I am using confirm credentials api in my app to authenticate user, using createConfirmDeviceCredentialIntent api.
The api is working fine when I have set up my device lock as pin/pattern/password or fingerprint. But, it's not working in the case of face unlock. I've set face unlock in my device and it's working fine when opening the device. But when I launch the intent using the above mentioned api, it's not recognizing face unlock but all the other things.
Is this a limitation of this api? or I've to do something extra to achieve this?
Can't find this anywhere so posting here.
Unfortunately, this isn't possible because unlocking using your face is part of the Smart Lock set of unlock tools.
Other methods of unlocking that fall under the Smart Lock category include:
On-body detection
Trusted places
Trusted devices
Trusted face (the method in question)
Trusted voice
Because none of these are primitive security methods in Android, it does not make sense to allow these to be accessed using APIs.
If Smart Lock could be used with Keyguard, on-body detection would be in theory be able to grant access to an app, being in a trusted place (but not in the hands of a trusted person) and even trusted voice could be used.
Apple and Face ID can allow this because Face ID is a primitive security method for the iPhone X, as the data used to unlock the device is kept in the Secure Enclave, in the same way that Touch ID data is.
I hope this gives you enough reason as to why this isn't possible, and why it makes sense that this isn't possible.
Sources:
Keyguard (stating unlock methods allowed to be used), Smart Lock, Face ID
BiometricPrompt is introduced in API 28. It will support fingerprint, Iris and face authentication.
Here's an example of how a developer might use it in their app
java.lang.Object
↳ android.hardware.biometrics.BiometricPrompt
Using the BiometricPrompt builder we can:
setTitle() — Set the title to display (Required)
setSubtitle() — Set the subtitle to display (Optional)
setDescription() — Set the description to display(Optional)
setNegativeButton() — Set the text for the negative button(Required).
You must also provide an Executor instance and a click listener for the negative button.
Note: You can’t customise the icon or error message that are used within the dialog.
implementation 'androidx.biometric:biometric:1.0.0-beta01'
Latest Release
GitHub source code available here NativeBiometricScanner developed in Kotlin
Related
I want to enable fingerprint and face unlock for my application. I have fingerprint unlock code and it is working fine if the user is already registered his fingerprint.
I want to enable the same feature for face unlock as well. If the user has already enrolled his face id, then he should be able to authenticate the app with face unlock. I don't want to create any library here, I just want to invoke the device face unlock app and authenticate.
Starting with Android P, you can use the BiometricPrompt API - it will automatically support whichever biometric authentication mechanism is physically present on the user's phone.
See this blog post for a brief overview of the feature, and the docs for how to implement this. This blog post contains a walk-through of all the steps to implement this.
I am developing a Hybrid application for which once the user enters the username and password initially after successful login the user is prompted with a dialog box asking whether to enable FaceID unlocking or not. If the User presses Yes next time the user will directly will be asked to scan the face instead of username and password. In iOS i am successful in doing this.
But how to implement the same in the Android using Cordova. Is there any specific plugin to enable it. If it is there please help me with the plugin or If not please specify the reason.
It is not possible to achieve the same capabilities of the Face Id to unlock an app on Android, so it wouldn't be possible even using Android native app.
Android uses the keymanager to achieve unlocking capabilities on apps, using primitive authentication methods. That allows you to use pin code or fingerprint authentication. At this time, face recognition is not available yet.
Apple and Face ID can allow this because Face ID is a primitive security method for the iPhone X, as the data used to unlock the device is kept in the Secure Enclave, in the same way that Touch ID data is.
My guess is that Android will follow Apple's steps and implement a solution like Face ID for authentication in one of Android's next versions (not on Android P), but until then, if you really must have face recognition to unlock your app, you can try using 3rd-party libraries, but none will fully achieve the Face Id native capabilitues
Sources:
Related stackoverflow article
Android Keyguard docs
Third party image recognition cordova plugin
Face ID on Android adoption
I am using the plugin called cordova-plugin-keychain-touch-id and it works both for face and touch.
Be aware that some Android phone both have face and touch, and if both are enabled, it returns OKin stead of touch or face.
Also with Android's OREO OS made it possible for older Android phone to login with face biometrics using something called "Trusted Face".
I am still having some issues with face login activation on the phones where both are enabled and with the trusted face, but maybe you (or someone else) have a solution for this :)
Good luck!
I have a use case that requires the user to confirm device credential, and the createConfirmDeviceCredentialIntent method in KeyguardManager perfectly meets my need. However, this method was added since API 21.(reference link) So how can I achieve the same functionality before Android 5.0? I also want to support versions like Android 4.X.
Thanks!
Before 21 level this is certainly not possible on non-rooted device and there is no alternative with regular permissions.
If it is ok to require extra admin permissions, it is probably possible to emulate credential confirmation very loosely, with much more effort, by implementing DeviceAdminReceiver.onPasswordSucceeded. Lock the screen, when password succeeded perform the required action. This may turn out to be relatively complex because the action is not always received (only if status has changed), need to keep last success, communicate with receiver, etc.
As a side note, double check the use case and your design, in most cases when createConfirmDeviceCredentialIntent is used it is actually not required and other design choices may eliminate the need for it.
It was better to provide details of what exactly you are trying to protect. If it is a scenario for accidental access to the device by an unauthorized person and a permanent token is generated, say, from some oauth service, it may be reasonable either to reauthorize through the same service login flow or to store some hmac of original credentials along with token then prompt and re-validate credentials instead of prompting for device credentials. Alternatively, if that is enough for use case, you can use google login to authorize access to your app/token and verify google user is the same for the stored token.
The best answer I have seen for this situation is described in a blog post:
Android Secrets
However, it recreates system classes that are private and calls AOSP code that is not public. My bounty is for a better answer that would not require explicit Class naming inside the project. Perhaps Smart Lock or another awesome security library can be used for the backward compatibility I require.
I've tried to generate a key pair using the Google sample (BasicAndroidKeyStore). The only modification I made is setting the setUserAuthenticationRequired(true) in the KeyGenParameterSpec.Builder.
I assume it would work fine on a device with the embedded Fingerprint scanner, but running it on OnePlus One (working under Android 6.0), I get the following exception:
At least one fingerprint must be enrolled to create keys requiring user authentication for every use
The phone does have the lock screen set to use the pattern, but apparently it requires fingerprint for the authentication. Any idea how to use API 23 keystore without having the actual Fingerprint reader?
On modern Android devices, the fingerprint scanner is directly linked with the hardware security module.
As a result, there is now a meaningful way to provide isolated encryption that's protected - even on a rooted phone.
Check out these guidelines:
https://developer.android.com/training/articles/keystore#HardwareSecurityModule
An attacker would have to trick a user into swiping their fingerprint in order to unlock stuff... and that's only one decryption or signature per swipe.
This is "pretty good" security, but because of the API limitations and restrictions (notably the lack of ECDH!), most apps that claim to use Android's keychain system don't use the StrongBox. Even those that do won't warn the user when it's not available.
As a result, a jailbreak or zero day can compromise most app keys.
Please consider detecting enrollment, and warning your user that their data is more vulnerable on a device that does not have an enrolled hardware biometry device.
I have also faced same issue with moto devices.
As for now i have done this code. To check before using Fingerprint authentication.
public boolean isFingerprintAuthAvailable() {
//FingerprintManager mFingerprintManager;
return mFingerprintManager.isHardwareDetected()
&& mFingerprintManager.hasEnrolledFingerprints();
}
For more check this sample from which i have implemented. Hope will help you...
I would like to be able to query, via my application, whether or not the user has enabled a password or pin on their lock screen. How can I go about doing this?
I've looked into How to detect if PIN/password/pattern is required to unlock phone? but this only seems to tell me whether the device has a pattern lock screen. I'd specifically like to know if the user has enabled something more secure, e.g. a pin or password. (I would be ok if it returned true for all of these cases, but it actually returns false in the case where the user has a numeric PIN or alphanumeric password, but not a pattern lockscreen).
I'm thinking I could use the Device Management API, but I'm not entirely sure how to go about setting this up. Moreover, this seems to be targeted at developers of enterprise-level applications, who want to enforce certain policies on their clients. I'm a small app developer, and because it has security ramifications on what I'm doing, I'd just like to be able to detect if a user has already enabled these features.
This "Stackoverflow: Check for lock" link can help you out with using the Device Management API. It's odd that there's only direct support for pattern lock screen recognition, but nothing I've found suggested otherwise.
The link below also has a link to a grepcode page, which could further help you out. The most recent answer shows that you basically do a getLong() to get the value of the security settings. From there, you simply run whatever code you planned on running, based off of the number you get back!