 

Why crypto object is needed for Android fingerprint authentication?


I have gone through the Android fingerprint sample provided by Google.

https://github.com/googlesamples/android-FingerprintDialog

As I am new to security standards, I am unable to understand the following.

  1. Why do we need to use Keystore, key, CryptoObject, etc.? It could simply be: ask the fingerprint manager to authenticate the user, and it returns the status (success/failed).
  2. Do I need to generate a new key every time, on each authentication?
Ponsuyambu asked Sep 13 '16 12:09



2 Answers

> Why we need to use Keystore, key, CryptoObject... etc? Simply it could be like, ask fingerprint manager to authenticate the user and it can simply return the status (success/failed)

You don't have to. You can do fingerprint authentication without a CryptoObject; just pass a null value. Then you won't have to mess with the keystore and other stuff.

The only use of a CryptoObject in a Fingerprint Authentication context is to know if a new fingerprint was added since last time the user authenticated via fingerprint.

> Do I need to generate new key every time on each authentication?

If a new fingerprint is added, you will have to prompt a password to verify the user's identity and then generate new keys (because they became invalid when the new fingerprint was added).

Again, you won't have to mess with these if you pass a null CryptoObject.

A matter of point of view

Fingerprint authentication doesn't require a CryptoObject; in fact it's quite the opposite.

When you perform cryptographic operations on Android, you can use one of these objects: Cipher, Signature, Mac (and others). One of these three can be used to build a CryptoObject.

When you generate keys for these objects, there is a method named setUserAuthenticationRequired(boolean) which makes the keys valid only if the user has authenticated via fingerprint before.

Thus, in case of a client/server communication for instance, if the client can use the keys, it means he authenticated via fingerprint and his identity is known.

That said, you might want to check my library, which makes the whole thing a lot easier:

https://github.com/OmarAflak/Fingerprint

Omar Aflak answered Oct 05 '22 13:10


> Why we need to use Keystore, key, CryptoObject... etc? Simply it could be like, ask fingerprint manager to authenticate the user and it can simply return the status (success/failed)

I thought the same thing when I first read about fingerprint for Android. Through my research, I think I can summarize the CryptoObject for you in plain English, which is what you are looking for because technical descriptions do not help with understanding concepts:

The CryptoObject is created by a key in your Android keystore, which is inherently considered "secure" [1]. So passing in a CryptoObject to the fingerprint manager lets the manager have an anchor that confirms the fingerprint auth results were not tampered with, which is theoretically possible [2].

Think of it this way: if you pass in null, the fingerprint manager blindly trusts the results from a fingerprint match result. If you pass in a crypto object, which is created by a key that only your application can access because of the keystore, then the results coming back will probably have this CryptoObject, which only your app can successfully identify. Here is another quote that makes more common sense.

"The CryptoObject makes the process more secure because if that object is not backed by the KeyStore, it’s always going to fail." [3]

The picture in link [4] also gives you an idea.

[1] https://developer.android.com/training/articles/keystore

[2] https://docs.microsoft.com/en-us/xamarin/android/platform/fingerprint-authentication/creating-a-cryptoobject

[3] https://medium.com/@manuelvicnt/android-fingerprint-authentication-f8c7c76c50f8

[4] https://infinum.co/the-capsized-eight/android-fingerprint-security

Bqin1 answered Oct 05 '22 13:10
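
The flow both answers describe, as an added example that is not part of either answer or of Google's sample: a keystore key created once with setUserAuthenticationRequired(true), reused on every authentication, and regenerated only when the keystore reports it as permanently invalidated. The class name `FingerprintGate`, the alias `example_fp_key` and the AES/CBC choice are assumptions made for illustration.

```java
import android.hardware.fingerprint.FingerprintManager;
import android.os.CancellationSignal;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

// Added example; FingerprintGate and KEY_ALIAS are hypothetical names.
public final class FingerprintGate {
    private static final String KEY_ALIAS = "example_fp_key";

    // Run once, and again only after prepare() reports the key as invalidated.
    static void createKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
                .setUserAuthenticationRequired(true) // each use needs a fingerprint match
                .build());
        kg.generateKey();
    }

    // Returns null if the key is missing or permanently invalidated (e.g. new fingerprint enrolled).
    static FingerprintManager.CryptoObject prepare() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        SecretKey key = (SecretKey) ks.getKey(KEY_ALIAS, null);
        if (key == null) return null;
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7Padding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, key);
        } catch (KeyPermanentlyInvalidatedException e) {
            return null; // caller: verify password, then createKey()
        }
        return new FingerprintManager.CryptoObject(cipher);
    }

    static void authenticate(FingerprintManager fm, FingerprintManager.CryptoObject co,
                             FingerprintManager.AuthenticationCallback cb) {
        // In cb.onAuthenticationSucceeded(result), result.getCryptoObject().getCipher()
        // .doFinal(...) succeeds only because the keystore saw the match for this operation.
        fm.authenticate(co, new CancellationSignal(), 0, cb, null);
    }
}
```

Calling `authenticate` with a null CryptoObject still invokes the callback, but nothing cryptographic then depends on the match; the app only receives a success or failure signal.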