I am new to fingerprint authentication in smartphones. As we know, the Samsung S5 currently supports a fingerprint scanner. Is it possible to develop a custom application that can use the scanner to authenticate a user? I just need to know the identity of the user and whether he has been authenticated correctly. My app can then take it from there and integrate with the backend.
Google has now announced a generic fingerprint API for Android that can be utilised by any custom apps for authorisation and not just the native Google apps. It looks like the future is just getting brighter!
Taken from the Android Developers page linked below:
"To authenticate users via fingerprint scan, get an instance of the new FingerprintManager class and call the authenticate() method."
However you must also include this permission:
<uses-permission android:name="android.permission.USE_FINGERPRINT" />
If you want to find out more information then visit this URL and scroll down to Authentication:
https://developer.android.com/about/versions/marshmallow/android-6.0.html#fingerprint-authentication
Samsung provides the Pass API to register, request and validate fingerprints. It's in here: SAMSUNG FINGER PRINT API. There is a sample program too.
The Fingerprint API preview for Android M is found here, with a sample app. As of this writing, the Android Compatibility Definition for Android M hasn't been published. So, if the fingerprint sensor, the key hardware component of the fingerprint framework, is left as a "SHOULD" requirement (most likely to be true), then OEMs decide whether to incorporate the sensor or not. But, since Android Pay is strongly tied to the fingerprint framework, this may drive OEMs to include the fingerprint sensor.
I found this in the Google samples, which demonstrates how you can use registered fingerprints in your app to authenticate the user before proceeding with some actions such as purchasing an item.
First you need to create a symmetric key in the Android Key Store using KeyGenerator, which can only be used after the user has authenticated with a fingerprint, and pass a KeyGenParameterSpec.
By setting KeyGenParameterSpec.Builder.setUserAuthenticationRequired to true, you can permit the use of the key only after the user authenticates it, including when authenticated with the user's fingerprint.
Then start listening to a fingerprint on the fingerprint sensor by calling FingerprintManager.authenticate with a Cipher initialized with the symmetric key created. Or alternatively you can fall back to a server-side verified password as an authenticator.
Once the fingerprint (or password) is verified, the FingerprintManager.AuthenticationCallback#onAuthenticationSucceeded() callback is called.
It requires SDK v23. AFAIK it's not useful for the Samsung S5, but it might help others to use this feature.
Disclaimer: First of all I'm not an Android developer but a security professional.
My company wants to implement fingerprint authentication in its Android app and I'm wondering if there is any way to log the failed authentication attempts in the application?
According to my current understanding after the application calls the fingerprint authentication API of the OS it does not see how many times the user failed to provide a valid fingerprint, it only waits for a callback containing the key extracted from the keystore in case of successful authentication or a "fingerprint authentication canceled" message if the user decides not to use the fingerprint authentication and fall back to PIN authentication instead (let's suppose that this is implemented).
According to the documentation, when you launch the FingerprintManager, you provide an AuthenticationCallback listener.
This listener contains a method onAuthenticationFailed() that will be called every time a correct fingerprint has been detected and that given fingerprint is not registered in the device.
This callback is available since API 23 in the native Android system and in the compatibility libraries.
In this callback you should be able to do whatever you want.
But this may differ if you're using any third-party library.
I hope this will help you.
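As an added example (not the answer's own code), here is an AuthenticationCallback that keeps a per-session count of onAuthenticationFailed() calls and separates them from the terminal error codes the OS reports (lockout after repeated mismatches, cancellation when the user falls back to a PIN). It logs counts and codes only, never anything derived from the fingerprint itself, since the app never receives that data. Class name, tag and log wording are assumptions.

```java
// Added example; assumes API 23+ (android.hardware.fingerprint.FingerprintManager).
// Pass an instance to FingerprintManager.authenticate(...) as the callback argument.
import android.hardware.fingerprint.FingerprintManager;
import android.util.Log;

import java.util.concurrent.atomic.AtomicInteger;

public class AuditingFingerprintCallback extends FingerprintManager.AuthenticationCallback {
    private static final String TAG = "FingerprintAudit";   // assumed log tag
    private final AtomicInteger failedAttempts = new AtomicInteger();

    @Override
    public void onAuthenticationFailed() {
        // A finger was captured and read cleanly, but it matched none of the enrolled fingerprints.
        // This is the only per-attempt signal the app gets, so count it here.
        int n = failedAttempts.incrementAndGet();
        Log.w(TAG, "fingerprint mismatch, attempt " + n + " this session");
    }

    @Override
    public void onAuthenticationHelp(int helpCode, CharSequence helpString) {
        // Recoverable acquisition hints (dirty sensor, partial touch); not a failed attempt.
        Log.d(TAG, "help " + helpCode + ": " + helpString);
    }

    @Override
    public void onAuthenticationError(int errorCode, CharSequence errString) {
        // Terminal for this authenticate() call; the sensor stops listening.
        switch (errorCode) {
            case FingerprintManager.FINGERPRINT_ERROR_LOCKOUT:
                // The OS rate-limits the sensor after repeated mismatches; the app cannot tune this,
                // but it can record how many mismatches it observed before the lockout.
                Log.w(TAG, "OS lockout after " + failedAttempts.get() + " observed mismatches");
                break;
            case FingerprintManager.FINGERPRINT_ERROR_CANCELED:
                // CancellationSignal.cancel() was called, e.g. user switched to PIN fallback.
                Log.i(TAG, "fingerprint authentication cancelled after "
                        + failedAttempts.get() + " mismatches");
                break;
            default:
                Log.e(TAG, "fingerprint error " + errorCode + ": " + errString);
        }
    }

    @Override
    public void onAuthenticationSucceeded(FingerprintManager.AuthenticationResult result) {
        Log.i(TAG, "fingerprint verified after " + failedAttempts.get() + " mismatches");
        failedAttempts.set(0);
    }

    /** Number of mismatches seen since the last success; useful for an app-side audit record. */
    public int getFailedAttempts() {
        return failedAttempts.get();
    }
}
```

The count is per authenticate() session and lives only in the app; if it needs to reach a backend audit log, send it from onAuthenticationError or onAuthenticationSucceeded together with the session context, not the raw callback strings, which are meant for display.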
I am a beginner in Android development. I want to create an application having fingerprint authentication. I want to register multiple users' (50) fingerprints using the fingerprint sensor of the phone. Also I want to authenticate it when a user logs in. Can anyone help us?
FingerprintManager only has these 3 features:
authenticate : for authenticating user
hasEnrolledFingerprints : Determine if there is at least one fingerprint enrolled.
isHardwareDetected : Determine if fingerprint hardware is present and functional.
You can check the FingerprintManager docs here:
https://developer.android.com/reference/android/hardware/fingerprint/FingerprintManager.html
As per the Nexus FAQs:
Your fingerprint data is stored securely and never leaves your Pixel or Nexus phone. Your fingerprint data isn't shared with Google or any apps on your device. Apps are notified only whether your fingerprint was verified.
which explains very well that you can use fingerprints for verification purposes only. It's just an alternative to any app lock available in the marketplace.
I've tried to generate a key pair using the Google sample (BasicAndroidKeyStore). The only modification I made is setting the setUserAuthenticationRequired(true) in the KeyGenParameterSpec.Builder.
I assume it would work fine on a device with the embedded Fingerprint scanner, but running it on OnePlus One (working under Android 6.0), I get the following exception:
At least one fingerprint must be enrolled to create keys requiring user authentication for every use
The phone does have the lock screen set to use the pattern, but apparently it requires fingerprint for the authentication. Any idea how to use API 23 keystore without having the actual Fingerprint reader?
On modern Android devices, the fingerprint scanner is directly linked with the hardware security module.
As a result, there is now a meaningful way to provide isolated encryption that's protected - even on a rooted phone.
Check out these guidelines:
https://developer.android.com/training/articles/keystore#HardwareSecurityModule
An attacker would have to trick a user into swiping their fingerprint in order to unlock stuff... and that's only one decryption or signature per swipe.
This is "pretty good" security, but because of the API limitations and restrictions (notably the lack of ECDH!), most apps that claim to use Android's keychain system don't use the StrongBox. Even those that do won't warn the user when it's not available.
As a result, a jailbreak or zero day can compromise most app keys.
Please consider detecting enrollment, and warning your user that their data is more vulnerable on a device that does not have an enrolled hardware biometry device.
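As an added example (not the answer's own code), the check the answer asks for: inspect an existing AndroidKeyStore key's KeyInfo to see whether it lives in secure hardware and whether its user-authentication requirement is enforced there, combine that with the sensor and enrollment state, and return a coarse protection level the app can show to the user. The alias, enum names and the decision rules are assumptions.

```java
// Added example; assumes API 23+ and a key already created under `alias` in AndroidKeyStore.
import android.content.Context;
import android.hardware.fingerprint.FingerprintManager;
import android.security.keystore.KeyInfo;

import java.security.KeyStore;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;

public class KeyProtectionCheck {

    /** Assumed ranking, weakest first, for the warning the app shows. */
    public enum Level { SOFTWARE_ONLY, HARDWARE_NO_BIOMETRIC, HARDWARE_AND_BIOMETRIC }

    /**
     * Reports how well the key behind `alias` is protected on this device.
     * Returns SOFTWARE_ONLY when the keystore cannot confirm secure hardware,
     * HARDWARE_NO_BIOMETRIC when the key is in hardware but no fingerprint gates it
     * (not auth-bound, or nothing enrolled), HARDWARE_AND_BIOMETRIC otherwise.
     */
    public static Level assess(Context context, String alias) throws Exception {
        KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
        keyStore.load(null);
        SecretKey key = (SecretKey) keyStore.getKey(alias, null);
        if (key == null) {
            throw new IllegalStateException("no key under alias " + alias);
        }

        // KeyInfo is the keystore's own statement about where and how the key is kept.
        SecretKeyFactory factory = SecretKeyFactory.getInstance(key.getAlgorithm(), "AndroidKeyStore");
        KeyInfo info = (KeyInfo) factory.getKeySpec(key, KeyInfo.class);

        boolean inHardware = info.isInsideSecureHardware();
        // Both flags are needed: a key can "require" authentication that only the
        // framework, not the secure hardware, enforces.
        boolean authBoundInHardware = info.isUserAuthenticationRequired()
                && info.isUserAuthenticationRequirementEnforcedBySecureHardware();

        FingerprintManager fm =
                (FingerprintManager) context.getSystemService(Context.FINGERPRINT_SERVICE);
        boolean biometricUsable = fm != null
                && fm.isHardwareDetected()
                && fm.hasEnrolledFingerprints();

        if (!inHardware) {
            return Level.SOFTWARE_ONLY;
        }
        return (authBoundInHardware && biometricUsable)
                ? Level.HARDWARE_AND_BIOMETRIC
                : Level.HARDWARE_NO_BIOMETRIC;
    }
}
```

Call assess() once after key creation and again on each start, since enrollment can change between runs; anything below HARDWARE_AND_BIOMETRIC is the case the answer wants surfaced to the user. On API 28+ a key can additionally be requested from the StrongBox with KeyGenParameterSpec.Builder.setIsStrongBoxBacked(true), and the keystore throws StrongBoxUnavailableException when the device has none, which is the moment to record that the stronger backing was not available.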
I have also faced the same issue with Moto devices.
For now I have done this code, to check before using fingerprint authentication.
    // Requires API 23 (android.hardware.fingerprint.FingerprintManager) and the USE_FINGERPRINT permission.
    // Obtain the manager with context.getSystemService(Context.FINGERPRINT_SERVICE).
    private FingerprintManager mFingerprintManager;

    public boolean isFingerprintAuthAvailable() {
        // Both checks are needed: a device can have the sensor but no enrolled fingerprint,
        // and that is exactly the state in which creating an auth-bound key throws.
        return mFingerprintManager.isHardwareDetected()
                && mFingerprintManager.hasEnrolledFingerprints();
    }
For more, check this sample from which I have implemented it. Hope it will help you...
I'm implementing fingerprint authentication in an existing Android application making use of FingerprintManagerCompat. I used a tutorial as guidance that can be found here.
(android.support.v4.content.ContextCompat)
As FingerprintManagerCompat makes use of saved fingerprints on the mobile device, any fingerprint on the device can be used to login to the application.
Is it possible to see which one of the fingerprints on the device were used to unlock and if so is there a method to get all saved fingerprints that are available on the device?
I looked around for information on whether this is possible and I can't seem to find anything. I have found that the Samsung Pass SDK does have functionality to see what fingerprint is used, but the product owner does not want me to use Samsung's Pass SDK as his penetration testing team found that it is not very secure.
Is there a method to get all saved fingerprints that are available on the device?
No.
Is it possible to see which one of the fingerprints on the device were used to unlock
No.
However, there are some limitations to which fingerprints can be used to authenticate within your app. The result of a fingerprint authentication is that you make a cryptographic key available to perform some cryptographic operation (e.g. creating a digital signature). So when you add a user in your app you'd typically create a cryptographic key that you associate with that user. Then later on, when the user wants to perform some action that requires him/her to be authenticated, you do the fingerprint authentication, which gives you access to the key, which you can use to do whatever it is that you need to do to verify that the user should be allowed to perform the action.
What happens when a new fingerprint is enrolled is that any existing cryptographic keys that require fingerprint authentication will be permanently invalidated.
That leaves us with the scenario where there are multiple enrolled fingerprints before the user is added in your app. I'm not aware of any way to do anything about this with the current APIs. So the best you can do might be to add some step in your fingerprint-enabling UI flow where the user is asked to verify that only they have enrolled a fingerprint on the device (e.g. by checking a checkbox or clicking a button).
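The flow described in this answer, and the KeyGenerator / KeyGenParameterSpec / FingerprintManager.authenticate sequence summarised in the earlier answer about the Google sample, as one added example (not the Google sample's code and not either answer's own): a key per app user with setUserAuthenticationRequired(true), a cipher initialisation that detects the permanent invalidation caused by an enrollment change, and the authenticate() call that only lets the cipher operate inside onAuthenticationSucceeded. The alias scheme, user ids, class and tag names are assumptions.

```java
// Added example; requires API 23+ and android.permission.USE_FINGERPRINT in the manifest.
import android.content.Context;
import android.hardware.fingerprint.FingerprintManager;
import android.os.CancellationSignal;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import android.util.Log;

import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class PerUserFingerprintKeys {
    private static final String TAG = "PerUserFpKeys";          // assumed log tag
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String TRANSFORMATION = "AES/CBC/PKCS7Padding";

    /** One keystore alias per app user (assumed naming scheme). */
    static String aliasFor(String userId) {
        return "fp_user_" + userId;
    }

    /** Creates an AES key the keystore releases only after a fingerprint authentication. */
    public static void enrollUser(String userId) throws Exception {
        KeyGenerator generator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        generator.init(new KeyGenParameterSpec.Builder(aliasFor(userId),
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
                // No validity window: every use needs a fresh fingerprint.
                .setUserAuthenticationRequired(true)
                .build());
        generator.generateKey();
    }

    /**
     * Returns a Cipher bound to the user's key, or null when there is no key or the key
     * was permanently invalidated because the enrolled fingerprints changed after enrollUser().
     * A null result means the app must re-run its own enrollment step for that user.
     */
    public static Cipher cipherFor(String userId) throws Exception {
        KeyStore keyStore = KeyStore.getInstance(KEYSTORE);
        keyStore.load(null);
        SecretKey key = (SecretKey) keyStore.getKey(aliasFor(userId), null);
        if (key == null) {
            return null;                                  // user never enrolled in this app
        }
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        try {
            cipher.init(Cipher.ENCRYPT_MODE, key);        // allowed before the swipe; doFinal is not
            return cipher;
        } catch (KeyPermanentlyInvalidatedException e) {
            Log.w(TAG, "key for user " + userId + " invalidated by an enrollment change");
            keyStore.deleteEntry(aliasFor(userId));       // it can never be used again
            return null;
        }
    }

    /** Starts listening on the sensor; the gated operation runs only inside the success callback. */
    public static CancellationSignal authenticate(Context context, Cipher cipher, final byte[] payload) {
        FingerprintManager fm =
                (FingerprintManager) context.getSystemService(Context.FINGERPRINT_SERVICE);
        CancellationSignal cancel = new CancellationSignal();   // cancel() when the user picks PIN
        fm.authenticate(new FingerprintManager.CryptoObject(cipher), cancel, 0,
                new FingerprintManager.AuthenticationCallback() {
                    @Override
                    public void onAuthenticationSucceeded(FingerprintManager.AuthenticationResult result) {
                        try {
                            Cipher c = result.getCryptoObject().getCipher();
                            byte[] ciphertext = c.doFinal(payload);   // succeeds only now
                            Log.i(TAG, "gated operation done: " + ciphertext.length
                                    + " bytes, IV length " + c.getIV().length);
                        } catch (Exception e) {
                            Log.e(TAG, "cipher failed after authentication", e);
                        }
                    }

                    @Override
                    public void onAuthenticationError(int errorCode, CharSequence errString) {
                        Log.w(TAG, "fingerprint error " + errorCode + ": " + errString);
                    }
                }, null);
        return cancel;
    }
}
```

As both answers state, this proves that some enrolled fingerprint was presented, not which one: any finger enrolled on the device before enrollUser() ran can unlock that user's key, which is why the UI confirmation step the answer suggests sits in front of enrollUser(). On API 24+ the invalidation-on-enrollment behaviour can be switched off with setInvalidatedByBiometricEnrollment(false); leaving it on, as here, is what makes a later enrollment detectable through cipherFor() returning null.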
Can we use the FingerprintManager in Android M (API 22) to identify (along with authorize) the user?
For example, there are two finger prints registered in the device, one for user A and one for user B. Does the API provide support to detect which user, A or B, just logged in?
No. In fact, the Android Compatibility Definition for Android 6.0 states in the Fingerprint section (7.3.10):
MUST NOT enable 3rd-party applications to distinguish between individual fingerprints.
Therefore while you could write an app that uses the fingerprint as a mechanism to authenticate the user, any registered fingerprint associated with the current user account could be used.
The Android fingerprint method does not provide a fingerprint name or any unique identity. It treats each registered fingerprint equally and just authenticates (valid user or invalid user, that's it).
Storage
The fingerprints are tied to the device (from the Nexus FAQ):
Your fingerprint data is stored securely and never leaves your device. Your data is not shared with Google or any apps on your device.
Therefore there is no way for an app to access the fingerprint data to be able to save it or use across the devices.
Suggestion:
To distinguish multiple users or devices, you should use an external fingerprint scanner. There are some external fingerprint scanners compatible with the Android platform and with an SDK for Android. These SDKs allow you to enroll and verify multiple users.