According to this website, there is a hashed value for fingerprints. Is there a way to access this hashed value?
http://www.engadget.com/2013/09/22/iphone-5s-fingerprint-sensor-gets-completely-misunderstood/
What about Android?
Thanks for your help in advance.
Fingerprint data is encrypted and protected with a key available only to the Secure Enclave. Fingerprint data is used only by the Secure Enclave to verify that your fingerprint matches the enrolled fingerprint data. The Secure Enclave is walled off from the rest of the chip and the rest of iOS. Therefore, iOS and other apps never access your fingerprint data, it's never stored on Apple servers, and it's never backed up to iCloud or anywhere else. Only Touch ID uses it, and it can't be used to match against other fingerprint databases.
https://support.apple.com/en-us/HT204587
The goal is to store a key inside an Android device which is protected by the fingerprint, faceprint, or passcode, depending on which are available.
The key should not be accessible in software without providing a valid fingerprint.
The key should not be stored outside of the device unless a valid fingerprint is provided.
The key should not be accessible outside of hardware, meaning that compromised software implementations should not be able to access the key.
This is similar to the iOS KeyChain.
The question is how this can be achieved. I have done extensive research, and most implementations simply return a boolean to indicate whether biometric authentication was successful.
Any thoughts or ideas are appreciated.
Have you looked at the authenticate(CryptoObject) API? Here's a demo app.
I'm trying to authenticate users to the backend server using fingerprint.
The scenario that I can think of is when the user registers a new account, I should send some sort of unique identifier related to the fingerprint to the server.
Later the user can send only that unique id to the server to log in, with no passwords or emails or any other credentials.
Is that possible?
If so, how?
It is technically possible since it has been done.
As the user registers with or for a new account, you also enroll one or more fingerprints. To do that, a fingerprint scanner is required. (Note that the fingerprint image that the Android fingerprint reader captures cannot be "taken" out of the phone. You need an external fingerprint reader.)
Also needed is some sort of SDK for extracting a template from the fingerprint image. (The template is close to what you might be calling the unique identifier, although it might not really be that unique.) The manufacturer of the fingerprint reader usually also supplies the SDK. If they do not, you'll need a third-party SDK. One can search online for those.
The extracted template is stored on the server alongside other user data. At login, you extract a template from the same finger, transmit it to the server, and search amongst the previously enrolled templates. For that search (identification), you also need some SDK, or some sort of AFIS. There are commercial as well as free offerings (such as sourceAfis).
A better explanation is given in the Wikipedia article.
I am trying to find an answer to the following question: if I have a database of fingerprints or fingerprint hashes, can I use the iOS or Android fingerprint scanners to compare the fingerprint being offered against my database, and not against the local fingerprint copy? In practical application I want to enroll people into a program that uses fingerprints to secure the account, and I want the exact same fingerprint to allow access to the account on the handheld device.
Thanks
In iOS, you can't. The Touch ID scanner is used at the system level; you only have access to the result of the validation. You can authenticate the user with the LocalAuthentication framework. You can check the example from the Apple documentation.
I cannot speak to the Android answer of this, but with iOS; No, that is not possible.
Apple restricts the use of Touch ID to its own internal database per device as a security precaution. You are not able to retrieve, store, or view any fingerprint data from a user. If you want to use Touch ID in your app, you must implement the relevant LocalAuthentication framework from iOS and it will do the work for you, returning only a grant or deny.
I'm looking into ways to secure data on mobile via fingerprint verification.
The situation on iOS seems fairly straightforward by securing data in the Keychain via Touch.
But can something like this be done on Android where a piece of data is secured via a fingerprint? Or would we have to handle the association of data and fingerprint internally within the app?
UPDATE:
So having done a little bit more reading on this on Android I'm assuming the best way of doing this would be to encrypt the data within the app but secure the key being used with FingerprintManager and the Android Keystore?
Yes, you're heading in the right direction ;-)
Basically the Keystore is just for creating / storing key material and cannot be compared to something like the SharedPreferences. You could use the Keystore APIs to create a new cryptographic key which requires user authentication and with the generated key you could then en-/decrypt data. In order to access the key inside the Keystore the user needs to authenticate (e.g. through fingerprint authentication).
I have created a demo project for the new Keystore APIs (including fingerprint authentication) which you can find on GitHub: https://github.com/flschweiger/SafeApp
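The pattern the two Android answers point at (authenticate(CryptoObject) plus a Keystore key that requires user authentication), as an added example that is not code from either answer or from the linked SafeApp project. It assumes the androidx.biometric library, API level 24 or higher, and a hypothetical key alias; the `BiometricVault` class and its method names are invented for this illustration.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import androidx.biometric.BiometricPrompt;
import androidx.core.content.ContextCompat;
import androidx.fragment.app.FragmentActivity;
import java.security.KeyStore;
import java.util.function.Consumer;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Hypothetical helper: the app encrypts its data, but the AES key never leaves AndroidKeyStore. */
public final class BiometricVault {
    private static final String ALIAS = "vault_key"; // assumed alias, choose your own
    private static final String PROVIDER = "AndroidKeyStore";

    /** Create the key once; later calls return the existing, non-exportable key. */
    static SecretKey getOrCreateKey() throws Exception {
        KeyStore ks = KeyStore.getInstance(PROVIDER);
        ks.load(null);
        if (ks.containsAlias(ALIAS)) return (SecretKey) ks.getKey(ALIAS, null);
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, PROVIDER);
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setUserAuthenticationRequired(true)       // Keystore refuses to use the key otherwise
                .setInvalidatedByBiometricEnrollment(true) // enrolling a new finger destroys the key
                .build());
        return kg.generateKey();
    }

    /** Encryption lets Keystore pick a fresh IV (read it with getIV()); decryption needs the stored IV. */
    static Cipher cipherFor(boolean decrypt, byte[] iv) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        if (decrypt) c.init(Cipher.DECRYPT_MODE, getOrCreateKey(), new GCMParameterSpec(128, iv));
        else c.init(Cipher.ENCRYPT_MODE, getOrCreateKey());
        return c;
    }

    /** Show the prompt; only the Cipher handed back on success is authorised to run doFinal(). */
    static void authenticate(FragmentActivity activity, Cipher cipher, Consumer<Cipher> onUnlocked) {
        BiometricPrompt prompt = new BiometricPrompt(activity, ContextCompat.getMainExecutor(activity),
                new BiometricPrompt.AuthenticationCallback() {
                    @Override public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult r) {
                        onUnlocked.accept(r.getCryptoObject().getCipher()); // app-side boolean is never trusted
                    }
                });
        BiometricPrompt.PromptInfo info = new BiometricPrompt.PromptInfo.Builder()
                .setTitle("Unlock vault").setNegativeButtonText("Cancel").build();
        prompt.authenticate(info, new BiometricPrompt.CryptoObject(cipher));
    }
}
```

To encrypt, call `authenticate(activity, cipherFor(false, null), c -> ...)` and in the callback store `c.getIV()` followed by `c.doFinal(plaintext)`; to decrypt, pass `cipherFor(true, storedIv)` and call `doFinal` on the remaining bytes, catching the exception that a failed GCM tag check raises. The decisive property is that a compromised app cannot skip the prompt: the key is inside the Keystore and will not perform the operation unless the hardware has seen a successful authentication bound to that Cipher.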
I've been reading documentation that says Android's and iOS's fingerprint scanning APIs store the user's encrypted fingerprint locally. Is it possible to build an application that captures the user's fingerprint, encrypts it like a password and stores it in the cloud?
If this isn't possible, are there any suggested workarounds people have explored in the past?
Thanks.
No, you can't get this info out of the device. All you're able to do is validate whether the fingerprint provided by the user matches one that's enrolled in the device. It's basically binary. The finger is recognized or not.
Typically what you want to do is store some kind of generated token in Keychain or other secure storage; after the user locally authenticates with their fingerprint, you use that stored token to authenticate the user with your server.