I'm implementing fingerprint authentication in an existing Android application making use of FingerprintManagerCompat. I used a tutorial as guidance that can be found here.
(android.support.v4.content.ContextCompat)
As FingerprintManagerCompat makes use of saved fingerprints on the mobile device, any fingerprint on the device can be used to login to the application.
Is it possible to see which one of the fingerprints on the device were used to unlock and if so is there a method to get all saved fingerprints that are available on the device?
I looked around for information on if this is possible and I cant seem to find anything. I have found that Samsung Pass SDK does have functionality to see what fingerprint is used but the product owner does not want the me to use Samsung's Pass SDK as his penetration testing team found that it is not very secure.
Is there a method to get all saved fingerprints that are available on the device?
No.
Is it possible to see which one of the fingerprints on the device were used to unlock
No.
However, there are some limitations to which fingerprints can be used to authenticate within your app. The result of a fingerprint authentication is that you make a cryptographic key available to perform some cryptographic operation (e.g. creating a digital signature). So when you add a user in your app you'd typically create a cryptographic key that you associate with that user. Then later on when the user wants to perform some action that requires him/her to be authenticated, you do the fingerprint authentication, which gives you access to the key, which use can use to do whatever it is that you need to do to verify that the user should be allowed to perform the action.
What happens when a new fingerprint is enrolled is that any existing cryptographic keys that require fingerprint authentication will be permanently invalidated.
That leaves us with the scenario where there are multiple enrolled fingerprint before the user is added in your app. I'm not aware of any way to do anything about this with the current APIs. So the best you can do might be to add some step in your fingerprint-enabling UI flow where the user is asked to verify that only they have enrolled a fingerprint on the device (e.g. by checking a checkbox or clicking a button).
Related
In the process of starting using Android Keystore in my app, I was going through the documentation of setUserAuthenticationRequired(boolean) api, which states that :
Additionally, if the key requires that user authentication takes place for every use of the key (see setUserAuthenticationValidityDurationSeconds(int)), at least one fingerprint must be enrolled (see hasEnrolledFingerprints()).
I am curious why fingerprint is enforced here.
Why am I not allowed to use normal device lock if I want user authentication to take place for every use of the key?
Following this tutorial on fingerprint authentication I should check for KeyguardManager.isKeyguardSecure() before letting users authenticate with fingerprint.
Why should I do this?
Most device manufacturers require a secure lock screen type (PIN, password, pattern) in order to use fingerprints. When changing the lock screen type to an insecure one (None, Swipe or other mode which does not authenticate the user) the fingerprints are removed.
On Samsung devices this is handled differently, by providing the user the possibility to not delete the fingerprints (and secure them with an additional password). Thereby, the user can still use the fingerprints in applications.
In case you want to allow those users, with a Samsung device, to use fingerprint authentication (in your app) even though they don't have set a secure lock screen type, you don't need to check if KeyguardManager.isKeyguardSecure() returns true.
Later in the code, the tutorial uses setUserAuthenticationRequired(true), which won't work if there is no secure keyguard.
I am a newbie in android development
I am developing an android app that allow people using fingerprint to check-in. The idea is, for instance, a class need student check-in on time everyday. Student have to register their fingertip to identify with application.
I don't know whether android support my application? I just saw that fingerprint identify using registered user's finger.
Could you please help me some idea?
Thank you so much.
Android supports detecting more than one fingerprint.
Eg:Coolpad note 3 detects 5 different fingerprints and we can assign different actions to each fingerprint.
i.e one for unlock screen,one for camera.
Detecting and authentication of different fingerprint is based on how you code your application.So go forward.
You can find here the code for the implentation of Fingerprint authentication in an app
remember one thing that,here you can login in your app only using the fingerprint that you have used for the device's screen lock.
Android authorizes or verifies a user if the fingerprint was previously registered through Android settings. Meaning, you can't add new fingerprints through your app.
The KeyStore save all the keys and use the Keystore private key to sign transactions / data. Meaning, you cannot differentiate users through your app.
Can we use the FingerprintManager in Android M (API 22) to identify (along with authorize) the user?
For example, there are two finger prints registered in the device, one for user A and one for user B. Does the API provide support to detect which user, A or B, just logged in?
No. In fact, the Android Compatibility Definition for Android 6.0 states in the Fingerprint section (7.3.10):
MUST NOT enable 3rd-party applications to distinguish between individual fingerprints.
Therefore while you could write an app that uses the fingerprint as a mechanism to authenticate the user, any registered fingerprint associated with the current user account could be used.
Android Fingerprint method does not provide fingerprint name or Any unique identity. it treated each registered fingerprint equally and just authenticate only. (valid user or invalid user that's it)
Storage
The fingerprints are tied to the device (from the Nexus FAQ):
Your fingerprint data is stored securely and never leaves your device. Your data is not shared with Google or any apps on your device.
Therefore there is no way for an app to access the fingerprint data to be able to save it or use across the devices.
Suggestion :
To distinguish multiple users or devices, you should use external fingureprint scanner. There's some external fingerprint scanners compatible with Android Platform and with SDK for Android. These SDKs allow to enroll and verify multiple users.
I am new to fingerprint authentication in smartphones. As we know Samsung S5 currently supports fingerprint scanner. Is it possible to develop a custom application that can use the scanner to authenticate a user? I just need to know the identity of the user and if he has been authenticated correctly. My app can then take it from there and integrate with backend.
Google has now announced a generic fingerprint API for Android that can be utilised by any custom apps for authorisation and not just the native Google apps. It looks like the future is just getting brighter!
Taken from the Android Developers page linked below:
"To authenticate users via fingerprint scan, get an instance of the new FingerprintManager class and call the authenticate() method."
However you must also include this permission:
<uses-permission android:name="android.permission.USE_FINGERPRINT" />
If you want to find out more information then visit this URL and scroll down to Authentication:
https://developer.android.com/about/versions/marshmallow/android-6.0.html#fingerprint-authentication
Samsung provides Pass API to register, request and validate fingerprints. Its in here SAMSUNG FINGER PRINT API. There is a sample program too.
Fingerprint API preview for Android M is found here with Sample App. As of this writing, Android Compatibility Definition for Android M hasn't been published. So, if fingerprint sensor, the key hardware component of the fingerprint framework, is left as a "SHOULD" requirement (most likely to be true), then OEMs decide either to incorporate the sensor or not. But, since Android Pay is strongly ties to finger print framework, this may drive OEMs to include the fingerprint sensor.
I found this in google samples which demonstrates how you can use registered fingerprints in your app to authenticate the user before proceeding some actions such as purchasing an item.
First you need to create a symmetric key in the Android Key Store using KeyGenerator which can be only be used after the user has authenticated with fingerprint and pass a KeyGenParameterSpec.
By setting KeyGenParameterSpec.Builder.setUserAuthenticationRequired
to true, you can permit the use of the key only after the user
authenticate it including when authenticated with the user's
fingerprint.
Then start listening to a fingerprint on the fingerprint sensor by
calling FingerprintManager.authenticate with a Cipher initialized with
the symmetric key created. Or alternatively you can fall back to
server-side verified password as an authenticator.
Once the fingerprint (or password) is verified, the
FingerprintManager.AuthenticationCallback#onAuthenticationSucceeded()
callback is called.
It requires SDK V23. AFAIK its not useful for Samsung S5 but it might help others to use this feature.