Cordova fingerprint authentication on server

Question

I am trying to create a authentication mechanism in my (cordova) app for android that will allow my users to sign in using a password and username, or allow them to scan their finger in order to sign in.

How can one verify a fingerprint registered on a client, server side? is this even possible at all using Cordova ? I tried transmitting the result of a finger scan to my server: this looked like:

FingerprintAuth.isAvailable(function(result) {
  if (result.isAvailable) {
    if(result.hasEnrolledFingerprints){
      FingerprintAuth.show({
        clientId: client_id,
        clientSecret: client_secret
      }, function (result) {
        alert(JSON.stringify(result));

        $http.post('http://192.168.149.33:3000/authorize', result).then(
          function(response) {}
        );

        if (result.withFingerprint) {
          $scope.$parent.loggedIn = true;
          alert("Successfully authenticated using a fingerprint");
          $location.path( "/home" );
        } else if (result.withPassword) {
          alert("Authenticated with backup password");
        }
      }, function(error) {
        console.log(error); // "Fingerprint authentication not available"
      });
    } else {
      alert("Fingerprint auth available, but no fingerprint registered on the device");
    }
  }
}, function(message) {
  alert("Cannot detect fingerprint device : "+ message);
});

Server side i am receiving the following data (3 seperate scans):

{ withFingerprint: 't8haYq36fmBPUEPbVjiWOaBLjMPBeUNP/BTOkoVtZ2ZiX20eBVzZAs3dn6PW/R4E\n' }
{ withFingerprint: 'rA9H+MIoQR3au9pqgLAi/EOCRA9b0Wx1AvzC/taGIUc8cCeDfzfiDZkxNy5U4joB\n' }
{ withFingerprint: 'MMyJm46O8MTxsa9aofKUS9fZW3OZVG7ojD+XspO71LWVy4TZh2FtvPtfjJFnj7Sy\n' }

The patterns seems to vary every time, is there a way one can link the finger print to for example a pattern saved under a user on a database ?

Answer 1

Short answer

The strings returned by this API are not "fingerprint patterns". So you won't be able to authenticate the way you're thinking...

Long answer

Let's start by looking at the source code of the API it looks like you're using.

Looking at this file we see these methods:

public static void onAuthenticated(boolean withFingerprint) {
    JSONObject resultJson = new JSONObject();
    String errorMessage = "";
    boolean createdResultJson = false;
    try {

        if (withFingerprint) {
            // If the user has authenticated with fingerprint, verify that using cryptography and
            // then return the encrypted token
            byte[] encrypted = tryEncrypt();
            resultJson.put("withFingerprint", Base64.encodeToString(encrypted, 0 /* flags */));
        } else {
            // Authentication happened with backup password.
            resultJson.put("withPassword", true);

            // if failed to init cipher because of InvalidKeyException, create new key
            if (!initCipher()) {
                createKey();
            }
        }
        createdResultJson = true;

// ...

/**
 * Tries to encrypt some data with the generated key in {@link #createKey} which is
 * only works if the user has just authenticated via fingerprint.
 */
private static byte[] tryEncrypt() throws BadPaddingException, IllegalBlockSizeException {
    return mCipher.doFinal(mClientSecret.getBytes());
}

Look at what's being put to "withFingerprint". It's a Base64 encoding of the encrypted client secret. Technically, this is your authentication. You would use this token to authenticate requests and your server would decrypt and validate the client secret.

Summary

Fingerprinting adds a level of security, but it is not the only means of security. A relationship needs to be established with the device and server beforehand.

I found this diagram to be helpful in understanding the intent of android's fingerprint authentication (ref: http://android-developers.blogspot.com/2015/10/new-in-android-samples-authenticating.html)

Answer 2

You can't authenticate fingerprint on the server, fingerprints are stored or authenticated using Live Scan/Biometric template. Authentication is done by comparing the current scan template with previously stored templates

First of all you don't have access to these stored templates(Not provided by the OS providers/Phone Manufacturers) and If we assume that you have access to those templates, then an efficient algorithm (Image based /Pattern based ) is required to compare the current template with previously stored templates. You can't simply authenticate it by string comparison.