
Android - Is biometric information tied to a specific user on a device, or the device in general?

I want to enable a user to log in to my app using their biometric information. However, I'm aware that there is multi-user functionality for Android devices, where you can register multiple users on a single device.

I don't want a different user on the same device to be able to log in to my app just because they have a fingerprint registered on the device. So my question is: is a fingerprint (or any biometric info) associated with the device in general and it doesn't matter which user is currently active OR is the biometric information associated with a specific user on the device?

I have checked the documentation, but I can't find anything that is clear on this point.

Chris Davis asked Jan 28 '26 07:01


1 Answer

Biometric information is tied to the current user and so will not be recognized on another user session. You can test this on an emulator.

With the Biometric API, you will encrypt a token or credentials using a cipher and a secret key, persist the encrypted data to the shared preferences in private mode, and then be able to decrypt this data by checking the biometric information of the current user.

And because apps on a multi-user device don't share the same shared prefs, each user will have access to their own token/credentials and will be able to log in to their own account but not the account of another user.

Mathieu Chabas answered Jan 30 '26 01:01