Android Fingerprint API
A crash course in fingerprint authentication
Marvin Ramin
What is the Fingerprint API?
Nougat: 11,5 %
Marshmallow: 31,8 %
Lollipop: 30,1 %
KitKat: 17,1 %
Jelly Bean: 8,1 %
Data from July 6, 2017
43%!
<43%
<<43%
“Why should we use Fingerprint authentication?”
Passwords
Entering a password with a tiny keyboard
Forgot password
Your users just want to authenticate themselves
“Does my app qualify?”
Does your app use a…
PIN?
Password?
Codeword?
Secret handshake?
Requirements
Android Marshmallow or above (targetSdk 23+)
USE_FINGERPRINT permission in AndroidManifest.xml
Fingerprint reader
Fingerprint unlock setup
Device specifies FEATURE_FINGERPRINT
Things the Fingerprint API can’t do
Give you an image of the fingerprint
Run in the background (*)
(tell you which finger was detected)
Fingerprint API classes
FingerprintManager
CancellationSignal
AuthenticationCallback
FingerprintManager
FingerprintManagerCompat
Does nothing below API 23
return FingerprintManagerCompat.from(context)
Only works correctly on devices with FEATURE_FINGERPRINT
AuthenticationCallback
#onAuthentication…
Help
Failed
Error
Succeeded
#onAuthenticationHelp
Recoverable Error
e.g. “Finger moved too fast”/“Sensor dirty”
Error ID & helpful error message provided
#onAuthenticationFailed
Fingerprint was detected
Fingerprint is NOT authorized
#onAuthenticationError
Unrecoverable Error
Fingerprint operation will be cancelled
Too many unsuccessful tries
Fingerprint sensor “locked down”
Operation cancelled
#onAuthenticationSucceeded
A short detour into the land of UI
Use this icon in your UI
UX
Let the user choose to use Fingerprint
Provide a fallback
Show the correct success and error states
Show the help messages
Storing sensitive information
Doing crypto with fingerprints
CryptoObject
Wraps Java crypto classes
Backed by Android KeyStore
Keys can be restricted to biometric authentication
setUserAuthenticationRequired
CryptoObject crash-course
Call FingerprintManager#authenticate(…) with CryptoObject
#onAuthenticationSucceeded
val cipher: Cipher = authenticationResult.cryptoObject.cipher
val encrypted: ByteArray = cipher.doFinal("1234".toByteArray())
Key generation and invalidation
val builder = KeyGenParameterSpec.Builder(KEY_NAME, PURPOSE)
    .setKeySize(...)
    .setBlockModes(...)
    .setEncryptionPaddings(...)
    .setUserAuthenticationRequired(true)
    .setUserAuthenticationValidWhileOnBody(false)
    .setUserAuthenticationValidityDurationSeconds(60)
    .setInvalidatedByBiometricEnrollment(true)
Changing the lock screen can invalidate all fingerprint-backed keys!
CryptoObject will throw KeyPermanentlyInvalidatedException
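The key generation, CryptoObject and invalidation points above, put together in Kotlin. This is an added example, not code from the talk. It assumes API 24+, the framework FingerprintManager, an already enrolled fingerprint, and a hypothetical key alias with AES/CBC/PKCS7 parameters standing in for the values the slide elides.

```kotlin
import android.hardware.fingerprint.FingerprintManager
import android.os.CancellationSignal
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

private const val KEY_NAME = "example_fingerprint_key" // hypothetical alias (assumption)
private const val STORE = "AndroidKeyStore"

// Generates an AES key that is usable only after a fingerprint match (API 24+).
fun createKey(): SecretKey {
    val purposes = KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    val spec = KeyGenParameterSpec.Builder(KEY_NAME, purposes)
        .setKeySize(256) // assumed parameters; the slide elides them
        .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
        .setUserAuthenticationRequired(true) // no validity duration: one auth per use
        .setInvalidatedByBiometricEnrollment(true)
        .build()
    val generator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, STORE)
    generator.init(spec)
    return generator.generateKey()
}

// Returns a Cipher to wrap in a CryptoObject, or null if the key was invalidated.
fun cipherOrNull(): Cipher? {
    val keyStore = KeyStore.getInstance(STORE).apply { load(null) }
    val key = keyStore.getKey(KEY_NAME, null) as? SecretKey ?: createKey()
    val cipher = Cipher.getInstance("AES/CBC/PKCS7Padding")
    return try {
        cipher.init(Cipher.ENCRYPT_MODE, key) // store cipher.iv with the ciphertext
        cipher
    } catch (e: KeyPermanentlyInvalidatedException) {
        keyStore.deleteEntry(KEY_NAME) // data under the old key is gone by design
        null
    }
}

// Returns false when the caller must fall back to password/PIN and re-enrol.
fun startAuth(fm: FingerprintManager, cancel: CancellationSignal,
              callback: FingerprintManager.AuthenticationCallback): Boolean {
    val cipher = cipherOrNull() ?: return false
    fm.authenticate(FingerprintManager.CryptoObject(cipher), cancel, 0, callback, null)
    return true
}
```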
O! New stuff
FingerprintGestureController
AccessibilityService
Detect Gestures on the Fingerprint sensor
Scrolling
Custom Actions
Security Considerations
It’s a fingerprint - not necessarily your user
Passwords might be stronger
Fingerprints can’t change
But fingerprint sensors are convenient…