Android Fingerprint API - A crash-course in fingerprint authentication

Transcript

1. Android Fingerprint API A crash course in fingerprint authentication Marvin

   Ramin

2. What is the Fingerprint API?

3. None
4. None

5. Nougat 11,5 % Marshmallow 31,8 % Lollipop 30,1 % KitKat

   17,1 % Jelly Bean 8,1 % Data from July 6, 2017

6. Nougat 11,5 % Marshmallow 31,8 % Lollipop 30,1 % KitKat

   17,1 % Jelly Bean 8,1 % Data from July 6, 2017 43%!
7. None

8. Nougat 11,5 % Marshmallow 31,8 % Lollipop 30,1 % KitKat

   17,1 % Jelly Bean 8,1 % Data from July 6, 2017 <43%
9. None

10. Nougat 11,5 % Marshmallow 31,8 % Lollipop 30,1 % KitKat

    17,1 % Jelly Bean 8,1 % Data from July 6, 2017 <<43%

11. “Why should we use Fingerprint authentication?”

12. None

13. Passwords Entering a password with a tiny keyboard Forgot password

    Your users just want to authenticate themselves

14. “Does my app qualify?”

15. Does your app use a… PIN? Password? Codeword? Secret handshake?

16. Requirements Android Marshmallow or above (targetSdk 23+) USE_FINGERPRINT permission in

    AndroidManifest.xml Fingerprint reader Fingerprint unlock setup Device specifies FEATURE_FINGERPRINT

17. Things the Fingerprint API can’t do Give you an image

    of the fingerprint Run in the background (*) (tell you which finger was detected)

18. Fingerprint API classes FingerprintManager CancellationSignal AuthenticationCallback

19. FingerprintManager

20. FingerprintManagerCompat Does nothing below API 23 
 return FingerprintManagerCompat.from(context) 


    Only works correctly on devices with FEATURE_FINGERPRINT

21. FingerprintManagerCompat #authenticate #isHardwareDetected #hasEnrolledFingerprints

22. #authenticate(…) CryptoObject CancellationSignal flags AuthenticationCallback Handler CryptoObject CancellationSignal flags AuthenticationCallback

    Handler

23. CancellationSignal #cancel

24. AuthenticationCallback #onAuthentication… Help Failed Error Succeeded

25. #onAuthenticationHelp Recoverable Error e.g. “Finger moved too fast”/“Sensor dirty” Error

    ID & helpful error message provided

26. #onAuthenticationFailed Fingerprint was detected Fingerprint is NOT authorized

27. #onAuthenticationError Unrecoverable Error Fingerprint operation will be cancelled Too many

    unsuccessful tries Fingerprint sensor “locked down” Operation cancelled

28. #onAuthenticationSucceeded

29. A short detour into the land of UI

30. Use this icon in your UI

31. UX Let the user choose to use Fingerprint Provide a

    fallback Show the correct success and error states Show the help messages
32. None
33. None
34. None

35. Storing sensitive information Doing crypto with fingerprints

36. CryptoObject Wraps Java crypto classes Backed by Android KeyStore Keys

    can be restricted to biometric authentication setUserAuthenticationRequired

37. #authenticate(…) CryptoObject CancellationSignal flags AuthenticationCallback Handler

38. Access to CryptoObject #onAuthenticationSuccess

39. CryptoObject Signature MAC Cipher

40. CryptoObject crash-course Create Cipher Create Key cipher.init(Cipher.ENCRYPT_MODE, key) return CryptoObject(cipher)

41. CryptoObject crash-course Call FingerprintManager#authenticate(…) with CryptoObject #onAuthenticationSuccess val cipher: Cipher

    = authenticationResult.cryptoObject.cipher val encrypted: ByteArray = cipher.doFinal("1234".toByteArray())

42. Key generation and invalidation val builder = KeyGenParameterSpec.Builder(KEY_NAME, PURPOSE) .setKeySize(...)

    .setBlockModes(...) .setEncryptionPaddings(...) .setUserAuthenticationRequired(true) .setUserAuthenticationValidWhileOnBody(false) .setUserAuthenticationValidityDurationSeconds(60) .setInvalidatedByBiometricEnrollment(true) Changing the lockscreen can invalidate all fingerprint backed keys! CryptoObject will throw KeyPermanentlyInvalidatedException

43. O! New stuff FingerprintGestureController AccessibilityService Detect Gestures on the Fingerprint

    sensor Scrolling Custom Actions

44. Security Considerations It’s a fingerprint - not necessarily your user

    Passwords might be stronger Fingerprints can’t change But fingerprint sensors are convenient…

45. Samples developer.android.com Material.io: Patterns - Fingerprint GitHub: Google Fingerprint Dialog

    Sample GitHub: mattprecious/swirl GitHub: RxFingerprint GitHub: square/whorlwind

46. Thank you! github.com/Mauin twitter.com/@Mauin