I am building an android app where I need to authenticate the user via an username and password (on the backed) using the Fingerprint api.

Here's my understanding what I need to do in the simplest terms.

1. On login after the user has entered a username and password and successfully authenticated with the backend, I generate and store a particular keystore with those credentials to the androidkeystore.

2. On next login, if the user successfully authenticates via a fingerprint, retrieve the credentials (username and password) from the android keystore and authenticate the user on the backend with those credentials.

I have followed: http://www.techotopia.com/index.php/An_Android_Fingerprint_Authentication_Tutorial

This gives a good example of how to use the fingerprint API to authenticate the user with the device. But how do I get the credentials back, so that I can authenticate the user with the backend?

Are there any steps, suggestions, or detailed examples for what I want to do?

Thanks.

In your proposed solution the backend still receives a username+password every time the user logs in. This means your app has to store the user's username and password. It may be prudent to avoid that. For example, if the password is later changed, your app won't be able to log in. Also, unless you take special care, the username and password may get backed up and/or extracted over USB Debugging using adb backup.

An alternative solution is for the client to generate an Android Keystore key pair which requires user authentication (fingerprint auth) for every use of the private key. The backend then offers an operation for enrolling a public key for authenticating as the user's account. The enrollment operation takes a public key, username and password. If the username+password verify, the public key is enrolled for the account. The login operation is then expanded to support authenticating the client by having the client sign, using the corresponding private key, a challenge/nonce generated by the backend. If the signature verifies, the backend assumes that this is still the same client that enrolled the public key originally using the username + password.