I am trying to find an answer to the question of, if I have a database of fingerprints or fingerprint hashes, can I use the iOS or Android fingerprint scanners to compare the fingerprint being offered against my database and not against the local fingerprint copy? In practical application I want to enroll people into a program that uses fingerprints to secure the account, and I want the exact same fingerprint to allow access to the account on the handheld device.
Thanks
In iOS, you can't. The Touch ID scanner is used at the system level; you only have access to the result of the validation. You can authenticate the user with the LocalAuthentication framework. You can check the example from Apple's documentation.
I cannot speak to the Android answer of this, but with iOS; No, that is not possible.
Apple restricts the use of Touch ID to its own internal database per device as a security precaution. You are not able to retrieve, store, or view any fingerprint data from a user. If you want to use Touch ID in your app, you must implement the relevant LocalAuthentication framework from iOS and it will do the work for you, returning only a grant or deny.
Related
I have a biometric USB fingerprint sensor for android devices.
I want to develop an application that reads a user's fingerprint via sensor and store it into an SQLite database so that it can be verified when the user login.
So, Are there any tutorials or code samples that explain how to do that?
Thanks In Advance.
Reading users' biometric material and storing it in an SQLite database seems a suspect usage of biometrics on Android. Normally quite a few security measures go into collecting a user's biometric material on Android. On approved Android devices, no third-party app can read a user's biometric material. The way it works is that the third-party app gets confirmation from the Framework that indeed the user registered on the device is the same user who just now authenticated.
It normally goes like this:
The user registers their biometric material with the device, usually through the device Settings -- this is securely handled by the device implementation/OEM.
Some time later, a third party app wants a user to authenticate using biometrics.
The app relays the user's wish to the Framework.
The framework handles the authentication. The user, in the case of fingerprint biometrics, taps their fingerprint on the sensor and the sensor checks if the new fingerprint matches a pre-registered template.
The framework tells the third-party app yes, the fingerprint matches the template that was registered with the device -- or no, this fingerprint is not recognized. But at no point is the biometric material of a user itself shared with a third-party app or allowed to leave the device.
So...yeah, your use case sounds suspect.
You may find more info on recommended implementation here.
I'm trying to authenticate users to the backend server using fingerprint.
The scenario that I can think of is when user registers with a new account, I should send some sort of a unique identifier to the server related to the fingerprint..
Later the user can send only that unique id to the server to log in with no passwords or emails or any other credentials..
Is that possible?
If so, how?
It is technically possible since it has been done.
As the user registers with or for a new account, you also enroll one or more fingerprints. To do that, a fingerprint scanner is required. (Note that the fingerprint image that the Android fingerprint reader captures cannot be "taken" out of the phone. You need an external fingerprint reader.)
Also needed is some sort of SDK for extracting a template from the fingerprint image. (The template is close to what you might be calling the unique identifier, although it might not really be that unique.) The manufacturer of the fingerprint reader, usually also supplies the SDK. If they do not, you'll need a third-party SDK. One can search online for those.
The extracted template is stored on the server alongside other user data. At login, you extract a template from the same finger, transmit it to the server, and search amongst the previously enrolled templates. For that search (identification), you also need some SDK, or some sort of AFIS. There are commercial as well as free offerings (such as sourceAfis).
A better explanation is given in the Wikipedia article.
Is it doable to collect user fingerprint with android? Our backend system has a fingerprint database. We'd like to match the fingerprints collected against database to see if there is a match.
If by "collect user fingerprint" you mean getting an image of the fingerprint in some form, then no, you can't.
Android's fingerprint API essentially works like this:
The user enrolls a fingerprint in the Android Settings app.
Your app creates a cryptographic key that it associates with the user, and a CryptoObject based on that key, and starts a fingerprint authentication.
If the fingerprint read by the sensor matches any of the enrolled fingerprints, the authentication is successful and the CryptoObject can be used to perform a cryptographic operation (such as encrypting/decrypting some data).
At no point is the actual fingerprint available to your app, to any other app, or even to the OS.
From Google's fingerprint implementation guidelines to manufacturers:
Raw fingerprint data or derivatives (e.g. templates) must never be accessible from outside the sensor driver or Trusted Execution Environment (TEE).
Actually my question is about the possibility to collect multiple users' fingerprints. I have a database which stores all users' fingerprints. Now I would like to have an app. A user can use his fingerprint to log into my app. Is it possible?
Regarding using the built-in fingerprint scanner on an Android device, I don't think any kind of "collecting" of data connected with previously scanned fingerprints is possible. The environment which the Android system uses to store and match scanned fingerprints is pretty well sealed (it's called the TEE, Trusted Execution Environment) and, according to an Android Central article (https://www.androidcentral.com/how-does-android-save-your-fingerprints), there are some basic rules that every company making Android phones with a fingerprint sensor has to follow, among them:
Fingerprint data of any kind must not be backed up to any other source, including the cloud or your computer or any application.
Fingerprint authentication must be used by the process that requested it (no sharing of any fingerprint data, even just the yes or no answer to see if it was correct).
So, you can have an app which has the fingerprint authentication feature, but it will be just an "authenticated" or "not authenticated" response, based on fingerprints already enrolled on this device in Settings, without the possibility of connecting each user with each fingerprint.
I haven't tried this yet, but the recent Android OS (Marshmallow) has the ability to do that.
"To authenticate users via fingerprint scan, get an instance of the new FingerprintManager class and call the authenticate() method. Your app must be running on a compatible device with a fingerprint sensor. You must implement the user interface for the fingerprint authentication flow on your app, and use the standard Android fingerprint icon in your UI. The Android fingerprint icon (c_fp_40px.png) is included in the Fingerprint Dialog sample. If you are developing multiple apps that use fingerprint authentication, note that each app must authenticate the user's fingerprint independently."
https://developer.android.com/about/versions/marshmallow/android-6.0.html
Two restrictions:
Android 6.0 and higher
Fingerprint sensor inside device
You can find the up-to-date market share of Android 6.0 here:
https://developer.android.com/about/dashboards/index.html
It is possible to do so with an External Fingerprint Scanner.
By External Fingerprint Scanner I am referring to a Fingerprint Scanner that you can use besides the default Fingerprint Scanner that ships with your Android device.
As for an External Fingerprint Scanner, a USB based Fingerprint Scanner would suffice for your use case.
To capture Fingerprint Images which you can send to your Backend System Database, from where you can save them and compare them with other Fingerprint Images captured by e.g. a computer, your onboard Fingerprint Scanner would not suffice for such a use case, as is mentioned in #Michael's answer. This is where an External Fingerprint Scanner would be your best bet.
To introduce an External Fingerprint Scanner to work with your Android device, you would need to get an OTG cable to interface the USB Fingerprint Scanner to your Android device.
Thereafter, you would have to get the Fingerprint Scanner's Android Biometric API to code an Android Application that can make calls like Fingerprint Capture, Fingerprint Enroll and Fingerprint Authenticate to the Fingerprint Scanner so that you can be able to capture the Fingerprint Images for Biometric Enrollment and Biometric Authentication.
It would be essential to make sure that the relaying of Biometric Fingerprint data over a network to the System Database for Storage or Authentication happens over a secure dedicated VPN connection, after it has first been encrypted, before being sent over the network that links up the Android device and your Backend System.
Important: Not all Fingerprint Scanners come with Android Biometric APIs that can help you implement Android Biometric Fingerprint Capture or Android Biometric Fingerprint Enrollment. You will need to check that first before you settle on a unit Fingerprint Scanner for your Android Biometric Integration project.
I've been reading documentation that Android's and iOS's fingerprint scanning APIs store the user's encrypted fingerprint locally. Is it possible to build an application that captures the user's fingerprint, encrypts it like a password and stores it in the cloud?
If this isn't possible, are there any suggested workarounds people have explored in the past?
Thanks.
No, you can't get this info out of the device. All you're able to do is validate whether the fingerprint provided by the user matches one that's enrolled in the device. It's basically binary. The finger is recognized or not.
Typically what you want to do is store some kind of generated token in Keychain or other secure storage; after the user locally authenticates with their fingerprint, you use that stored token to authenticate the user with your server.
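The pattern the Android answers above describe (a key the device will only use after a fingerprint match, and a server-issued token kept in secure storage that the app releases to its backend after a local match), written out as an added example in Java. This is not code from any of the posters; the class name FingerprintGatedToken, the key alias server_token_key, the TokenListener/CipherAction interfaces and the iv:ciphertext storage format are this example's own choices. Everything else is the public Android API (API 23+).

```java
// Added example, not from the original answers: a fingerprint-gated server token on Android.
// The fingerprint itself never reaches the app; the TEE only lets an AndroidKeyStore key
// complete one cipher operation after it has seen a matching finger.
import android.content.Context;
import android.hardware.fingerprint.FingerprintManager;
import android.os.CancellationSignal;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.util.Base64;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public class FingerprintGatedToken {
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String KEY_ALIAS = "server_token_key";   // hypothetical alias chosen for this example
    private static final String TRANSFORM = KeyProperties.KEY_ALGORITHM_AES + "/"
            + KeyProperties.BLOCK_MODE_CBC + "/" + KeyProperties.ENCRYPTION_PADDING_PKCS7;

    public interface TokenListener {
        void onToken(String value);
        void onFailure(String reason);
    }

    private interface CipherAction {
        String run(Cipher authenticatedCipher) throws Exception;
    }

    /** Registration, step 1: an AES key the hardware will only operate after a fingerprint match. */
    public static void createKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
                .setUserAuthenticationRequired(true)        // every use needs a fresh fingerprint
                .setInvalidatedByBiometricEnrollment(true)  // API 24+: enrolling another finger destroys the key
                .build());
        kg.generateKey();
    }

    private static SecretKey loadKey() throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        return (SecretKey) ks.getKey(KEY_ALIAS, null);
    }

    /** Registration, step 2: seal the token the server issued over TLS so only a fingerprint can reopen it. */
    public static void sealToken(Context ctx, final String serverToken, TokenListener done) throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        cipher.init(Cipher.ENCRYPT_MODE, loadKey());  // KeyPermanentlyInvalidatedException if enrollment changed
        authenticate(ctx, cipher, new CipherAction() {
            public String run(Cipher c) throws Exception {
                byte[] ct = c.doFinal(serverToken.getBytes(StandardCharsets.UTF_8));
                // Storage format chosen for this example: base64(iv) ":" base64(ciphertext), kept in app-private storage.
                return Base64.encodeToString(c.getIV(), Base64.NO_WRAP) + ":" + Base64.encodeToString(ct, Base64.NO_WRAP);
            }
        }, done);
    }

    /** Login: reopen the sealed token after a fingerprint match; the caller then presents it to the server over TLS. */
    public static void unsealToken(Context ctx, String sealed, TokenListener done) throws Exception {
        String[] parts = sealed.split(":", 2);
        byte[] iv = Base64.decode(parts[0], Base64.NO_WRAP);
        final byte[] ct = Base64.decode(parts[1], Base64.NO_WRAP);
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        cipher.init(Cipher.DECRYPT_MODE, loadKey(), new IvParameterSpec(iv));
        authenticate(ctx, cipher, new CipherAction() {
            public String run(Cipher c) throws Exception {
                return new String(c.doFinal(ct), StandardCharsets.UTF_8);
            }
        }, done);
    }

    /** Show the system fingerprint prompt bound to a Cipher; the Cipher only completes once the TEE reports a match. */
    private static void authenticate(Context ctx, Cipher cipher, final CipherAction action, final TokenListener done) {
        FingerprintManager fm = ctx.getSystemService(FingerprintManager.class);
        if (fm == null || !fm.isHardwareDetected() || !fm.hasEnrolledFingerprints()) {
            done.onFailure("no fingerprint hardware or no enrolled fingerprints on this device");
            return;
        }
        fm.authenticate(new FingerprintManager.CryptoObject(cipher), new CancellationSignal(), 0,
                new FingerprintManager.AuthenticationCallback() {
                    @Override public void onAuthenticationSucceeded(FingerprintManager.AuthenticationResult result) {
                        try {
                            done.onToken(action.run(result.getCryptoObject().getCipher()));
                        } catch (Exception e) {  // e.g. doFinal refused because no valid auth is bound to this operation
                            done.onFailure("crypto operation failed: " + e);
                        }
                    }
                    @Override public void onAuthenticationFailed() {
                        done.onFailure("finger not recognized");  // the app learns match / no match, never which finger
                    }
                    @Override public void onAuthenticationError(int code, CharSequence msg) {
                        done.onFailure("error " + code + ": " + msg);
                    }
                }, null);
    }
}
```

The app needs `android.permission.USE_FINGERPRINT` in its manifest for this to run; FingerprintManager is deprecated from API 28 in favour of BiometricPrompt, which accepts the same CryptoObject-wrapped Cipher, so the key and storage parts carry over unchanged. Two things a reviewer should check in a real deployment: the server still only ever sees a bearer token, so it must bind that token to the account and device and be able to revoke it; and nothing in the callback identifies which enrolled finger or which person matched, which is exactly why this pattern cannot serve the shared-device case raised in the next question.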
I'm trying to find a way to support the following scenario with fingerprint scan authentication. I work on an app that is used in an enterprise setting, where a single Android device is likely to be shared by many users. The current fingerprint scan APIs seem to follow a model where a user registers their fingerprint with the device, and then the fingerprint scan library basically just verifies that the fingerprint being scanned matches some known fingerprint stored locally in the device. This model is incompatible with my use case, since each of my users may pick up a different Android device each time they need to use the app. And each device may be used by multiple users.
Are there any ideas for overcoming this problem? I'm thinking along the lines of getting some kind of hash or other unique identifier from the fingerprint scanner, which I could then store in my central database, and each user authentication attempt can be authenticated against this central server. But sadly, it looks like neither Google's api nor vendor specific sdks allow this behavior.
Suggestions/insight would be appreciated.
If a device has a fingerprint sensor, a user can enroll one or more fingerprints and then use their fingerprints to unlock the device and perform other tasks.
Android uses the Fingerprint Hardware Abstraction Layer (HAL) to connect to a vendor-specific library and fingerprint hardware, e.g. a fingerprint sensor.