Android Key Store API 23, use setUserAuthenticationRequired without Fingerprint Scanner
I've tried to generate a key pair using the Google sample (BasicAndroidKeyStore). The only modification I made is setting the setUserAuthenticationRequired(true) in the KeyGenParameterSpec.Builder.

I assume it would work fine on a device with the embedded Fingerprint scanner, but running it on OnePlus One (working under Android 6.0), I get the following exception:

At least one fingerprint must be enrolled to create keys requiring user authentication for every use

The phone does have the lock screen set to use a pattern, but apparently it requires a fingerprint for the authentication. Any idea how to use the API 23 keystore without having an actual fingerprint reader?

Twit answered 3/3, 2017 at 15:14 Comment(0)

On modern Android devices, the fingerprint scanner is directly linked with the hardware security module.

As a result, there is now a meaningful way to provide isolated encryption that's protected - even on a rooted phone.

Check out these guidelines:

https://developer.android.com/training/articles/keystore#HardwareSecurityModule

An attacker would have to trick a user into swiping their fingerprint in order to unlock stuff... and that's only one decryption or signature per swipe.

This is "pretty good" security, but because of the API limitations and restrictions (notably the lack of ECDH!), most apps that claim to use Android's keychain system don't use the StrongBox. Even those that do won't warn the user when it's not available.

As a result, a jailbreak or zero day can compromise most app keys.

Please consider detecting enrollment, and warning your user that their data is more vulnerable on a device that does not have an enrolled hardware biometry device.

Bronder answered 23/10, 2018 at 17:3 Comment(0)

I have also faced the same issue with Moto devices. For now I have done this code, to check before using fingerprint authentication.

import android.hardware.fingerprint.FingerprintManager;

// API 23+. mFingerprintManager is obtained from
// getSystemService(Context.FINGERPRINT_SERVICE) and is null on devices without a reader.
private FingerprintManager mFingerprintManager;

// True only if a reader exists and at least one fingerprint is enrolled,
// which is what a key created with setUserAuthenticationRequired(true) needs.
public boolean isFingerprintAuthAvailable() {
    return mFingerprintManager != null
            && mFingerprintManager.isHardwareDetected()
            && mFingerprintManager.hasEnrolledFingerprints();
}

For more, check the sample from which I implemented this. Hope it will help you...

Salomo answered 3/3, 2017 at 15:22 Comment(3)
Is there any way to enforce some other type of authentication, like pattern or password, using the new API? It was possible using the deprecated API. - Twit
Correct me if I'm wrong, but the sample you've linked doesn't handle the key generation if the API is lower than 23. - Twit
No. It totally depends upon the developer. You can put 2-3 checks and then redirect the user to add a fingerprint if not. - Salomo
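The helper below is an added example, not code from the question's sample (BasicAndroidKeyStore) or from either answer. It ties the two answers together: it performs the enrollment check from Salomo's answer plus a secure-lock-screen check, generates an authentication-bound EC signing key, asks for StrongBox with a fallback to the TEE-backed keystore, and reports whether the key is hardware-backed so the app can warn the user as Bronder's answer recommends. It also shows the documented way around the exception in the question: with setUserAuthenticationRequired(true) alone the key needs a fresh authentication for every use, which Android 6.0 only supports via fingerprint; adding setUserAuthenticationValidityDurationSeconds with a positive value instead binds the key to the lock-screen credential (PIN, pattern or password) for that window, so no fingerprint reader is needed. The class name, method names and alias are assumptions; the code targets API 23 and the FingerprintManager calls need the USE_FINGERPRINT permission.

```java
import android.app.KeyguardManager;
import android.content.Context;
import android.hardware.fingerprint.FingerprintManager;
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import android.security.keystore.StrongBoxUnavailableException;
import android.util.Log;

import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.spec.ECGenParameterSpec;

/** Hypothetical helper class (name is an assumption, not from the question's sample). */
public final class AuthBoundKeys {
    private static final String TAG = "AuthBoundKeys";
    private static final String ANDROID_KEYSTORE = "AndroidKeyStore";

    private AuthBoundKeys() {}

    /** True if a fingerprint reader exists AND at least one fingerprint is enrolled. */
    public static boolean isFingerprintEnrolled(Context ctx) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.M) return false;
        FingerprintManager fm =
                (FingerprintManager) ctx.getSystemService(Context.FINGERPRINT_SERVICE);
        return fm != null && fm.isHardwareDetected() && fm.hasEnrolledFingerprints();
    }

    /** True if the lock screen is protected by a PIN, pattern or password (API 23+). */
    public static boolean isDeviceSecure(Context ctx) {
        KeyguardManager km = (KeyguardManager) ctx.getSystemService(Context.KEYGUARD_SERVICE);
        return km != null && km.isDeviceSecure();
    }

    /**
     * Generates an EC P-256 signing key that requires user authentication.
     *
     * perUse == true : every signature needs a fresh fingerprint. On Android 6.0 with no
     *                  enrolled fingerprint key generation throws IllegalStateException
     *                  ("At least one fingerprint must be enrolled ..."), so we check first.
     * perUse == false: the key is usable for validitySeconds after the user unlocked the
     *                  device with the lock-screen credential; no fingerprint reader needed.
     */
    public static KeyPair generateAuthBoundKey(Context ctx, String alias,
                                               boolean perUse, int validitySeconds)
            throws Exception {
        if (!isDeviceSecure(ctx)) {
            throw new IllegalStateException("A secure lock screen must be set first");
        }
        if (perUse && !isFingerprintEnrolled(ctx)) {
            throw new IllegalStateException("Per-use authentication needs an enrolled fingerprint");
        }
        KeyGenParameterSpec.Builder b = new KeyGenParameterSpec.Builder(
                alias, KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
                .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setUserAuthenticationRequired(true);
        if (!perUse) {
            // Credential-bound: authorization lasts validitySeconds after a device unlock.
            b.setUserAuthenticationValidityDurationSeconds(validitySeconds);
        }
        // Prefer StrongBox (API 28+); fall back to the TEE-backed keystore if it is absent.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            try {
                b.setIsStrongBoxBacked(true);
                return generate(b.build());
            } catch (StrongBoxUnavailableException e) {
                Log.w(TAG, "StrongBox not available, falling back to TEE keystore");
                b.setIsStrongBoxBacked(false);
            }
        }
        return generate(b.build());
    }

    private static KeyPair generate(KeyGenParameterSpec spec) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, ANDROID_KEYSTORE);
        kpg.initialize(spec);
        return kpg.generateKeyPair();
    }

    /** Reports whether the private key lives in secure hardware (TEE or StrongBox). */
    public static boolean isHardwareBacked(String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(ANDROID_KEYSTORE);
        ks.load(null);
        PrivateKey pk = (PrivateKey) ks.getKey(alias, null);
        KeyFactory kf = KeyFactory.getInstance(pk.getAlgorithm(), ANDROID_KEYSTORE);
        KeyInfo info = kf.getKeySpec(pk, KeyInfo.class);
        return info.isInsideSecureHardware();   // deprecated in API 31 in favor of getSecurityLevel()
    }
}
```

For the credential-bound variant (perUse == false), the user must have unlocked the device within validitySeconds before Signature.initSign is called; otherwise the keystore throws UserNotAuthenticatedException, and the app can prompt with the intent from KeyguardManager.createConfirmDeviceCredentialIntent and retry. If isHardwareBacked returns false the key is software-only, which is exactly the case Bronder's answer suggests warning the user about.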
