BiometricPrompt iris and face prompt is not working with Crypto object authentication. #AndroidX

2

10

Issue

  • Biometric authentication iris and face-detection is not prompting with biometricPrompt.authenticate(crypto, promptInfo) call.

Source reference:

Device used for testing:

  • Samsung S8 (Android OS 9)

Steps of Authentication I'm following:

  • val biometricPrompt = BiometricPrompt(...)
  • val promptInfo = BiometricPrompt.PromptInfo.Builder()...
  • biometricPrompt.authenticate(promptInfo) (PFA: option A, B)

and there is another authentication method which takes a cipher object to make sure

Everything worked just as expected with new and older API device support, until I tested the application with the other biometric authentication options, iris and face detection.

If I follow

  • biometricPrompt.authenticate(promptInfo), then the application simply displays the authentication option based on the user's preference, which he has to choose from Device Setting -> Biometric preference, and performs authentication independently. (PFA: option A, B)

  • But if I use biometricPrompt.authenticate(crypto, promptInfo), then it displays the fingerprint authentication option ONLY. For the other preference options, iris and face-detection, it does not display anything on the authenticate(..) method call. (PFA: option C)

Question

  • Why are the other biometric authentication options not prompting with crypto object authentication?


Arman answered 28/11, 2019 at 13:46 Comment(11)
The Android Compatibility Definition Document states that "To allow access to keystore keys to third-party applications, device implementations: [C-0-2] MUST meet the requirements for Strong as defined in this document". It then goes on to define what a Strong biometric sensor means. It's entirely possible that the iris and face scanners in the Galaxy S8 do not meet these requirements. - Verecund
Thanks @Verecund for pointing this out. I was checking with the sample given here and this is working with iris at least. For face-detection it is throwing BIOMETRIC_ERROR_NONE_ENROLLED. Any suggestion around this confusion? - Arman
@Verecund a couple of questions, if you can help. Android promised to release an Android-X update for all their on-device user authentication needs, and I can already see that the Samsung S-8 updated to OS-9 already has this capability. 1) Does that mean Samsung did its own SDK/framework-level solutioning? 2) How can I verify if an OEM device has support for C-0-2 or C-0-3? Any suggestion around this? - Arman
I believe the androidX biometrics library has a list of devices for which it will fall back to using fingerprint if the device's other biometric sensors are considered weak. I don't know in which version of the library that check was added though. See android-review.googlesource.com/c/platform/frameworks/support/+/… - Verecund
Yes, it must be, but maintaining a list is not a good idea. Though I still need to verify the feature's behaviour on other OEM devices. - Arman
This must be some firmware-level check that identifies whether the given biometric option is strong enough to perform authentication for/using a crypto object. If that fails, then it redirects control to the classic (FingerPrintManager or similar from the Biometric API) implementation. @Verecund - Arman
Since Google are relying on a blacklist approach themselves, it doesn't seem like they have a better solution to the problem right now. But there shouldn't be any need for you to maintain a list of your own. The idea is that the API checks for you and automatically falls back to fingerprint if the preferred biometric isn't secure enough on that device. - Verecund
This is what I understood so far, but it is hard to convince the user when he chooses iris/face-detection as a preference option from settings but your application falls back to fingerprint. Any findings on how to programmatically identify whether a sensor is strong enough to support crypto-based authentication? - Arman
None that I know of, aside from maintaining a blacklist of your own and keeping it updated whenever new devices are released. - Verecund
Btw, while checking with multiple devices I found that samsung-10 and plus devices have removed iris as an authentication option (fingerprint and face-detection are available), though iris is still available for s8 devices. All of these are running on Android-9 (while Google released with Android-10), which is another surprising factor. - Arman
"samsung-10 and plus devices has removed iris as authentication option" I believe that was mentioned here (see comment #7). - Verecund
2

Some devices only have one form factor, some have many form factors. Which form factor your app ends up using isn't really up to you; it's up to the OEM implementation. As explained in this blog post, whether a form factor is Strong or Weak doesn't depend on your code -- the OEM decides. However, you can request that a device uses Strong authentication for your app by specifying a CryptoObject when you call authenticate().

What you are experiencing is that the OEMs of your devices decided to make Fingerprint the default for Strong biometrics. Therefore, when you pass in a CryptoObject to authenticate() those devices show the user the UI for Fingerprint.

Diadromous answered 18/12, 2019 at 18:18 Comment(3)
Can face recognition be a strong biometric on certain devices or is it always considered weak? - Jacinda
So far it has been considered a weak option, but it can be improved further. - Arman
FYI (although quite late to the party) Face unlock is considered strong on some devices. The Pixel 4 for example is strong because it has the radar sensor and is not a purely optical match. - Iced
1

Face-Id is considered a WEAK authenticator. If you set .setAllowedAuthenticators(BIOMETRIC_WEAK or DEVICE_CREDENTIAL) in the BiometricPrompt Info and perform any key-based crypto operations, it will throw:

java.lang.IllegalArgumentException: Crypto-based authentication is not supported for Class 2 (Weak) biometrics.

For crypto-based authentication, the only allowed authenticators are BIOMETRIC_STRONG or DEVICE_CREDENTIAL.

Refer table here: https://source.android.com/docs/security/features/biometric

Wieren answered 20/1, 2023 at 11:18 Comment(0)
