only have a single user without multiple accounts, using biometrics to lock the user into one account, to check whether the user already has an account using biometrics, and then searching results using biometrics.
If I understand you correctly you want to sign the user into Firebase using their Android Biometric Prompt.
I've quickly looked at the API for Biometric Prompt, and it seems an authenticated user is identified by an AuthenticationResult which in turn contains a CryptoObject. That last object contains the cipher, signature and mac for the sign-in, which you can use to verify that it was performed by a trusted source.
You could send all this information over to a trusted environment (such as your development machine, a server you control, or Cloud Functions), verify it there, and then use that to mint a custom token for the user.
The main problem (aside from the fact there is likely no sample code) I see is that there is no information about the user that is available after the Biometric Prompt. So you know they are the real user of that phone, but nothing else about them. This is not uncommon in Firebase, as it is similar to the lack of information that the built-in anonymous authentication provider has, but you'll have to see if it's enough for your use-case.
In addition to the links I embedded above, also see:
5 steps to implement Biometric authentication in Android
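The trusted-environment check that answer sketches, as an added example (not code from the answer, from Firebase, or from the Biometric Prompt sample): the phone signs a server-issued nonce with a Keystore EC key through BiometricPrompt.CryptoObject(Signature), and the server verifies it against the public key stored at enrollment before minting anything. The server state, the uid "alice" and the offline simulation of the phone side are constructed assumptions.

```kotlin
// Added example, not from the answer above or Firebase's own code; the server side is hypothetical.
import java.security.KeyPairGenerator
import java.security.PublicKey
import java.security.SecureRandom
import java.security.Signature

// Server state: uid -> public key registered at enrollment, and the nonce last issued to each uid.
private val registeredKeys = HashMap<String, PublicKey>()
private val pendingNonces = HashMap<String, ByteArray>()

// Step 1: the server hands the app a fresh random challenge to sign.
fun issueNonce(uid: String): ByteArray {
    val nonce = ByteArray(32).also { SecureRandom().nextBytes(it) }
    pendingNonces[uid] = nonce
    return nonce
}

// Step 3: verify the signature the app obtained through BiometricPrompt.CryptoObject(Signature).
// Returns the uid to mint a custom token for, or null. The nonce is consumed on first use, so a
// captured signature cannot be replayed. "SHA256withECDSA" matches an EC key from AndroidKeyStore.
fun verifyBiometricSignIn(uid: String, signature: ByteArray): String? {
    val nonce = pendingNonces.remove(uid) ?: return null      // unknown, or already used
    val pub = registeredKeys[uid] ?: return null              // user never enrolled a key
    val ok = try {
        Signature.getInstance("SHA256withECDSA").run { initVerify(pub); update(nonce); verify(signature) }
    } catch (e: Exception) { false }                          // malformed signature bytes
    // On success a real server would call the Firebase Admin SDK's createCustomToken(uid).
    return if (ok) uid else null
}

// Step 2, simulated offline: on the phone this key would live in AndroidKeyStore with
// setUserAuthenticationRequired(true), and signing would happen inside the prompt callback.
fun simulateSignIn(): Boolean {
    val kp = KeyPairGenerator.getInstance("EC").apply { initialize(256) }.generateKeyPair()
    registeredKeys["alice"] = kp.public                        // constructed enrollment record
    val nonce = issueNonce("alice")
    val sig = Signature.getInstance("SHA256withECDSA").run { initSign(kp.private); update(nonce); sign() }
    val accepted = verifyBiometricSignIn("alice", sig) == "alice"
    val replayRejected = verifyBiometricSignIn("alice", sig) == null
    return accepted && replayRejected
}
```

As the answer notes, this proves only "the enrolled user of that phone is present"; which account that is comes from the uid-to-key mapping your own server keeps, exactly as with an anonymous provider.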
I am trying to find an answer to the following question: if I have a database of fingerprints or fingerprint hashes, can I use the iOS or Android fingerprint scanners to compare the fingerprint being offered against my database and not against the local fingerprint copy? In practical application, I want to enroll people into a program that uses fingerprints to secure the account, and I want the exact same fingerprint to allow access to the account on the handheld device.
Thanks
In iOS, you can't. The Touch ID scanner is used at the system level; you only have access to checking validation. You can authenticate the user with the LocalAuthentication framework. You can check the example from Apple's documentation.
I cannot speak to the Android answer to this, but with iOS: no, that is not possible.
Apple restricts the use of Touch ID to its own internal database per device as a security precaution. You are not able to retrieve, store, or view any fingerprint data from a user. If you want to use Touch ID in your app, you must implement the relevant LocalAuthentication framework from iOS and it will do the work for you, returning only a grant or deny.
Is it doable to collect user fingerprint with android? Our backend system has a fingerprint database. We'd like to match the fingerprints collected against database to see if there is a match.
If by "collect user fingerprint" you mean getting an image of the fingerprint in some form, then no, you can't.
Android's fingerprint API essentially works like this:
The user enrolls a fingerprint in the Android Settings app.
Your app creates a cryptographic key that it associates with the user, and a CryptoObject based on that key, and starts a fingerprint authentication.
If the fingerprint read by the sensor matches any of the enrolled fingerprints, the authentication is successful and the CryptoObject can be used to perform a cryptographic operation (such as encrypting/decrypting some data).
At no point is the actual fingerprint available to your app, to any other app, or even to the OS.
From Google's fingerprint implementation guidelines to manufacturers:
Raw fingerprint data or derivatives (e.g. templates) must never be accessible from outside the sensor driver or Trusted Execution Environment (TEE).
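The four-step flow above, and the encrypt-a-token-under-a-biometric-key approach from the multi-user answer earlier on this page, as one added example (not code from either answer or from Google's samples). It assumes the androidx.biometric library; KEY_ALIAS, PREFS and the function names are our own.

```kotlin
// Added example, not from any answer above. Assumes androidx.biometric; KEY_ALIAS/PREFS are our names.
import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import android.util.Base64
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
private const val KEY_ALIAS = "session_token_key"   // hypothetical alias
private const val PREFS = "auth_prefs"              // hypothetical prefs file
// Step 2: a key the Keystore/TEE only unlocks after the current user authenticates (generate once).
fun createBiometricKey(): SecretKey {
    val spec = KeyGenParameterSpec.Builder(KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setUserAuthenticationRequired(true)        // every use needs a fresh authentication
        .setInvalidatedByBiometricEnrollment(true)  // API 24+: a newly enrolled finger cannot use it
        .build()
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        .apply { init(spec) }.generateKey()
}
private fun loadKey(): SecretKey =
    KeyStore.getInstance("AndroidKeyStore").apply { load(null) }.getKey(KEY_ALIAS, null) as SecretKey
// Steps 3-4: the cipher goes in a CryptoObject; the framework authorises it only if the sensor
// matches an enrolled template. The app receives the result, never the fingerprint.
fun encryptTokenWithBiometric(activity: FragmentActivity, token: String, onDone: (Boolean) -> Unit) {
    val cipher = Cipher.getInstance("AES/GCM/NoPadding").apply { init(Cipher.ENCRYPT_MODE, loadKey()) }
    val callback = object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
            val c = result.cryptoObject!!.cipher!!    // same cipher, now authorised
            val ciphertext = c.doFinal(token.toByteArray())
            // MODE_PRIVATE prefs are per app and per Android user, so another user on the device sees
            // an empty file. Decrypt later by repeating the prompt in DECRYPT_MODE with the stored IV.
            activity.getSharedPreferences(PREFS, Context.MODE_PRIVATE).edit()
                .putString("iv", Base64.encodeToString(c.iv, Base64.NO_WRAP))
                .putString("token", Base64.encodeToString(ciphertext, Base64.NO_WRAP)).apply()
            onDone(true)
        }
        override fun onAuthenticationError(errorCode: Int, errString: CharSequence) = onDone(false)
    }
    val info = BiometricPrompt.PromptInfo.Builder().setTitle("Confirm it's you").setNegativeButtonText("Cancel").build()
    BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
        .authenticate(info, BiometricPrompt.CryptoObject(cipher))
}
```

If the user enrolls a new fingerprint after the key was created, loadKey's cipher init throws KeyPermanentlyInvalidatedException; that is the intended signal to re-create the key and ask the user to sign in again with their password.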
Actually my question is about the possibility to collect multiple users' fingerprints. I have a database which stores all users' fingerprints. Now I would like to have an app. A user can use his fingerprint to log into my app. Is it possible?
Regarding using the built-in fingerprint scanner on an Android device, I don't think any kind of "collecting" data connected with previously scanned fingerprints is possible. The environment which the Android system uses to store and match scanned fingerprints is pretty well sealed (it's called TEE - Trusted Execution Environment) and, according to an Android Central article (https://www.androidcentral.com/how-does-android-save-your-fingerprints), there are some basic rules that every company making Android phones with a fingerprint sensor has to follow, among them:
Fingerprint data of any kind must not be backed up to any other source, including the cloud or your computer or any application
Fingerprint authentication must be used by the process that requested it (no sharing of any fingerprint data, even just the yes or no answer to see if it was correct)
So, you can have an app which will have the fingerprint authentication feature, but it will be just an "authenticated" or "not authenticated" response, based on fingerprints already enrolled on this device in Settings, without the possibility to connect each user with each fingerprint.
I haven't tried this yet, but the recent Android OS (Marshmallow) has the ability to do that.
"To authenticate users via fingerprint scan, get an instance of the new FingerprintManager class and call the authenticate() method. Your app must be running on a compatible device with a fingerprint sensor. You must implement the user interface for the fingerprint authentication flow on your app, and use the standard Android fingerprint icon in your UI. The Android fingerprint icon (c_fp_40px.png) is included in the Fingerprint Dialog sample. If you are developing multiple apps that use fingerprint authentication, note that each app must authenticate the user's fingerprint independently."
https://developer.android.com/about/versions/marshmallow/android-6.0.html
Two restrictions:
Android 6.0 and higher
Fingerprint sensor inside device
Up-to-date market share figures for Android 6.0 can be found here:
https://developer.android.com/about/dashboards/index.html
It is possible to do so with an External Fingerprint Scanner.
By External Fingerprint Scanner I am referring to a Fingerprint Scanner that you can use besides the default Fingerprint Scanner that ships with your Android device.
As for an External Fingerprint Scanner, a USB based Fingerprint Scanner would suffice for your use case.
To capture Fingerprint Images which you can send to your Backend System Database, from where you can save them and compare them with other Fingerprint Images captured by e.g. a computer, your onboard Fingerprint Scanner would not suffice for such a use case, as is mentioned in Michael's answer. This is where an External Fingerprint Scanner would be your best bet.
To introduce an External Fingerprint Scanner to work with your Android device, you would need to get an OTG cable to interface the USB Fingerprint Scanner to your Android device.
Thereafter, you would have to get the Fingerprint Scanner's Android Biometric API to code an Android Application that can make calls like Fingerprint Capture, Fingerprint Enroll and Fingerprint Authenticate to the Fingerprint Scanner, so that you are able to capture the Fingerprint Images for Biometric Enrollment and Biometric Authentication.
It would be essential to make sure that the relaying of Biometric Fingerprint data over a network to the System Database for Storage or Authentication is happening over a secure dedicated VPN connection, after it has first been encrypted before being sent over the network that links up the Android device and your Backend System.
Important: Not all Fingerprint Scanners come with Android Biometric APIs that can help you implement Android Biometric Fingerprint Capture or Android Biometric Fingerprint Enrollment. You will need to check that first before you settle on a unit Fingerprint Scanner for your Android Biometric Integration project.
I'm trying to find a way to support the following scenario with fingerprint scan authentication. I work on an app that is used in an enterprise setting, where a single Android device is likely to be shared by many users. The current fingerprint scan APIs seem to follow a model where a user registers their fingerprint with the device, and then the fingerprint scan library basically just verifies that the fingerprint being scanned matches some known fingerprint stored locally in the device. This model is incompatible with my use case, since each of my users may pick up a different Android device each time they need to use the app. And each device may be used by multiple users.
Are there any ideas for overcoming this problem? I'm thinking along the lines of getting some kind of hash or other unique identifier from the fingerprint scanner, which I could then store in my central database, and each user authentication attempt can be authenticated against this central server. But sadly, it looks like neither Google's API nor vendor-specific SDKs allow this behavior.
Suggestions/insight would be appreciated.
If a device has a fingerprint sensor, a user can enroll one or more fingerprints and then use their fingerprints to unlock the device and perform other tasks.
Android uses the Fingerprint Hardware Abstraction Layer (HAL) to connect to a vendor-specific library and fingerprint hardware, e.g. a fingerprint sensor.