Retrieving a user's credentials (username & password) via an Android keystore with fingerprint

I am building an Android app where I need to authenticate the user via a username and password (on the backend) using the Fingerprint API.

Here's my understanding of what I need to do in the simplest terms.

  1. On login, after the user has entered a username and password and successfully authenticated with the backend, I generate and store a particular keystore with those credentials in the Android keystore.

  2. On the next login, if the user successfully authenticates via a fingerprint, retrieve the credentials (username and password) from the Android keystore and authenticate the user on the backend with those credentials.

I have followed: http://www.techotopia.com/index.php/An_Android_Fingerprint_Authentication_Tutorial

This gives a good example of how to use the fingerprint API to authenticate the user with the device. But how do I get the credentials back, so that I can authenticate the user with the backend?

Are there any steps, suggestions, or detailed examples for what I want to do?

Thanks.

FlashAsh80 asked Jul 11 '16 16:07

1 Answer

In your proposed solution the backend still receives a username+password every time the user logs in. This means your app has to store the user's username and password. It may be prudent to avoid that. For example, if the password is later changed, your app won't be able to log in. Also, unless you take special care, the username and password may get backed up and/or extracted over USB Debugging using adb backup.

An alternative solution is for the client to generate an Android Keystore key pair which requires user authentication (fingerprint auth) for every use of the private key. The backend then offers an operation for enrolling a public key for authenticating as the user's account. The enrollment operation takes a public key, username and password. If the username+password verify, the public key is enrolled for the account. The login operation is then expanded to support authenticating the client by having the client sign, using the corresponding private key, a challenge/nonce generated by the backend. If the signature verifies, the backend assumes that this is still the same client that enrolled the public key originally using the username + password.

Alex Klyubin answered Dec 21 '22 20:12
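The client side of the enrollment and challenge-signing flow described in this answer, written out as an added example (not code from the question, the answer, or the linked tutorial). It assumes a backend that exposes an "enroll public key" call taking the base64 SubjectPublicKeyInfo and a login call that returns a nonce as raw bytes; the key alias and method names are made up for the example.

```java
import android.hardware.fingerprint.FingerprintManager;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.util.Base64;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;

public class KeystoreChallengeAuth {
    private static final String ALIAS = "backend-login-key"; // assumed alias, not from the page

    // Step 1 (run once, right after a successful username+password login): create an EC
    // key pair whose private key is only usable after a fingerprint is presented.
    // Returns the DER-encoded public key (base64) to hand to the backend's enroll call.
    public static String generateEnrollmentKey() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        kpg.initialize(new KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_SIGN)
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setUserAuthenticationRequired(true) // each signature needs a fresh fingerprint
                .build());
        byte[] spki = kpg.generateKeyPair().getPublic().getEncoded(); // X.509 SubjectPublicKeyInfo
        return Base64.encodeToString(spki, Base64.NO_WRAP);
    }

    // Step 2 (next login): wrap a Signature initialised with the keystore private key in a
    // CryptoObject and pass it to FingerprintManager.authenticate(); the fingerprint prompt
    // unlocks the key for exactly this one signing operation. No password is stored on device.
    public static FingerprintManager.CryptoObject prepareSigner() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        PrivateKey key = (PrivateKey) ks.getKey(ALIAS, null);
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initSign(key);
        return new FingerprintManager.CryptoObject(sig);
    }

    // Step 3, called from AuthenticationCallback.onAuthenticationSucceeded(): sign the
    // backend-issued nonce and return the base64 signature. The backend verifies it with
    // the public key enrolled in step 1; a stale or replayed nonce must be rejected there.
    public static String signChallenge(FingerprintManager.AuthenticationResult result,
                                       byte[] nonce) throws Exception {
        Signature sig = result.getCryptoObject().getSignature();
        sig.update(nonce);
        return Base64.encodeToString(sig.sign(), Base64.NO_WRAP);
    }
}
```

The backend should generate a fresh random nonce per login attempt and bind it to the session so a captured signature cannot be replayed, and a changed password on the server does not break this flow because the client never sends the password after enrollment.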