I have gone through the android finger print sample provided by Google.
https://github.com/googlesamples/android-FingerprintDialog
As I am new to security standards, I am unable to understand the following.
android.hardware.biometrics.BiometricPrompt.CryptoObject. A wrapper class for the cryptographic operations supported by BiometricPrompt. Currently the framework supports Signature , Cipher , Mac , IdentityCredential , and PresentationSession .
Biometric authentication is a security process that relies on the unique biological characteristics of individuals to verify they are who they say they are. Biometric authentication systems compare physical or behavioral traits to stored, confirmed, authentic data in a database.
The biometric authentication feature allows your mobile app (iOS, Android) users to log in to their device either using their Fingerprint or Face ID. This feature allows the end-users to quickly access their app using their fingerprint and it is considered as the most secure way of login.
Why we need to use Keystore, key, CryptoObject... etc? Simply It could be like, ask finger print manager to authenticate the user and it can simply return the status(success/failed)
You don't have to. You can make fingerprint authentication without a CryptoObject
, just pass a null
value. Then won't have to mess with keystore and other stuff.
The only use of a CryptoObject
in a Fingerprint Authentication context is to know if a new fingerprint was added since last time the user authenticated via fingerprint.
Do I need to generate new key every time on each authentication?
If a new fingerprint is added, you will have to prompt a password to verify the user's identity and then generate new keys (because they became invalid when the new fingerprint was added).
Again you won't have to mess with these if you pass a null
CryptoObject
Fingerprint authentication doesn't require a CryptoObject, in fact it's quite the opposite.
When you make cryptographic operations on Android, you can use one of these objects : Cipher, Signature, Mac (and others). One of these three can be used to build a CryptoObject.
When you generate keys for these objects, there is a method nammed setUserAuthenticationRequired(boolean)
which manages to get the keys valids only if the user has authenticated via fingerprint before.
Thus, in case of a client/server communication for instance, if the client can use the keys, it means he authenticated via fingerprint and his identity is known.
That said, you might want to check my library which makes the whole thing a lot easier :
https://github.com/OmarAflak/Fingerprint
Why we need to use Keystore, key, CryptoObject... etc? Simply It could >be like, ask finger print manager to authenticate the user and it can >simply return the status(success/failed)
I thought the same thing when I first read about fingerprint for android. Through my research, I think I can summarize the CryptoObject for you in plain english, which is what you are looking for because technical descriptions does not help with understanding concepts:
The CryptoObject is created by a key in your android keystore, which is inherently considered "secure"[1]. So passing in a CryptoObject to the fingerprint manager lets the manager have an anchor that confirms the the finger print auth results were not tampered with, which is theoretically possible [2].
Think of it this way, if you pass in null, the fingerprint manager blindly trusts the results from a finger print match result. if you pass in a crypto object, which is created by a key that only your application can access because of keystore, then the results coming back will probably have this cryptoObject which only your app can successfully identify. Here is another quote that makes more common sense.
"The CryptoObject makes the process more secure because if that object is not backed by the KeyStore, it’s always going to fail." [3]
The picture in [4] link also gives you an idea.
[1] https://developer.android.com/training/articles/keystore
[2] https://docs.microsoft.com/en-us/xamarin/android/platform/fingerprint-authentication/creating-a-cryptoobject
[3]https://medium.com/@manuelvicnt/android-fingerprint-authentication-f8c7c76c50f8
[4]https://infinum.co/the-capsized-eight/android-fingerprint-security
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With