Jonathan Jonathan - 1 month ago 12
Android Question

Limit Android to use one single fingerprint for authentication

I'm implementing fingerprint authentication in an existing Android application making use of FingerprintManagerCompat. I used a tutorial as guidance that can be found here.


(android.support.v4.content.ContextCompat)


As FingerprintManagerCompat makes use of saved fingerprints on the mobile device, any fingerprint on the device can be used to login to the application.

Is it possible to see which one of the fingerprints on the device were used to unlock and if so is there a method to get all saved fingerprints that are available on the device?

I looked around for information on if this is possible and I cant seem to find anything. I have found that Samsung Pass SDK does have functionality to see what fingerprint is used but the product owner does not want the me to use Samsung's Pass SDK as his penetration testing team found that it is not very secure.

Answer

Is there a method to get all saved fingerprints that are available on the device?

No.

Is it possible to see which one of the fingerprints on the device were used to unlock

No.
However, there are some limitations to which fingerprints can be used to authenticate within your app. The result of a fingerprint authentication is that you make a cryptographic key available to perform some cryptographic operation (e.g. creating a digital signature). So when you add a user in your app you'd typically create a cryptographic key that you associate with that user.
Then later on when the user wants to perform some action that requires him/her to be authenticated, you do the fingerprint authentication, which gives you access to the key, which use can use to do whatever it is that you need to do to verify that the user should be allowed to perform the action.

What happens when a new fingerprint is enrolled is that any existing cryptographic keys that require fingerprint authentication will be permanently invalidated.
That leaves us with the scenario where there are multiple enrolled fingerprint before the user is added in your app. I'm not aware of any way to do anything about this with the current APIs. So the best you can do might be to add some step in your fingerprint-enabling UI flow where the user is aked to verify that only they have enrolled a fingerprint on the device (e.g. by checking a checkbox or clicking a button).

Comments