I am currently working on a mobile application (Android, iOS) which has the following requirement. Please tell me whether I can use the inbuilt fingerprint reader on the latest smartphones and tablets to achieve my requirement.
I have an HRM system running in the cloud, where I have the employee details.
Now I am developing a mobile app for employee time attendance; basically the application will work in the following steps.
When the employee opens the app, it will show a fingerprint login.
The employee will tap their finger on the device; assume it has inbuilt fingerprint reader support.
The mobile application will get the tapped fingerprint and send it via web service to my cloud application for verification. If the verification is successful, the cloud app web service will return the employee details for the matching fingerprint, and thereafter employees can do check-in and check-out.
(Assumption: I will be able to store fingerprints, relating them to my employee details in the remote cloud app where authentication will happen, so I think the device will let me access and save the fingerprint on remote servers.)
The fingerprint reader on iOS devices can only return a yes/no that indicates whether the finger presented matched a fingerprint enrolled on the device.
Actual fingerprint data is stored securely in the hardware and is not available to the operating system or apps.
So, the short answer to your question is "No" on iOS.
From the iOS Security Guide
The fingerprint sensor is active only when the capacitive steel ring that surrounds the Home button detects the touch of a finger, which triggers the advanced imaging array to scan the finger and send the scan to the Secure Enclave.
The raster scan is temporarily stored in encrypted memory within the Secure Enclave while being vectorized for analysis, and then it’s discarded. The analysis utilizes subdermal ridge flow angle mapping, which is a lossy process that discards minutia data that would be required to reconstruct the user’s actual fingerprint. The resulting map of nodes is stored without any identity information in an encrypted format that can only be read by the Secure Enclave, and is never sent to Apple or backed up to iCloud or iTunes.
Edit:
Look, is it just me, or doesn't the W3C spec say this should be happening already?
1.2.2. Authentication
On a laptop or desktop:
User pairs their phone with the laptop or desktop via Bluetooth.
User navigates to example.com in a browser and initiates signing in.
User gets a message from the browser, "Please complete this action on your phone."
Next, on their phone:
User sees a discrete prompt or notification, "Sign in to example.com."
User selects this prompt / notification.
User is shown a list of their example.com identities, e.g., "Sign in as Mohamed / Sign in as 张三".
User picks an identity, is prompted for an authorization gesture (PIN, biometric, etc.) and provides this.
Now, back on the laptop:
Web page shows that the selected user is signed in, and navigates to the signed-in page.
===============
My WebAuthn code happily interacts with Windows Hello for user verification via PIN. My Samsung Android phone happily interacts with the https://webauthn.appspot.com demo and accepts fingerprint verification.
But I can't seem to use my phone as a security key, like a YubiKey connected to my computer?
I can pair it with the PC via Bluetooth or tether it with a USB cable, but Windows will not recognize it as a security key.
Is this possible, or is the functionality restricted?
If we could use our phone as security keys, we'd need no special dongles for platform agnostic authentication.
In order for that to work, the phone device manufacturer would have to either always present itself as a FIDO2 authenticator, or have some sort of switch that allows it to change mode, kind of like how you can configure USB connection to be for charging or for data transfer. I don't see any technical reason why that could not be done, in fact it's come up multiple times in various discussions, but to my knowledge that is not an Android feature, at least not yet.
For that, either the smartphone OS or a 3rd-party application needs to implement the CTAP protocol to receive and process authentication operations on the phone. Currently, Android does, but not in a way that lets it be used as a cross-platform authenticator that is not tied to only one PC.
For 3rd-party apps, there are some certified solutions that are listed on the FIDO Alliance website as certified authenticators.
I recently found that the Pixel phone can do this.
When you open a FIDO2 web page via Chrome or Edge, it will prompt a dialog that shows "add Android Phone". Click it and a QR code (FIDO:/AAACCC...) appears. Scan the QR code with your Pixel camera (registered FIDO2 token).
Magic...
A push notification shows on the Pixel. Click it, wait, and scan your fingerprint. Finally your WebAuthn web verification is OK via BT.
The only question for me is what kinds of Android phones can support this scenario.
Can any other phone except the Pixel support scanning the QR code (FIDO:/....)?
I want a cheap biometric system using any (cheap) Android mobile in which, whoever presses their thumb, my Android code should get an authenticated callback with some unique person code (this is optional though).
But the question is whether we can change the Android settings to allow storing 100-500 people's fingerprints? Usually mobiles only allow up to 5 fingerprints to be stored.
my android code should get authenticated callback with some unique person code
Android does not support this. You only find out whether the user authenticated or not.
whether we can change the Android setting to allow storing of 100-500 people's finger prints?
Android does not support this.
I'm a beginner to Flutter and programming in general.
First I'd like to know if it's possible to notify the creator of an app or its back-end service that a fingerprint has been deregistered and a new one added.
Note: the objective is not to get fingerprint data but to uniquely identify people one way or another. For example, assume an app would like to manage dormitories that have a closing time of, say, 9 pm and intends to generate a report of everyone present inside by using their device location and a service on a local network that checks location data and asks for fingerprint authentication. There's every possibility that users could leave their devices with other users, who register their fingerprints as well, allowing them to provide authentication and creating inaccurate reports for the dormitory.
Any suggestions for the above situation?
There is no support for "detecting de-registration" directly. Even if it were, it would not be useful.
tl;dr: Access, guarded by a device-secret fingerprint or otherwise, from an arbitrary and uncontrolled device cannot be used to guarantee that the person who 'owns' the device is present. It is the data governance regulations (EULA, company/dorm policy, etc.) and trust in the user to adhere to such, including reporting violations, which allow the device-to-person assertion.
On a mobile device, fingerprint authentication is effectively a per-device secret that can accept any of the registered fingerprints, and which is used to protect other access/secrets.
Consider:
Fingerprints are not accessible directly by applications and thus cannot be used as "user IDs".
Each device uses a private per-device key to encrypt and store the fingerprint information. This information is not accessible externally nor is it uploaded.
See 'Secure Enclave' for iOS and 'Trusted Execution Environment' for Android.
A person can have multiple fingerprints registered per device. This implies that multiple fingerprints from different people can be added and there is no way to determine the difference. Likewise, a person could register a fingerprint for a different finger on multiple devices.
The encoding of a fingerprint is "one-way" data modeling that accepts the fingerprint as registered. The actual fingerprint data will differ, even before it's securely saved: it is only the application of this model onto the fingerprint pattern being presented that is useful.
Now, if there was a physically controlled device / system ...
An example of a physically controlled system might be the use of fixed terminals controlling single-person entry/exit doors (with security cameras and/or a physical guard), where people can only register a fingerprint in front of a trusted person after appropriate ID verification. How much does it really matter? And what happens when a person climbs through a window?
Having the app take a detailed face / eye scan off a live camera and sending it in to a controlled server for some internal biometric-based verification might be some [draconian] half-way step .. I'd say "No Thanks" ;-)
On iOS, if something is protected by fingerprint or Face ID, the developer can set an option so that the data can only be accessed if the set of registered fingerprints/faces is unchanged. So you could send a one-time code that the user puts in their keychain, and if they change the registered fingerprints, it's gone. Now if I registered fingerprints of myself and my three best mates, you can't detect that.
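The keychain option referred to in that answer, as an added example (not code from the original answer): a one-time code is stored under an access control of `.biometryCurrentSet`, so iOS invalidates the item as soon as the enrolled fingerprints/faces change and the next read fails with `errSecItemNotFound`. The service and account names are made-up identifiers for the example.

```swift
import Foundation
import Security
import LocalAuthentication

// Added example. Binds a keychain item to the CURRENT biometric enrolment:
// add or remove a fingerprint/face and the item is gone, which a back end can
// treat as "enrolment changed" when the code can no longer be produced.
enum BiometricBoundStore {
    static let service = "com.example.attendance"   // constructed identifier
    static let account = "one-time-code"             // constructed identifier

    /// Save `code` so it is readable only while the biometric enrolment is unchanged.
    static func store(code: String) -> OSStatus {
        var cfError: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
            .biometryCurrentSet,       // the option the answer refers to
            &cfError) else { return errSecParam }
        // Drop any previous copy so SecItemAdd does not fail with errSecDuplicateItem.
        _ = SecItemDelete([kSecClass: kSecClassGenericPassword,
                           kSecAttrService: service,
                           kSecAttrAccount: account] as CFDictionary)
        let attrs: [CFString: Any] = [
            kSecClass: kSecClassGenericPassword,
            kSecAttrService: service,
            kSecAttrAccount: account,
            kSecAttrAccessControl: access,
            kSecValueData: Data(code.utf8)
        ]
        return SecItemAdd(attrs as CFDictionary, nil)
    }

    /// Returns the code after a successful biometric prompt, or nil when the item
    /// was invalidated (enrolment changed) or the user cancelled.
    static func read() -> String? {
        let context = LAContext()
        context.localizedReason = "Confirm attendance"
        let query: [CFString: Any] = [
            kSecClass: kSecClassGenericPassword,
            kSecAttrService: service,
            kSecAttrAccount: account,
            kSecUseAuthenticationContext: context,
            kSecReturnData: true
        ]
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        // errSecItemNotFound here means iOS discarded the item because the set of
        // enrolled fingerprints/faces changed since store(code:) ran.
        guard status == errSecSuccess, let data = result as? Data else { return nil }
        return String(data: data, encoding: .utf8)
    }
}
```

As the answer notes, this only detects that the enrolment set changed; it says nothing about whose fingers were enrolled in the first place.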
I'm developing an application with Android Studio. The application is for attendance using fingerprints, and I want to be able to register users' fingerprints using a desktop application; the fingerprint will be registered from a physical fingerprint reader, and the encrypted data from it will be stored in a MySQL database. Then I want users to use their Android phone with a fingerprint sensor to respond to the attendance check. Actually I don't know if it is possible to compare an encrypted fingerprint from an Android phone with the one coming from the physical fingerprint reader.
What I need is just ideas on encryption or comparison between those two sources of data.
Thank you
From what I can understand, you are trying to develop an application with two ends:
One for the fingerprint enrollment from a desktop application.
One for matching the fingerprint to a probe fingerprint of an individual from an Android device.
See, what you are trying to achieve is nearly impossible, as #Michael clearly stated.
The answer is a bit elaborate. (The boring but detailed stuff)
For the enrollment part, if you are using a physical fingerprint reader, that device will definitely provide you with a fingerprint image along with some ISO templates of the fingerprint, whose name shall be kept unique by you, and that name can be stored in the database. Let's call this ISO the gallery ISO.
For the verification part, there are two approaches:
1:1 fingerprint match (the person first claims to be someone and places his/her fingerprint on a verification device to confirm the claim) and 1:N fingerprint match (the person doesn't tell your verification system who he/she is, but simply places his/her fingerprint on the device and the system searches for a probable fingerprint match).
Android devices store a fingerprint which cannot be accessed by the API; all you can achieve is either a YES or NO, i.e. whether the fingerprint is enrolled in the device or not.
You will have to use the same physical scanner connected via USB OTG to the Android device. If the physical scanner provides an SDK that supports Android devices then it's fine; otherwise you cannot just get the same ISO template from any other scanner.
However there is a standard template and most of the scanners generate it.
Like ISO-19794-2/FMR
The ISO generated at the verification end shall be called a (PROBE ISO).
Your fingerprint scanner's SDK shall really provide you a function like below:
long score = CompareISOs(byte[] GalleryISO,byte[] ProbeISO);
The "score" gives a value which tells you how confident the scanner is that the two ISO templates are the same, and the SDK must also provide you with a threshold, say 800.
So if the score after comparison is greater than 800, you have a match.
This is 1:1 verification.
One-to-N is a way more hectic task and requires a much more complex SDK like ABIS. That I shall leave as a research topic for you.
I hope my answer helps you to some level. I came across this question and decided to reply because you genuinely asked for some ideas. I hope this helps you to kick-start your research on fingerprints.
Kudos!
Well, this is a question which many have asked. But it seems that there is no way we can read a fingerprint scan and save it to our local database (as the answers to those questions suggest here: https://stackoverflow.com/a/36022446/5675550 , https://stackoverflow.com/a/38179087/5675550).
I have made a sample app which scans the user's fingerprint and authenticates users by using Android's native FingerprintManager.
I still want to know whether it is possible to read a fingerprint, save it to the app's database and maintain multiple-user authentication. For example, if User1 taps his fingerprint, the app should identify him as User1, and if User2 does the same, the app should identify her as User2.
It's possible with external fingerprint readers with a specific SDK, for instance:
https://www.crossmatch.com/biometric-identity-solutions/products/hardware/single-finger-modules/
https://www.morpho.com/fr/terminaux-biometriques/capteurs-de-bureau/capteurs-dempreinte-usb/morphosmart-serie-300
Or with specific Android Devices with specific SDK, for instance:
http://logic-instrument.com/fr/fieldbook-m-series.php
https://www.coppernic.fr/pda/c-one-e-id/
It's not possible on consumer market devices.