
Android Fingerprint API - A crash-course in fingerprint authentication

Mauin
July 26, 2017


This talk covers the basics of the Android Fingerprint API and how to use it to authenticate your users in a secure manner. Learn how to build an authentication flow with the fingerprint API, how to build the UI, and why you should consider using the fingerprint API in the first place.
This talk also covers how to encrypt and decrypt secrets using the user's fingerprint to keep their data safe and secure.


Transcript

  1. Android Fingerprint API: A crash course in fingerprint authentication. Marvin Ramin
  2. What is the Fingerprint API?

  3. (image-only slide)
  4. (image-only slide)
  5. Android version distribution: Nougat 11.5%, Marshmallow 31.8%, Lollipop 30.1%, KitKat 17.1%, Jelly Bean 8.1% (data from July 6, 2017)
  6. Same data: Marshmallow + Nougat = 43%! (the share of devices that can run the Fingerprint API at all)
  7. (image-only slide)
  8. Same data: <43% (fewer once you also require a fingerprint reader, see the requirements on slide 16)
  9. (image-only slide)
  10. Same data: <<43% (fewer still once you require that the user has actually enrolled a fingerprint)
  11. “Why should we use Fingerprint authentication?”

  12. (image-only slide)
  13. Passwords: entering a password with a tiny keyboard; forgot password. Your users just want to authenticate themselves.
  14. “Does my app qualify?”

  15. Does your app use a… PIN? Password? Codeword? Secret handshake?

  16. Requirements: Android 6.0 Marshmallow or above (API 23+; the FingerprintManager classes exist only from API 23, so compile against SDK 23 or higher); USE_FINGERPRINT permission in AndroidManifest.xml; a fingerprint reader (the device declares FEATURE_FINGERPRINT); fingerprint unlock set up by the user
  17. Things the Fingerprint API can’t do: give you an image of the fingerprint; run in the background (*); tell you which finger was detected
  18. Fingerprint API classes FingerprintManager CancellationSignal AuthenticationCallback

  19. FingerprintManager

  20. FingerprintManagerCompat: does nothing below API 23 (isHardwareDetected and hasEnrolledFingerprints return false, authenticate is a no-op)
        return FingerprintManagerCompat.from(context)
      Only works correctly on devices that declare FEATURE_FINGERPRINT
  21. FingerprintManagerCompat #authenticate #isHardwareDetected #hasEnrolledFingerprints

  22. #authenticate(…) parameters: CryptoObject, CancellationSignal, flags, AuthenticationCallback, Handler
  23. CancellationSignal #cancel

  24. AuthenticationCallback: #onAuthenticationHelp, #onAuthenticationFailed, #onAuthenticationError, #onAuthenticationSucceeded

  25. #onAuthenticationHelp: recoverable error, e.g. “Finger moved too fast” / “Sensor dirty”; an error ID and a helpful error message are provided
  26. #onAuthenticationFailed Fingerprint was detected Fingerprint is NOT authorized

  27. #onAuthenticationError: unrecoverable error; the fingerprint operation will be cancelled. Causes: too many unsuccessful tries (fingerprint sensor “locked down”), operation cancelled
  28. #onAuthenticationSucceeded

  29. A short detour into the land of UI

  30. Use this icon in your UI

  31. UX: let the user choose to use fingerprint; provide a fallback; show the correct success and error states; show the help messages
  32. (image-only slide)
  33. (image-only slide)
  34. (image-only slide)
  35. Storing sensitive information Doing crypto with fingerprints

  36. CryptoObject: wraps Java crypto classes, backed by the Android KeyStore; keys can be restricted to biometric authentication with setUserAuthenticationRequired
  37. #authenticate(…) CryptoObject CancellationSignal flags AuthenticationCallback Handler

  38. Access to the CryptoObject: in #onAuthenticationSucceeded (the KeyStore only authorizes the wrapped crypto operation after a successful fingerprint)

  39. CryptoObject can wrap a Signature, a Mac or a Cipher

  40. CryptoObject crash-course:
        Create key (in the Android KeyStore)
        Create cipher
        cipher.init(Cipher.ENCRYPT_MODE, key)
        return CryptoObject(cipher)
  41. CryptoObject crash-course: call FingerprintManager#authenticate(…) with the CryptoObject; then in #onAuthenticationSucceeded:
        val cipher: Cipher = authenticationResult.cryptoObject.cipher
        val encrypted: ByteArray = cipher.doFinal("1234".toByteArray())
  42. Key generation and invalidation:
        val builder = KeyGenParameterSpec.Builder(KEY_NAME, PURPOSE)
            .setKeySize(...)
            .setBlockModes(...)
            .setEncryptionPaddings(...)
            .setUserAuthenticationRequired(true)
            .setUserAuthenticationValidWhileOnBody(false)       // API 24+
            .setUserAuthenticationValidityDurationSeconds(60)   // see note
            .setInvalidatedByBiometricEnrollment(true)          // API 24+
      Note on the validity duration: the default (-1) means every single operation needs its own fingerprint through a CryptoObject; a positive value instead unlocks the key for that many seconds after a lockscreen unlock, so only set it if that is the behaviour you want.
      Removing or resetting the lockscreen, or (with setInvalidatedByBiometricEnrollment) enrolling a new fingerprint, permanently invalidates fingerprint-backed keys: the next cipher.init(...) with that key throws KeyPermanentlyInvalidatedException, so catch it, delete the key and re-enrol the secret with a fresh one.
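One way to wire slides 18-28 (the authentication flow and its callbacks) and slides 35-42 (CryptoObject-backed encryption and key invalidation) together, as an added example that is not from the deck or from any of the linked projects. It uses the support-library FingerprintManagerCompat the deck discusses; the key alias, the transformation, the Listener interface and the seal() helper are my own assumptions, and the class has to run inside an Android app on an API 23+ device with an enrolled fingerprint.

```kotlin
// Added example, not the deck's code: fingerprint-gated AES encryption with
// FingerprintManagerCompat + CryptoObject. KEY_NAME/TRANSFORMATION are assumed values.
import android.content.Context
import android.os.Build
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import android.support.v4.hardware.fingerprint.FingerprintManagerCompat
import android.support.v4.os.CancellationSignal
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.IvParameterSpec

private const val KEY_NAME = "fingerprint_demo_key"        // assumed alias
private const val KEYSTORE = "AndroidKeyStore"
private const val TRANSFORMATION = "AES/CBC/PKCS7Padding"  // must match the key's modes/paddings

class FingerprintCrypto(context: Context) {
    private val fingerprint = FingerprintManagerCompat.from(context)

    /** Precondition check from slide 21: sensor present and at least one finger enrolled. */
    fun canAuthenticate(): Boolean =
        fingerprint.isHardwareDetected && fingerprint.hasEnrolledFingerprints()

    /** Returns the existing AES key or generates one the KeyStore only releases after a fingerprint. */
    private fun secretKey(): SecretKey {
        val ks = KeyStore.getInstance(KEYSTORE).apply { load(null) }
        (ks.getKey(KEY_NAME, null) as? SecretKey)?.let { return it }
        val spec = KeyGenParameterSpec.Builder(
                KEY_NAME, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
            .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
            .setUserAuthenticationRequired(true)   // default validity -1: every use needs a fingerprint
            .apply {
                if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.N) {
                    setInvalidatedByBiometricEnrollment(true)  // a newly enrolled finger kills the key
                }
            }
            .build()
        return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE)
            .apply { init(spec) }.generateKey()
    }

    /**
     * Prepares the Cipher that goes into the CryptoObject. Returns null when the key was
     * permanently invalidated (lockscreen removed / new fingerprint enrolled): the old
     * ciphertext is then unrecoverable, so the key is deleted and the caller must re-enrol.
     */
    fun prepareCipher(mode: Int, iv: ByteArray? = null): Cipher? {
        val cipher = Cipher.getInstance(TRANSFORMATION)
        return try {
            if (mode == Cipher.DECRYPT_MODE) {
                cipher.init(mode, secretKey(), IvParameterSpec(requireNotNull(iv)))
            } else {
                cipher.init(mode, secretKey())
            }
            cipher
        } catch (e: KeyPermanentlyInvalidatedException) {
            KeyStore.getInstance(KEYSTORE).apply { load(null) }.deleteEntry(KEY_NAME)
            null
        }
    }

    /**
     * Runs the fingerprint prompt. The Cipher inside the CryptoObject is only authorized
     * by the KeyStore inside onAuthenticationSucceeded; call doFinal there, not before.
     */
    fun authenticate(cipher: Cipher, cancel: CancellationSignal, listener: Listener) {
        fingerprint.authenticate(
            FingerprintManagerCompat.CryptoObject(cipher), 0 /* flags */, cancel,
            object : FingerprintManagerCompat.AuthenticationCallback() {
                override fun onAuthenticationHelp(helpMsgId: Int, helpString: CharSequence?) =
                    listener.onHelp(helpString.toString())         // recoverable: sensor stays active
                override fun onAuthenticationFailed() =
                    listener.onHelp("Fingerprint not recognized")  // finger seen but not enrolled
                override fun onAuthenticationError(errMsgId: Int, errString: CharSequence?) =
                    listener.onError(errString.toString())         // lockout/cancel: prompt is over
                override fun onAuthenticationSucceeded(result: FingerprintManagerCompat.AuthenticationResult) =
                    listener.onAuthenticated(result.cryptoObject.cipher)
            },
            null /* Handler: deliver callbacks on the main thread */)
    }

    /** Call from onAuthenticated: returns (iv, ciphertext); persist both, the IV is needed to decrypt. */
    fun seal(authenticatedCipher: Cipher, secret: ByteArray): Pair<ByteArray, ByteArray> =
        authenticatedCipher.iv to authenticatedCipher.doFinal(secret)

    interface Listener {
        fun onHelp(message: String)
        fun onError(message: String)
        fun onAuthenticated(cipher: Cipher)
    }
}
```

Typical use: check canAuthenticate() (otherwise fall back to the PIN/password path from slide 31), call prepareCipher(Cipher.ENCRYPT_MODE) and treat a null result as "key invalidated, re-enrol", then pass the cipher to authenticate() with a CancellationSignal you cancel from the dialog's dismiss handler; in onAuthenticated, seal() the secret and store the IV next to the ciphertext so a later prepareCipher(Cipher.DECRYPT_MODE, iv) round trip can recover it.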
  43. O! New stuff: FingerprintGestureController (via an AccessibilityService) detects gestures on the fingerprint sensor: scrolling, custom actions
  44. Security considerations: it’s a fingerprint, not necessarily your user. Passwords might be stronger. Fingerprints can’t change. But fingerprint sensors are convenient… One practical caveat: a bare #onAuthenticationSucceeded without a CryptoObject is only a callback, which can be invoked or hooked on a rooted device, so gate secrets behind a KeyStore key that requires user authentication rather than behind a boolean.
  45. Samples: developer.android.com; Material.io: Patterns - Fingerprint; GitHub: Google Fingerprint Dialog Sample; GitHub: mattprecious/swirl; GitHub: RxFingerprint; GitHub: square/whorlwind
  46. Thank you! github.com/Mauin twitter.com/@Mauin