currently i am looking to see if i can use in android the fingerprint scanner to find user's.
for example using android firebase to authenticate users, then by using the fingerprint to search for the specific users that will show their information.
is there a way to do this? because last time i checked , the information is stored locally on the android device , thus i am a bit lacking into if its possible to do so or not.
currently looking for a way to do authentication using biometric's inside my app using firebase so that i can only have a single user without multiple accounts , using biometrics to lock the user into 1 account , to check either if the user already has an account using biometrics , and then searching results using bio metrics.
If I understand you correctly you want to sign the user into Firebase using their Android Biometric Prompt.
I've quickly looked at the API for Biometric Prompt, and it seems an authentication user is identified by an AuthenticationResult which in turn contains a CryptoObject. That last object contains the cipher, signature and mac for the sign-in, which you can use to verify that it was performed by a trusted source.
You could send all this information over to a trusted environment (such as your development machine, a server you control, or Cloud Functions), verify it there, and then use that to mint a custom token for the user.
The main problem (aside from the fact there is likely no sample code) I see is that there is no information about the user that is available after the Biometric Prompt. So you know they are the real user of that phone, but nothing else about them. This is not uncommon in Firebase, as it is similar to the lack of information that the built-in anonymous authentication provider has, but you'll have to see if it's enough for your use-case.
In addition to the links I embedded above, also see:
5 steps to implement Biometric authentication in Android
Related
I need to develop an Android app that has MFA authentication.
To log in, the user needs to first insert his username & password and then, biometric data (fingerprint, face, or iris) to confirm his identity.
I want to use something like Cognito to store the biometrics login but honestly, I can't really understand how I would do this.
Is this doable?
And if so, how?
The simple answer - you can't.
You can't pass biometric data that is being collected by the Android system(or iOs system), outside the phone.
Neither face/iris nor fingerprint can be decoded in some readable format and sent to the third-party service.
This is how the android system works. As far as I know, iOs works the same - you cannot retrieve this data. Moreover, you cannot change this behaviour of the system(only in a very custom Android ROM, I suppose, and it will be quite hard to achieve)
You can use fingerprint/iris/face unlock in your application though - you won't be sending anything to your servers, but you will be able to unlock the UI of your app - this is kinda general usecase as for now.
Well if being completely true - you can send something to the server - you can generate a secret key and encrypt it based on the biometric data and with the biometric auth you can decrypt it and send wherever you want. The secret wont represent an actual biometric info but it is something...(cognito supports custom auth flows - maybe you even be able to utilize this approach somehow)
Long story short - here is an official documentation about the biometric auth and biometric based encryption.
Here is a codelab example.
Here is a general schematics of how it all works.
Here and here is a nice article about the topic.
I wanted to know if when there's an firebase authentification, it's possible to get the source of this authentification?
To know if it's from my iphone app, android app or web app.
Why :
My web app isn't on the web, but on local server. I want to distribute this web app with server (It's for a personnal project but it could have 10 prototypes). So everybody can get my firebase config. And I don't want that someone can create account from the web firebase api because I accept google/apple and email/password auth. I can't disable email/password for my project purpose.
I hope this is clear.
To be more clear, if the email/password auth is created, is it possible to know if it's from android app or iphone app or webapp?
Thanks
The provided APIs for Firebase Auth don't give any indication which platform was used to create the account. Firebase intends for all accounts to work across all platforms using the provided SDKs and APIs accessible for each platform.
If you want to record your own per-user data in a database, you're free to do that. Note that this is not really "secure" in that each user could effectively manipulate your database or APIs to indicate whatever they want about their platform. If you do not have this sort of security in mind, then you can simply trust your own code to write, and late read, the user's platform in a database after they sign up.
To be more clear if the email/password auth is created, is it possible to know if it's from the Android app or iPhone app, or web app?
Yes, it's possible. Let's say we want to know if a user has signed in from Android. When the user creates an account from an Android device, most likely you are storing user data as objects in the database. The simplest solution I can think of is to add another property in your User class, called "platform" and set it to "Android". If the user signs up with an iPhone, then set the property to "iOS". Same thing for the web. Knowing that the user might change the device, every time the user opens the app check that value against the OS the user is using. If the OS is changed, also change the value accordingly. This way you'll always know the OS the user is using. If you allow the users to use multiple platforms, for Android, there is a function called getProviderData():
Returns a List of UserInfo objects that represents the linked identities of the user using different authentication providers that may be linked to their account.
Similar functions can be found for the other platforms as well.
I have a biometric USB fingerprint sensor for android devices.
I want to develop an application that reads a user's fingerprint via sensor and store it into an SQLite database so that it can be verified when the user login.
So, Are there any tutorials or code samples that explain how to do that?
Thanks In Advance.
Reading users biometric materials and storing them in an SQLite database seems a suspect usage of biometrics on Android. Normally quite a bit of security measures go into collecting a user's biometrics material on Android. On approved Android devices, no third party app can read a user's biometric material. The way it works is the third party app gets confirmation from the Framework that indeed the user registered on the device is the same user who just now authenticated.
It normally goes like this:
User registered their biometric materials with the device usually through the device Settings -- this is securely handled by the device implementation/OEM.
Some time later, a third party app wants a user to authenticate using biometrics.
The app relays the user's wish to the Framework.
The framework handles the authentication. The user, in the case of fingerprint biometrics, taps their fingerprint on the sensor and the sensor checks if the new fingerprint matches a pre-registered template.
The framework tells the third party app yes the fingerprint matches the template that was register with the device -- or no this fingerprint is not recognized. But at no point is the biometric material of a user itself shared with a third party app or allowed to leave the device.
So...yeah, your use case sounds suspect.
You may find more info on recommended implementation here.
I'm trying to authenticate users to the backend server using fingerprint.
The scenario that I can think of is when user registers with a new account, I should send some sort of a unique identifier to the server related to the fingerprint..
Later the user can send only that unique id to the server to log in with no passwords or emails or any other credentials..
Is that possible?
If so, how?
It is technically possible since it has been done.
As the user registers with or for a new account, you also enroll one or more fingerprints. To do that, a fingerprint scanner is required. (Note that the fingerprint
image that the Android fingerprint reader captures, cannot be "taken" out of the phone. You need an external fingerprint reader.)
Also needed is some sort of SDK for extracting a template from the fingerprint image. (The template is close to what you might be calling the unique identifier, although it might not really be that unique.) The manufacturer of the fingerprint reader, usually also supplies the SDK. If they do not, you'll need a third-party SDK. One can search online for those.
The extracted template is stored on the server alongside other user data. At login, you extract a template from the same finger, transmit it to the server, and search amongst the previously enrolled templates. For that search (identification), you also need some SDK, or some sort of AFIS. There are commercial as well as free offerings (such as sourceAfis).
A better explanation is given in the Wikipedia article.
I'm writing an android app that is a client of a multi-player game.
I need a reliable way to authenticate users in order to connect users with their game account, store their in-game progress and allow them to re-login later and continue playing just where they left off.
An easy solution would be to implement a password-based login and manage passwords all "by myself" (in my app and game server). However, typing passwords on a mobile device is quite inconvenient. Reading up on the topic, they say the best login is a login without password prompt (and generally as little user interaction as possible).
I would expect that the best way to achieve a solid passwordless login in an android app is a google account based login. Every android device is connected with a google account already, right?
Searching around the web and stackoverflow, I was extremely surprised that I was unable to find good documentation about my problem, which I thought to be a standard problem that many must have faced before me.
Some things that look pomising to me:
Google Sign-In Api
Use Google Smart Lock to sign in with a google account (Is this in any way better than sign-in api?)
Use Google Smart Lock to automatically create my own login/password credentials and use them "behing the scenes"
So, what ist the best way to implement a convenient login without password?
My definition of "best" in that context is:
Most convenient to the user. As little interaction as possible.
Reasonably secure to prevent account highjacking.
Depends on how you need to identify your users. If email address is enough, you are probably looking for OpenID Connect. You will get a signed ID token, if the signature checks out, you can trust the info inside, which includes Gmail address. Google has libraries to make this easy, and Android devices already have a token, so users don't have to enter a password.
More info here:
https://developers.google.com/identity/protocols/oauth2/native-app
Google Games login could be a better fit for you, and Firebase makes it easier to manage user data without running your own servers.
I had a similar problem with my app and found that the best solution is to implement the FIDO protocol which allows users to sign-in using a private key stored securely in their mobile device:
During registration with an online service, the user’s client device creates a new key pair. It retains the private key and registers the public key with the online service. Authentication is done by the client device proving possession of the private key to the service by signing a challenge.
To visualize it, here's an explanation with a graph of how FIDO works.
Why is this the best solution?
It's very convenient because your users don't need to do any interaction to log in as long as your app is accessed from the device that holds the private key. You can authenticate them silently from the app. If the user is accessing the app from a different phone, you can send a push notif and show a prompt in your app to approve the login request.
This method is secure because:
It avoids bad passwords from your users.
The private key never leaves the device. This means you never need to store passwords in your database.
The asymmetric cryptography ensures that only the device that holds the private key can make a valid signature.
How to implement it in Android:
For an Android app, the easiest way to implement this is to use Cotter, an authentication service like Firebase but focusing on passwordless login. You can make a free account to get your API keys.
Documentation: This is the guide on implementing the FIDO protocol above for Android.
If you'd like to do it yourself, you can check out the Android Keystore System.