I'm trying to find a way to support the following scenario with fingerprint scan authentication. I work on an app that is used in an enterprise setting, where a single Android device is likely to be shared by many users. The current fingerprint scan APIs seem to follow a model where a user registers their fingerprint with the device, and then the fingerprint scan library basically just verifies that the fingerprint being scanned matches some known fingerprint stored locally in the device. This model is incompatible with my use case, since each of my users may pick up a different Android device each time they need to use the app. And each device may be used by multiple users.
Are there any ideas for overcoming this problem? I'm thinking along the lines of getting some kind of hash or other unique identifier from the fingerprint scanner, which I could then store in my central database, and each user authentication attempt can be authenticated against this central server. But sadly, it looks like neither Google's API nor vendor-specific SDKs allow this behavior.
Suggestions/insight would be appreciated.
If a device has a fingerprint sensor, a user can enroll one or more fingerprints and then use their fingerprints to unlock the device and perform other tasks.
Android uses the Fingerprint Hardware Abstraction Layer (HAL) to connect to a vendor-specific library and fingerprint hardware, e.g. a fingerprint sensor.
I have a biometric USB fingerprint sensor for Android devices.
I want to develop an application that reads a user's fingerprint via the sensor and stores it in an SQLite database so that it can be verified when the user logs in.
So, are there any tutorials or code samples that explain how to do that?
Thanks in advance.
Reading users' biometric materials and storing them in an SQLite database seems a suspect usage of biometrics on Android. Normally quite a few security measures go into collecting a user's biometric material on Android. On approved Android devices, no third party app can read a user's biometric material. The way it works is the third party app gets confirmation from the Framework that indeed the user registered on the device is the same user who just now authenticated.
It normally goes like this:
User registered their biometric materials with the device usually through the device Settings -- this is securely handled by the device implementation/OEM.
Some time later, a third party app wants a user to authenticate using biometrics.
The app relays the user's wish to the Framework.
The framework handles the authentication. The user, in the case of fingerprint biometrics, taps their fingerprint on the sensor and the sensor checks if the new fingerprint matches a pre-registered template.
The framework tells the third party app yes, the fingerprint matches the template that was registered with the device -- or no, this fingerprint is not recognized. But at no point is the biometric material of a user itself shared with a third party app or allowed to leave the device.
So...yeah, your use case sounds suspect.
You may find more info on recommended implementation here.
Is it possible to program a Samsung device fingerprint reader to read and store multiple fingerprints for third-party app use, not for device functionality?
I would store it in my own database. In other words, I am interested in using the fingerprint reader to read and save in my database multiple users' fingerprints through an app.
If anyone knows someone capable of doing this I am interested in the service.
Thank you
You need to use an external fingerprint sensor with a specific Android SDK, or a specific Android device embedding a fingerprint sensor with a specific SDK.
It's not possible with consumer-market Android devices.
Here are the features of the Samsung Pass SDK:
You can use the Pass SDK to (source):
Request fingerprint recognition
Cancel fingerprint recognition requests
Verify whether the fingerprint of the current user matches the fingerprint registered on the device
Register fingerprints through the Enroll screen
Get the index of the identified fingerprint from the array of registered fingerprints
Set the index of the fingerprint for recognition requests
Add a title for the user interface
Add a logo icon for the user interface
Set the transparency of elements outside the user interface
Set whether the user interface is dismissed or not when touching elements outside it
Broadcast actions when registered fingerprint is changed
Get the guide for poor quality
Set the button for the user interface
Change the standby string for the user interface
I am trying to find an answer to the question of, if I have a database of fingerprints or fingerprint hashes, can I use the iOS or Android fingerprint scanners to compare the fingerprint being offered against my database and not against the local fingerprint copy? In practical application I want to enroll people into a program that uses fingerprints to secure the account and I want the exact same fingerprint to allow access to the account on the handheld device.
Thanks
In iOS, you can't. The Touch ID scanner is used at the system level; you only have access to the validation check. You can authenticate the user with the LocalAuthentication framework. You can check the example in the Apple documentation.
I cannot speak to the Android answer of this, but with iOS: no, that is not possible.
Apple restricts the use of Touch ID to its own internal database per device as a security precaution. You are not able to retrieve, store, or view any fingerprint data from a user. If you want to use Touch ID in your app, you must implement the relevant LocalAuthentication framework from iOS and it will do the work for you, returning only a grant or deny.
Is it doable to collect user fingerprints with Android? Our backend system has a fingerprint database. We'd like to match the fingerprints collected against the database to see if there is a match.
If by "collect user fingerprint" you mean getting an image of the fingerprint in some form, then no, you can't.
Android's fingerprint API essentially works like this:
The user enrolls a fingerprint in the Android Settings app.
Your app creates a cryptographic key that it associates with the user, and a CryptoObject based on that key, and starts a fingerprint authentication.
If the fingerprint read by the sensor matches any of the enrolled fingerprints, the authentication is successful and the CryptoObject can be used to perform a cryptographic operation (such as encrypting/decrypting some data).
At no point is the actual fingerprint available to your app, to any other app, or even to the OS.
From Google's fingerprint implementation guidelines to manufacturers:
Raw fingerprint data or derivatives (e.g. templates) must never be accessible from outside the sensor driver or Trusted Execution Environment (TEE).
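The flow described in this answer, as an added example (not from the original post and not Google's sample code): a Keystore key that requires user authentication is wrapped in a CryptoObject and, after a sensor match, signs a server-issued nonce. It uses the Marshmallow-era FingerprintManager class named on this page (later deprecated in favour of BiometricPrompt); the class name, key alias, Listener interface and nonce parameter are assumptions made for illustration.

```java
import android.hardware.fingerprint.FingerprintManager;
import android.os.CancellationSignal;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.security.*;
import java.security.spec.ECGenParameterSpec;

// Added example (API 23+, needs the USE_FINGERPRINT permission); names below are illustrative.
public final class FingerprintChallengeSigner {
    private static final String KEY_ALIAS = "example_login_key"; // hypothetical alias
    public interface Listener { // hypothetical callback type for this example
        void onSigned(byte[] signature);
        void onRejected(CharSequence reason);
    }
    // Creates the key pair in the Android Keystore; returns the X.509 public key for the server.
    public static byte[] createKey() throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        gen.initialize(new KeyGenParameterSpec.Builder(KEY_ALIAS, KeyProperties.PURPOSE_SIGN)
                .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setUserAuthenticationRequired(true) // private key is unusable without a match
                .build());
        return gen.generateKeyPair().getPublic().getEncoded();
    }
    // Starts a scan; on a match, signs the server-issued nonce with the unlocked key.
    public static void sign(FingerprintManager fm, final byte[] serverNonce,
                            final Listener listener) throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initSign((PrivateKey) ks.getKey(KEY_ALIAS, null));
        fm.authenticate(new FingerprintManager.CryptoObject(sig), new CancellationSignal(), 0,
                new FingerprintManager.AuthenticationCallback() {
                    @Override public void onAuthenticationSucceeded(
                            FingerprintManager.AuthenticationResult result) {
                        try {
                            Signature s = result.getCryptoObject().getSignature();
                            s.update(serverNonce);
                            listener.onSigned(s.sign()); // the only value sent to the server
                        } catch (SignatureException e) {
                            listener.onRejected(e.getMessage());
                        }
                    }
                    @Override public void onAuthenticationError(int code, CharSequence msg) {
                        listener.onRejected(msg);
                    }
                }, null);
    }
}
```

The server verifies the signature against the public key returned by `createKey()`. Because any fingerprint enrolled on the device unlocks the key, the signature proves possession of that device's key by someone enrolled on it, not the identity of a particular person.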
Actually my question is about the possibility to collect multiple
users' fingerprints. I have a database which stores all users'
fingerprints. Now I would like to have an app. The user can use his
fingerprint to log into my app. Is it possible?
Regarding using the built-in fingerprint scanner on an Android device, I don't think any kind of "collecting" data connected with previously scanned fingerprints is possible. The environment which the Android system uses to store and match scanned fingerprints is pretty well sealed (it's called TEE - Trusted Execution Environment) and, according to an Android Central article (https://www.androidcentral.com/how-does-android-save-your-fingerprints), there are some basic rules that every company making Android phones with a fingerprint sensor has to follow, among them:
Fingerprint data of any kind must not be backed up to any other
source, including the cloud or your computer or any application
Fingerprint authentication must be used by the process that requested
it (no sharing of any fingerprint data, even just the yes or no
answer to see if it was correct)
So, you can have an app which will have the fingerprint authentication feature, but it will be just an "authenticated" or "not authenticated" response, based on fingerprints already enrolled on this device in Settings, without the possibility to connect each user with each fingerprint.
I haven't tried this yet, but the recent Android OS (Marshmallow) has the ability to do that.
"To authenticate users via fingerprint scan, get an instance of the
new FingerprintManager class and call the authenticate() method. Your
app must be running on a compatible device with a fingerprint sensor.
You must implement the user interface for the fingerprint
authentication flow on your app, and use the standard Android
fingerprint icon in your UI. The Android fingerprint icon
(c_fp_40px.png) is included in the Fingerprint Dialog sample. If you
are developing multiple apps that use fingerprint authentication, note
that each app must authenticate the user’s fingerprint independently."
https://developer.android.com/about/versions/marshmallow/android-6.0.html
Two restrictions:
Android 6.0 and higher
Fingerprint sensor inside device
You can find the up-to-date market share of Android 6.0 here:
https://developer.android.com/about/dashboards/index.html
It is possible to do so with an External Fingerprint Scanner.
By External Fingerprint Scanner I am referring to a Fingerprint Scanner that you can use besides the default Fingerprint Scanner that ships with your Android device.
As for an External Fingerprint Scanner, a USB based Fingerprint Scanner would suffice for your use case.
To capture Fingerprint Images which you can send to your Backend System Database from where you can Save them and Compare them with other Fingerprint Images captured by e.g. a Computer, your onboard Fingerprint Scanner would not suffice for such a use case as is mentioned by #Michael's answer. This is where an External Fingerprint Scanner would be your best bet.
To introduce an External Fingerprint Scanner to work with your Android device, you would need to get an OTG cable to interface the USB Fingerprint Scanner to your Android device.
Thereafter, you would have to get the Fingerprint Scanner's Android Biometric API to code an Android Application that can make calls like Fingerprint Capture, Fingerprint Enroll and Fingerprint Authenticate to the Fingerprint Scanner so that you can be able to capture the Fingerprint Images for Biometric Enrollment and Biometric Authentication.
It would be essential to make sure that the relaying of Biometric Fingerprint data over a network to the System Database for Storage or Authentication is happening over a secure dedicated VPN connection after it has first been encrypted before being sent over the network that links up the Android device and your Backend System.
Important: Not all Fingerprint Scanners come with Android Biometric APIs that can help you implement Android Biometric Fingerprint Capture or Android Biometric Fingerprint Enrollment. You will need to check that first before you settle on a unit Fingerprint Scanner for your Android Biometric Integration project.
I am looking for retrieving Fingerprint data to be sent to server backend. My application is used by sales team and whenever there is new customer, the sales will ask customer to scan his fingerprint (and eventually send them to corporate server).
Is it possible to do it using latest API/SDK available out there?
AFAIK, the Samsung SDK doesn't provide it, nor does Android Marshmallow.
Neither the fingerprint image nor its features are accessible by the API. From the Android website, I quote:
Thus, raw images and processed fingerprint features must not be passed in untrusted memory. All such biometric data needs to be secured within sensor hardware or trusted memory. (Memory inside the TEE is considered as trusted memory; memory outside the TEE is considered untrusted.)
I seriously doubt you can get raw fingerprint data because it is used as an authentication method.
In the same way that you can't retrieve the device password, you won't be able to get fingerprint data. It would be a significant security risk to do so.
As mentioned before, the Fingerprint APIs won't allow you access to the raw data.
But there is a different solution. Don't use the Fingerprint scanner. Instead use the camera.