KeyGeneration using AndroidX.Biometric fails if only face as biometric is installed

About

Asked 9/5, 2020 at 14:23 Answered 29/11, 2020 at 12:58

Solved android android-keystore biometrics android-biometric-prompt keystore-access

we are currently trying to sign data with biometrics, which we use the androidx.biometric library for.

The Problem is, if no Fingerprint ist installed but a face registered we cannot generate any keys.

With Fingerprint only or with the combination of fingerprint and face everything works perfect.

With only the face registered we get the following exception during key generation:

Caused by: java.security.InvalidAlgorithmParameterException: java.lang.IllegalStateException: At least one biometric must be enrolled to create keys requiring user authentication for every use

Before we start the key generation we test the presence of biometric as following:

boolean isAvailable = biometricManager.canAuthenticate() == BiometricManager.BIOMETRIC_SUCCESS;

The Test-Device as a Samsung Galaxy S10 with Android 10.

Thank you for help and best regards

Succumb answered 9/5, 2020 at 14:23 Comment(7)

IIRC, the face recognition on the Galaxy S10 and some other devices is considered "weak" (as defined by the Android Compatibility Definition Document). So if you're trying to use BiometricPrompt with a CryptoObject on those devices, it will always fall back to using fingerprint instead, at least prior to Android R. If you don't have any fingerprints enrolled then there won't be anything to fall back to, and I guess that's why you're getting that error. Why canAuthenticate doesn't consider this when reporting its result I don't know. – Janettejaneva 12/5, 2020 at 13:31

The issue that is mentioned by @Janettejaneva can be found here: issuetracker.google.com/issues/147374428 – Cashmere 24/7, 2020 at 16:28

@Succumb did you manage to handle this issue? – Unshackle 3/8, 2020 at 14:38

Sadly no, we now to not offer face auth on the galaxy s10 – Succumb 23/9, 2020 at 6:25

I have an idea of a workaround. I haven't tested it yet, since I don't have a device with face recognition at hand. But I think it will work. The point is to try to generate a key using the CryptoObject and wrap the whole thing in try-catch. Use this in addition to the canAuthenticate method. If we get an exception, then we consider that isAvailable == false. – Sent 8/10, 2020 at 5:27

Sound like it might work, I have one available (Galaxy S10) and will try your workaround – Succumb 9/10, 2020 at 6:31

Any resolution for this issue? – Thrilling 29/10, 2020 at 19:14

Google has updated androidx biometric sdk. If you are going to use strong type authentication in your application.Authentication can be checked for the strong type. If your device is suitable for this, you can create a cryptoObject.

https://developer.android.com/jetpack/androidx/releases/biometric#1.1.0-alpha02

https://developer.android.com/reference/android/hardware/biometrics/BiometricManager#canAuthenticate(int)

val canAuthenticate = BiometricManager.from (context)
.canAuthenticate (BiometricManager.Authenticators.BIOMETRIC_STRONG)

After this check, you can proceed to key generation.

Inhumanity answered 29/11, 2020 at 12:58 Comment(1)

This returns true in my case but I still get the OP's crash when trying to initialize the KeyPairGenerator, on a Pixel 3 XL API 29 emulator. – Cankerous 29/9, 2022 at 11:14

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags