Using biometrics on Android

Friday, 09/10/2020

Tram Ho

One of the methods of protecting sensitive information or private content in your apps is to require biometric authentication, such as using facial recognition or fingerprint recognition. This tutorial explains how to support biometric login flow in your application.

Declare the types of authentication that the app you support

To determine the types of authen your application supports, use the BiometricManager.Authenticators interface. The system allows you to declare the following types of authentication:

BIOMETRIC_STRONG

Authenticate using hardware meets the strength level as defined on the compatibility definition page .

BIOMETRIC_WEAK

Authenticate using hardware that meets the weak level as defined on the compatibility definition page .

DEVICE_CREDENTIAL

Authenticate using screen lock credentials – the user’s PIN, pattern, or password.

To register for the authenticator, users need to create a PIN, pattern or password. If the user hasn’t already, the biometric registration process prompts them to create these.

To determine the types of biometric authentication your application uses, pass an authentication type or a bitwise combination of the types into the setAllowedAuthenticators () method . The following code snippet shows how to support authentication using a “strong” hardware element or a screen lock proof of authentication.

<span class="token comment">// Allows user to authenticate using either a "strong" hardware element or</span>
<span class="token comment">// their lock screen credential (PIN, pattern, or password).</span>
promptInfo <span class="token operator">=</span> BiometricPrompt <span class="token punctuation">.</span> PromptInfo <span class="token punctuation">.</span> <span class="token function">Builder</span> <span class="token punctuation">(</span> <span class="token punctuation">)</span>
        <span class="token punctuation">.</span> <span class="token function">setTitle</span> <span class="token punctuation">(</span> <span class="token string">"Biometric login for my app"</span> <span class="token punctuation">)</span>
        <span class="token punctuation">.</span> <span class="token function">setSubtitle</span> <span class="token punctuation">(</span> <span class="token string">"Log in using your biometric credential"</span> <span class="token punctuation">)</span>
        <span class="token comment">// Can't call setNegativeButtonText() and</span>
        <span class="token comment">// setAllowedAuthenticators(... or DEVICE_CREDENTIAL) at the same time.</span>
        <span class="token comment">// .setNegativeButtonText("Use account password")</span>
        <span class="token punctuation">.</span> <span class="token function">setAllowedAuthenticators</span> <span class="token punctuation">(</span> BIOMETRIC_STRONG <span class="token operator">or</span> DEVICE_CREDENTIAL <span class="token punctuation">)</span>
        <span class="token punctuation">.</span> <span class="token function">build</span> <span class="token punctuation">(</span> <span class="token punctuation">)</span>

// Allows user to authenticate using either a "strong" hardware element or

// their lock screen credential (PIN, pattern, or password).

promptInfo = BiometricPrompt . PromptInfo . Builder ( )

. setTitle ( "Biometric login for my app" )

. setSubtitle ( "Log in using your biometric credential" )

// Can't call setNegativeButtonText() and

// setAllowedAuthenticators(... or DEVICE_CREDENTIAL) at the same time.

// .setNegativeButtonText("Use account password")

. setAllowedAuthenticators ( BIOMETRIC_STRONG or DEVICE_CREDENTIAL )

. build ( )

Check if biometric validation is possible

After you decide on the authentication factors your app supports, check to see if they are available. To do so, pass the same bitwise association that you declared earlier to the canAuthenticate () method . If necessary, call intent action ACTION_BIOMETRIC_ENROLL . In the intent extra, provide the set of validators that your application accepts. This intent prompts users to register credentials for the validators your application accepts.

<span class="token keyword">val</span> biometricManager <span class="token operator">=</span> BiometricManager <span class="token punctuation">.</span> <span class="token function">from</span> <span class="token punctuation">(</span> <span class="token keyword">this</span> <span class="token punctuation">)</span>
<span class="token keyword">when</span> <span class="token punctuation">(</span> biometricManager <span class="token punctuation">.</span> <span class="token function">canAuthenticate</span> <span class="token punctuation">(</span> BIOMETRIC_STRONG <span class="token operator">or</span> DEVICE_CREDENTIAL <span class="token punctuation">)</span> <span class="token punctuation">)</span> <span class="token punctuation">{</span>
    BiometricManager <span class="token punctuation">.</span> BIOMETRIC_SUCCESS <span class="token operator">-&gt;</span>
        Log <span class="token punctuation">.</span> <span class="token function">d</span> <span class="token punctuation">(</span> <span class="token string">"MY_APP_TAG"</span> <span class="token punctuation">,</span> <span class="token string">"App can authenticate using biometrics."</span> <span class="token punctuation">)</span>
    BiometricManager <span class="token punctuation">.</span> BIOMETRIC_ERROR_NO_HARDWARE <span class="token operator">-&gt;</span>
        Log <span class="token punctuation">.</span> <span class="token function">e</span> <span class="token punctuation">(</span> <span class="token string">"MY_APP_TAG"</span> <span class="token punctuation">,</span> <span class="token string">"No biometric features available on this device."</span> <span class="token punctuation">)</span>
    BiometricManager <span class="token punctuation">.</span> BIOMETRIC_ERROR_HW_UNAVAILABLE <span class="token operator">-&gt;</span>
        Log <span class="token punctuation">.</span> <span class="token function">e</span> <span class="token punctuation">(</span> <span class="token string">"MY_APP_TAG"</span> <span class="token punctuation">,</span> <span class="token string">"Biometric features are currently unavailable."</span> <span class="token punctuation">)</span>
    BiometricManager <span class="token punctuation">.</span> BIOMETRIC_ERROR_NONE_ENROLLED <span class="token operator">-&gt;</span> <span class="token punctuation">{</span>
        <span class="token comment">// Prompts the user to create credentials that your app accepts.</span>
        <span class="token keyword">val</span> enrollIntent <span class="token operator">=</span> <span class="token function">Intent</span> <span class="token punctuation">(</span> Settings <span class="token punctuation">.</span> ACTION_BIOMETRIC_ENROLL <span class="token punctuation">)</span> <span class="token punctuation">.</span> <span class="token function">apply</span> <span class="token punctuation">{</span>
            <span class="token function">putExtra</span> <span class="token punctuation">(</span> Settings <span class="token punctuation">.</span> EXTRA_BIOMETRIC_AUTHENTICATORS_ALLOWED <span class="token punctuation">,</span>
                BIOMETRIC_STRONG <span class="token operator">or</span> DEVICE_CREDENTIAL <span class="token punctuation">)</span>
        <span class="token punctuation">}</span>
        <span class="token function">startActivityForResult</span> <span class="token punctuation">(</span> enrollIntent <span class="token punctuation">,</span> REQUEST_CODE <span class="token punctuation">)</span>
    <span class="token punctuation">}</span>
<span class="token punctuation">}</span>

val biometricManager = BiometricManager . from ( this )

when ( biometricManager . canAuthenticate ( BIOMETRIC_STRONG or DEVICE_CREDENTIAL ) ) {

BiometricManager . BIOMETRIC_SUCCESS ->

Log . d ( "MY_APP_TAG" , "App can authenticate using biometrics." )

BiometricManager . BIOMETRIC_ERROR_NO_HARDWARE ->

Log . e ( "MY_APP_TAG" , "No biometric features available on this device." )

BiometricManager . BIOMETRIC_ERROR_HW_UNAVAILABLE ->

Log . e ( "MY_APP_TAG" , "Biometric features are currently unavailable." )

BiometricManager . BIOMETRIC_ERROR_NONE_ENROLLED -> {

// Prompts the user to create credentials that your app accepts.

val enrollIntent = Intent ( Settings . ACTION_BIOMETRIC_ENROLL ) . apply {

putExtra ( Settings . EXTRA_BIOMETRIC_AUTHENTICATORS_ALLOWED ,

BIOMETRIC_STRONG or DEVICE_CREDENTIAL )

}

startActivityForResult ( enrollIntent , REQUEST_CODE )

}

Determine how users authenticate

After the user authenticates, you can check if the user is authenticated with the device credentials or the biometric credentials by calling getAuthenticationType () .

Show login prompt

To display a system prompt that asks the user to authenticate using biometric credentials, use Biometric Librator . This system-provided Dialog is consistent across the applications that use it, resulting in a more reliable user experience.

Steps to add biometric authentication to your app using Biometric library:

In the app / build.gradle file, add the dependency Biometric library:

dependencies <span class="token punctuation">{</span>
    implementation <span class="token string">'androidx.biometric:biometric:1.0.1'</span>
<span class="token punctuation">}</span>

dependencies {

implementation 'androidx.biometric:biometric:1.0.1'

}

In an activity or fragment using a biometric login dialog, display a dialog like this:

<span class="token keyword">private</span> <span class="token keyword">lateinit</span> <span class="token keyword">var</span> executor <span class="token operator">:</span> Executor
<span class="token keyword">private</span> <span class="token keyword">lateinit</span> <span class="token keyword">var</span> biometricPrompt <span class="token operator">:</span> BiometricPrompt
<span class="token keyword">private</span> <span class="token keyword">lateinit</span> <span class="token keyword">var</span> promptInfo <span class="token operator">:</span> BiometricPrompt <span class="token punctuation">.</span> PromptInfo

<span class="token keyword">override</span> <span class="token keyword">fun</span> <span class="token function">onCreate</span> <span class="token punctuation">(</span> savedInstanceState <span class="token operator">:</span> Bundle <span class="token operator">?</span> <span class="token punctuation">)</span> <span class="token punctuation">{</span>
    <span class="token keyword">super</span> <span class="token punctuation">.</span> <span class="token function">onCreate</span> <span class="token punctuation">(</span> savedInstanceState <span class="token punctuation">)</span>
    <span class="token function">setContentView</span> <span class="token punctuation">(</span> R <span class="token punctuation">.</span> layout <span class="token punctuation">.</span> activity_login <span class="token punctuation">)</span>
    executor <span class="token operator">=</span> ContextCompat <span class="token punctuation">.</span> <span class="token function">getMainExecutor</span> <span class="token punctuation">(</span> <span class="token keyword">this</span> <span class="token punctuation">)</span>
    biometricPrompt <span class="token operator">=</span> <span class="token function">BiometricPrompt</span> <span class="token punctuation">(</span> <span class="token keyword">this</span> <span class="token punctuation">,</span> executor <span class="token punctuation">,</span>
            <span class="token keyword">object</span> <span class="token operator">:</span> BiometricPrompt <span class="token punctuation">.</span> <span class="token function">AuthenticationCallback</span> <span class="token punctuation">(</span> <span class="token punctuation">)</span> <span class="token punctuation">{</span>
        <span class="token keyword">override</span> <span class="token keyword">fun</span> <span class="token function">onAuthenticationError</span> <span class="token punctuation">(</span> errorCode <span class="token operator">:</span> Int <span class="token punctuation">,</span>
                errString <span class="token operator">:</span> CharSequence <span class="token punctuation">)</span> <span class="token punctuation">{</span>
            <span class="token keyword">super</span> <span class="token punctuation">.</span> <span class="token function">onAuthenticationError</span> <span class="token punctuation">(</span> errorCode <span class="token punctuation">,</span> errString <span class="token punctuation">)</span>
            Toast <span class="token punctuation">.</span> <span class="token function">makeText</span> <span class="token punctuation">(</span> applicationContext <span class="token punctuation">,</span>
                <span class="token string">"Authentication error: <span class="token interpolation variable">$errString</span> "</span> <span class="token punctuation">,</span> Toast <span class="token punctuation">.</span> LENGTH_SHORT <span class="token punctuation">)</span>
                <span class="token punctuation">.</span> <span class="token function">show</span> <span class="token punctuation">(</span> <span class="token punctuation">)</span>
        <span class="token punctuation">}</span>

        <span class="token keyword">override</span> <span class="token keyword">fun</span> <span class="token function">onAuthenticationSucceeded</span> <span class="token punctuation">(</span>
                result <span class="token operator">:</span> BiometricPrompt <span class="token punctuation">.</span> AuthenticationResult <span class="token punctuation">)</span> <span class="token punctuation">{</span>
            <span class="token keyword">super</span> <span class="token punctuation">.</span> <span class="token function">onAuthenticationSucceeded</span> <span class="token punctuation">(</span> result <span class="token punctuation">)</span>
            Toast <span class="token punctuation">.</span> <span class="token function">makeText</span> <span class="token punctuation">(</span> applicationContext <span class="token punctuation">,</span>
                <span class="token string">"Authentication succeeded!"</span> <span class="token punctuation">,</span> Toast <span class="token punctuation">.</span> LENGTH_SHORT <span class="token punctuation">)</span>
                <span class="token punctuation">.</span> <span class="token function">show</span> <span class="token punctuation">(</span> <span class="token punctuation">)</span>
        <span class="token punctuation">}</span>

        <span class="token keyword">override</span> <span class="token keyword">fun</span> <span class="token function">onAuthenticationFailed</span> <span class="token punctuation">(</span> <span class="token punctuation">)</span> <span class="token punctuation">{</span>
            <span class="token keyword">super</span> <span class="token punctuation">.</span> <span class="token function">onAuthenticationFailed</span> <span class="token punctuation">(</span> <span class="token punctuation">)</span>
            Toast <span class="token punctuation">.</span> <span class="token function">makeText</span> <span class="token punctuation">(</span> applicationContext <span class="token punctuation">,</span> <span class="token string">"Authentication failed"</span> <span class="token punctuation">,</span>
                Toast <span class="token punctuation">.</span> LENGTH_SHORT <span class="token punctuation">)</span>
                <span class="token punctuation">.</span> <span class="token function">show</span> <span class="token punctuation">(</span> <span class="token punctuation">)</span>
        <span class="token punctuation">}</span>
    <span class="token punctuation">}</span> <span class="token punctuation">)</span>

    promptInfo <span class="token operator">=</span> BiometricPrompt <span class="token punctuation">.</span> PromptInfo <span class="token punctuation">.</span> <span class="token function">Builder</span> <span class="token punctuation">(</span> <span class="token punctuation">)</span>
            <span class="token punctuation">.</span> <span class="token function">setTitle</span> <span class="token punctuation">(</span> <span class="token string">"Biometric login for my app"</span> <span class="token punctuation">)</span>
            <span class="token punctuation">.</span> <span class="token function">setSubtitle</span> <span class="token punctuation">(</span> <span class="token string">"Log in using your biometric credential"</span> <span class="token punctuation">)</span>
            <span class="token punctuation">.</span> <span class="token function">setNegativeButtonText</span> <span class="token punctuation">(</span> <span class="token string">"Use account password"</span> <span class="token punctuation">)</span>
            <span class="token punctuation">.</span> <span class="token function">build</span> <span class="token punctuation">(</span> <span class="token punctuation">)</span>

    <span class="token comment">// Prompt appears when user clicks "Log in".</span>
    <span class="token comment">// Consider integrating with the keystore to unlock cryptographic operations,</span>
    <span class="token comment">// if needed by your app.</span>
    <span class="token keyword">val</span> biometricLoginButton <span class="token operator">=</span>
            findViewById <span class="token operator">&lt;</span> Button <span class="token operator">&gt;</span> <span class="token punctuation">(</span> R <span class="token punctuation">.</span> id <span class="token punctuation">.</span> biometric_login <span class="token punctuation">)</span>
    biometricLoginButton <span class="token punctuation">.</span> <span class="token function">setOnClickListener</span> <span class="token punctuation">{</span>
        biometricPrompt <span class="token punctuation">.</span> <span class="token function">authenticate</span> <span class="token punctuation">(</span> promptInfo <span class="token punctuation">)</span>
    <span class="token punctuation">}</span>
<span class="token punctuation">}</span>

private lateinit var executor : Executor

private lateinit var biometricPrompt : BiometricPrompt

private lateinit var promptInfo : BiometricPrompt . PromptInfo

override fun onCreate ( savedInstanceState : Bundle ? ) {

super . onCreate ( savedInstanceState )

setContentView ( R . layout . activity_login )

executor = ContextCompat . getMainExecutor ( this )

biometricPrompt = BiometricPrompt ( this , executor ,

object : BiometricPrompt . AuthenticationCallback ( ) {

override fun onAuthenticationError ( errorCode : Int ,

errString : CharSequence ) {

super . onAuthenticationError ( errorCode , errString )

Toast . makeText ( applicationContext ,

"Authentication error: $errString " , Toast . LENGTH_SHORT )

. show ( )

}

override fun onAuthenticationSucceeded (

result : BiometricPrompt . AuthenticationResult ) {

super . onAuthenticationSucceeded ( result )

Toast . makeText ( applicationContext ,

"Authentication succeeded!" , Toast . LENGTH_SHORT )

. show ( )

}

override fun onAuthenticationFailed ( ) {

super . onAuthenticationFailed ( )

Toast . makeText ( applicationContext , "Authentication failed" ,

Toast . LENGTH_SHORT )

. show ( )

}

} )

. setNegativeButtonText ( "Use account password" )

. build ( )

// Prompt appears when user clicks "Log in".

// Consider integrating with the keystore to unlock cryptographic operations,

// if needed by your app.

val biometricLoginButton =

findViewById < Button > ( R . id . biometric_login )

biometricLoginButton . setOnClickListener {

biometricPrompt . authenticate ( promptInfo )

}

Using a cryptographic solution depends on authentication

To further protect sensitive information in your application, you can incorporate cryptography into your biometric authentication using the CryptoObject instance. The framework supports the following encryption objects: Signature , Cipher, and Mac .

After the user successfully authenticates with the biometric prompt, your application can perform the encryption operation. For example, if you authenticate using a Cipher object, your application can perform encryption and decryption using the SecretKey object.

The following sections go through examples of using the Cipher object and the SecretKey object to encrypt data. Each example uses the following methods:

<span class="token keyword">private</span> <span class="token keyword">fun</span> <span class="token function">generateSecretKey</span> <span class="token punctuation">(</span> keyGenParameterSpec <span class="token operator">:</span> KeyGenParameterSpec <span class="token punctuation">)</span> <span class="token punctuation">{</span>
    <span class="token keyword">val</span> keyGenerator <span class="token operator">=</span> KeyGenerator <span class="token punctuation">.</span> <span class="token function">getInstance</span> <span class="token punctuation">(</span>
            KeyProperties <span class="token punctuation">.</span> KEY_ALGORITHM_AES <span class="token punctuation">,</span> <span class="token string">"AndroidKeyStore"</span> <span class="token punctuation">)</span>
    keyGenerator <span class="token punctuation">.</span> <span class="token function">init</span> <span class="token punctuation">(</span> keyGenParameterSpec <span class="token punctuation">)</span>
    keyGenerator <span class="token punctuation">.</span> <span class="token function">generateKey</span> <span class="token punctuation">(</span> <span class="token punctuation">)</span>
<span class="token punctuation">}</span>

<span class="token keyword">private</span> <span class="token keyword">fun</span> <span class="token function">getSecretKey</span> <span class="token punctuation">(</span> <span class="token punctuation">)</span> <span class="token operator">:</span> SecretKey <span class="token punctuation">{</span>
    <span class="token keyword">val</span> keyStore <span class="token operator">=</span> KeyStore <span class="token punctuation">.</span> <span class="token function">getInstance</span> <span class="token punctuation">(</span> <span class="token string">"AndroidKeyStore"</span> <span class="token punctuation">)</span>

    <span class="token comment">// Before the keystore can be accessed, it must be loaded.</span>
    keyStore <span class="token punctuation">.</span> <span class="token function">load</span> <span class="token punctuation">(</span> <span class="token keyword">null</span> <span class="token punctuation">)</span>
    <span class="token keyword">return</span> keyStore <span class="token punctuation">.</span> <span class="token function">getKey</span> <span class="token punctuation">(</span> KEY_NAME <span class="token punctuation">,</span> <span class="token keyword">null</span> <span class="token punctuation">)</span> <span class="token keyword">as</span> SecretKey
<span class="token punctuation">}</span>

<span class="token keyword">private</span> <span class="token keyword">fun</span> <span class="token function">getCipher</span> <span class="token punctuation">(</span> <span class="token punctuation">)</span> <span class="token operator">:</span> Cipher <span class="token punctuation">{</span>
    <span class="token keyword">return</span> Cipher <span class="token punctuation">.</span> <span class="token function">getInstance</span> <span class="token punctuation">(</span> KeyProperties <span class="token punctuation">.</span> KEY_ALGORITHM_AES <span class="token operator">+</span> <span class="token string">"/"</span>
            <span class="token operator">+</span> KeyProperties <span class="token punctuation">.</span> BLOCK_MODE_CBC <span class="token operator">+</span> <span class="token string">"/"</span>
            <span class="token operator">+</span> KeyProperties <span class="token punctuation">.</span> ENCRYPTION_PADDING_PKCS7 <span class="token punctuation">)</span>
<span class="token punctuation">}</span>

private fun generateSecretKey ( keyGenParameterSpec : KeyGenParameterSpec ) {

val keyGenerator = KeyGenerator . getInstance (

KeyProperties . KEY_ALGORITHM_AES , "AndroidKeyStore" )

keyGenerator . init ( keyGenParameterSpec )

keyGenerator . generateKey ( )

}

private fun getSecretKey ( ) : SecretKey {

val keyStore = KeyStore . getInstance ( "AndroidKeyStore" )

// Before the keystore can be accessed, it must be loaded.

keyStore . load ( null )

return keyStore . getKey ( KEY_NAME , null ) as SecretKey

}

private fun getCipher ( ) : Cipher {

return Cipher . getInstance ( KeyProperties . KEY_ALGORITHM_AES + "/"

+ KeyProperties . BLOCK_MODE_CBC + "/"

+ KeyProperties . ENCRYPTION_PADDING_PKCS7 )

}

Authenticate using only biometric credentials

If your application uses a secret key that requires biometric credentials to unlock, the user must verify their biometric credentials each time before your app accesses the key.

To encrypt sensitive information only after the user authenticates with the biometric credentials, complete the following steps:

The Generate key uses the following KeyGenParameterSpec configuration:

<span class="token function">generateSecretKey</span> <span class="token punctuation">(</span> KeyGenParameterSpec <span class="token punctuation">.</span> <span class="token function">Builder</span> <span class="token punctuation">(</span>
        KEY_NAME <span class="token punctuation">,</span>
        KeyProperties <span class="token punctuation">.</span> PURPOSE_ENCRYPT <span class="token operator">or</span> KeyProperties <span class="token punctuation">.</span> PURPOSE_DECRYPT <span class="token punctuation">)</span>
        <span class="token punctuation">.</span> <span class="token function">setBlockModes</span> <span class="token punctuation">(</span> KeyProperties <span class="token punctuation">.</span> BLOCK_MODE_CBC <span class="token punctuation">)</span>
        <span class="token punctuation">.</span> <span class="token function">setEncryptionPaddings</span> <span class="token punctuation">(</span> KeyProperties <span class="token punctuation">.</span> ENCRYPTION_PADDING_PKCS7 <span class="token punctuation">)</span>
        <span class="token punctuation">.</span> <span class="token function">setUserAuthenticationRequired</span> <span class="token punctuation">(</span> <span class="token boolean">true</span> <span class="token punctuation">)</span>
        <span class="token comment">// Invalidate the keys if the user has registered a new biometric</span>
        <span class="token comment">// credential, such as a new fingerprint. Can call this method only</span>
        <span class="token comment">// on Android 7.0 (API level 24) or higher. The variable</span>
        <span class="token comment">// "invalidatedByBiometricEnrollment" is true by default.</span>
        <span class="token punctuation">.</span> <span class="token function">setInvalidatedByBiometricEnrollment</span> <span class="token punctuation">(</span> <span class="token boolean">true</span> <span class="token punctuation">)</span>
        <span class="token punctuation">.</span> <span class="token function">build</span> <span class="token punctuation">(</span> <span class="token punctuation">)</span> <span class="token punctuation">)</span>

generateSecretKey ( KeyGenParameterSpec . Builder (

KEY_NAME ,

KeyProperties . PURPOSE_ENCRYPT or KeyProperties . PURPOSE_DECRYPT )

. setBlockModes ( KeyProperties . BLOCK_MODE_CBC )

. setEncryptionPaddings ( KeyProperties . ENCRYPTION_PADDING_PKCS7 )

. setUserAuthenticationRequired ( true )

// Invalidate the keys if the user has registered a new biometric

// credential, such as a new fingerprint. Can call this method only

// on Android 7.0 (API level 24) or higher. The variable

// "invalidatedByBiometricEnrollment" is true by default.

. setInvalidatedByBiometricEnrollment ( true )

. build ( ) )

Start the process of biometric authentication with cryptography:

biometricLoginButton <span class="token punctuation">.</span> <span class="token function">setOnClickListener</span> <span class="token punctuation">{</span>
    <span class="token comment">// Exceptions are unhandled within this snippet.</span>
    <span class="token keyword">val</span> cipher <span class="token operator">=</span> <span class="token function">getCipher</span> <span class="token punctuation">(</span> <span class="token punctuation">)</span>
    <span class="token keyword">val</span> secretKey <span class="token operator">=</span> <span class="token function">getSecretKey</span> <span class="token punctuation">(</span> <span class="token punctuation">)</span>
    cipher <span class="token punctuation">.</span> <span class="token function">init</span> <span class="token punctuation">(</span> Cipher <span class="token punctuation">.</span> ENCRYPT_MODE <span class="token punctuation">,</span> secretKey <span class="token punctuation">)</span>
    biometricPrompt <span class="token punctuation">.</span> <span class="token function">authenticate</span> <span class="token punctuation">(</span> promptInfo <span class="token punctuation">,</span>
            BiometricPrompt <span class="token punctuation">.</span> <span class="token function">CryptoObject</span> <span class="token punctuation">(</span> cipher <span class="token punctuation">)</span> <span class="token punctuation">)</span>
<span class="token punctuation">}</span>

biometricLoginButton . setOnClickListener {

// Exceptions are unhandled within this snippet.

val cipher = getCipher ( )

val secretKey = getSecretKey ( )

cipher . init ( Cipher . ENCRYPT_MODE , secretKey )

biometricPrompt . authenticate ( promptInfo ,

BiometricPrompt . CryptoObject ( cipher ) )

}

In your biometric authentication callback, use the secret key to encrypt sensitive information:

<span class="token keyword">override</span> <span class="token keyword">fun</span> <span class="token function">onAuthenticationSucceeded</span> <span class="token punctuation">(</span>
        result <span class="token operator">:</span> BiometricPrompt <span class="token punctuation">.</span> AuthenticationResult <span class="token punctuation">)</span> <span class="token punctuation">{</span>
    <span class="token keyword">val</span> encryptedInfo <span class="token operator">:</span> ByteArray <span class="token operator">=</span> result <span class="token punctuation">.</span> cryptoObject <span class="token punctuation">.</span> cipher <span class="token operator">?</span> <span class="token punctuation">.</span> <span class="token function">doFinal</span> <span class="token punctuation">(</span>
            plaintext <span class="token operator">-</span> string <span class="token punctuation">.</span> <span class="token function">toByteArray</span> <span class="token punctuation">(</span> Charset <span class="token punctuation">.</span> <span class="token function">defaultCharset</span> <span class="token punctuation">(</span> <span class="token punctuation">)</span> <span class="token punctuation">)</span>
    <span class="token punctuation">)</span>
    Log <span class="token punctuation">.</span> <span class="token function">d</span> <span class="token punctuation">(</span> <span class="token string">"MY_APP_TAG"</span> <span class="token punctuation">,</span> <span class="token string">"Encrypted information: "</span> <span class="token operator">+</span>
            Arrays <span class="token punctuation">.</span> <span class="token function">toString</span> <span class="token punctuation">(</span> encryptedInfo <span class="token punctuation">)</span> <span class="token punctuation">)</span>
<span class="token punctuation">}</span>

override fun onAuthenticationSucceeded (

val encryptedInfo : ByteArray = result . cryptoObject . cipher ? . doFinal (

plaintext - string . toByteArray ( Charset . defaultCharset ( ) )

)

Log . d ( "MY_APP_TAG" , "Encrypted information: " +

Arrays . toString ( encryptedInfo ) )

}

Authenticate using lock screen or biometric credentials

You can use a secret key that enables authentication using biometric credentials or lock screen credentials (PIN, pattern or password). When configuring this key, specify an validity period. During this time, your application may perform many cryptographic operations without the user needing to re-authenticate.

To encrypt sensitive information after a user authenticates with credentials on the lock screen or biometrics, complete the following steps:

Generate key using the KeyGenParameterSpec configuration

<span class="token function">generateSecretKey</span> <span class="token punctuation">(</span> KeyGenParameterSpec <span class="token punctuation">.</span> <span class="token function">Builder</span> <span class="token punctuation">(</span>
    KEY_NAME <span class="token punctuation">,</span>
    KeyProperties <span class="token punctuation">.</span> PURPOSE_ENCRYPT <span class="token operator">or</span> KeyProperties <span class="token punctuation">.</span> PURPOSE_DECRYPT <span class="token punctuation">)</span>
    <span class="token punctuation">.</span> <span class="token function">setBlockModes</span> <span class="token punctuation">(</span> KeyProperties <span class="token punctuation">.</span> BLOCK_MODE_CBC <span class="token punctuation">)</span>
    <span class="token punctuation">.</span> <span class="token function">setEncryptionPaddings</span> <span class="token punctuation">(</span> KeyProperties <span class="token punctuation">.</span> ENCRYPTION_PADDING_PKCS7 <span class="token punctuation">)</span>
    <span class="token punctuation">.</span> <span class="token function">setUserAuthenticationRequired</span> <span class="token punctuation">(</span> <span class="token boolean">true</span> <span class="token punctuation">)</span>
    <span class="token punctuation">.</span> <span class="token function">setUserAuthenticationParameters</span> <span class="token punctuation">(</span> VALIDITY_DURATION_SECONDS <span class="token punctuation">,</span>
            ALLOWED_AUTHENTICATORS <span class="token punctuation">)</span>
    <span class="token punctuation">.</span> <span class="token function">build</span> <span class="token punctuation">(</span> <span class="token punctuation">)</span> <span class="token punctuation">)</span>

KEY_NAME ,

. setUserAuthenticationParameters ( VALIDITY_DURATION_SECONDS ,

ALLOWED_AUTHENTICATORS )

During the period VALIDITY_DURATION_SECONDS after the user authenticates, encrypt the sensitive information:

<span class="token keyword">private</span> <span class="token keyword">fun</span> <span class="token function">encryptSecretInformation</span> <span class="token punctuation">(</span> <span class="token punctuation">)</span> <span class="token punctuation">{</span>
    <span class="token comment">// Exceptions are unhandled for getCipher() and getSecretKey().</span>
    <span class="token keyword">val</span> cipher <span class="token operator">=</span> <span class="token function">getCipher</span> <span class="token punctuation">(</span> <span class="token punctuation">)</span>
    <span class="token keyword">val</span> secretKey <span class="token operator">=</span> <span class="token function">getSecretKey</span> <span class="token punctuation">(</span> <span class="token punctuation">)</span>
    <span class="token keyword">try</span> <span class="token punctuation">{</span>
        cipher <span class="token punctuation">.</span> <span class="token function">init</span> <span class="token punctuation">(</span> Cipher <span class="token punctuation">.</span> ENCRYPT_MODE <span class="token punctuation">,</span> secretKey <span class="token punctuation">)</span>
        <span class="token keyword">val</span> encryptedInfo <span class="token operator">:</span> ByteArray <span class="token operator">=</span> cipher <span class="token punctuation">.</span> <span class="token function">doFinal</span> <span class="token punctuation">(</span>
                plaintext <span class="token operator">-</span> string <span class="token punctuation">.</span> <span class="token function">toByteArray</span> <span class="token punctuation">(</span> Charset <span class="token punctuation">.</span> <span class="token function">defaultCharset</span> <span class="token punctuation">(</span> <span class="token punctuation">)</span> <span class="token punctuation">)</span> <span class="token punctuation">)</span>
        Log <span class="token punctuation">.</span> <span class="token function">d</span> <span class="token punctuation">(</span> <span class="token string">"MY_APP_TAG"</span> <span class="token punctuation">,</span> <span class="token string">"Encrypted information: "</span> <span class="token operator">+</span>
                Arrays <span class="token punctuation">.</span> <span class="token function">toString</span> <span class="token punctuation">(</span> encryptedInfo <span class="token punctuation">)</span> <span class="token punctuation">)</span>
    <span class="token punctuation">}</span> <span class="token keyword">catch</span> <span class="token punctuation">(</span> e <span class="token operator">:</span> InvalidKeyException <span class="token punctuation">)</span> <span class="token punctuation">{</span>
        Log <span class="token punctuation">.</span> <span class="token function">e</span> <span class="token punctuation">(</span> <span class="token string">"MY_APP_TAG"</span> <span class="token punctuation">,</span> <span class="token string">"Key is invalid."</span> <span class="token punctuation">)</span>
    <span class="token punctuation">}</span> <span class="token keyword">catch</span> <span class="token punctuation">(</span> e <span class="token operator">:</span> UserNotAuthenticatedException <span class="token punctuation">)</span> <span class="token punctuation">{</span>
        Log <span class="token punctuation">.</span> <span class="token function">d</span> <span class="token punctuation">(</span> <span class="token string">"MY_APP_TAG"</span> <span class="token punctuation">,</span> <span class="token string">"The key's validity timed out."</span> <span class="token punctuation">)</span>
        biometricPrompt <span class="token punctuation">.</span> <span class="token function">authenticate</span> <span class="token punctuation">(</span> promptInfo <span class="token punctuation">)</span>
    <span class="token punctuation">}</span>

private fun encryptSecretInformation ( ) {

// Exceptions are unhandled for getCipher() and getSecretKey().

try {

val encryptedInfo : ByteArray = cipher . doFinal (

Log . d ( "MY_APP_TAG" , "Encrypted information: " +

} catch ( e : InvalidKeyException ) {

Log . e ( "MY_APP_TAG" , "Key is invalid." )

} catch ( e : UserNotAuthenticatedException ) {

Log . d ( "MY_APP_TAG" , "The key's validity timed out." )

biometricPrompt . authenticate ( promptInfo )

}

Authenticate with an authentication key each time

You can provide support for per-use authentication keys in your instance of BiometricPrompt . Such a lock requires users to present biometric or device credentials each time your application needs to access data protected by that key. Per-use authentication keys can be useful for high-value transactions, such as large payments or updating one’s health records.

To associate the BiometricPrompt object with the auth-per-use key, add code similar to the following:

<span class="token keyword">val</span> authPerOpKeyGenParameterSpec <span class="token operator">=</span>
        KeyGenParameterSpec <span class="token punctuation">.</span> <span class="token function">Builder</span> <span class="token punctuation">(</span> <span class="token string">"myKeystoreAlias"</span> <span class="token punctuation">,</span> key <span class="token operator">-</span> purpose <span class="token punctuation">)</span>
    <span class="token comment">// Accept either a biometric credential or a device credential.</span>
    <span class="token comment">// To accept only one type of credential, include only that type as the</span>
    <span class="token comment">// second argument.</span>
    <span class="token punctuation">.</span> <span class="token function">setUserAuthenticationParameters</span> <span class="token punctuation">(</span> <span class="token number">0</span> <span class="token comment">/* duration */</span> <span class="token punctuation">,</span>
            KeyProperties <span class="token punctuation">.</span> AUTH_BIOMETRIC_STRONG <span class="token operator">or</span>
            KeyProperties <span class="token punctuation">.</span> AUTH_DEVICE_CREDENTIAL <span class="token punctuation">)</span>
    <span class="token punctuation">.</span> <span class="token function">build</span> <span class="token punctuation">(</span> <span class="token punctuation">)</span>

val authPerOpKeyGenParameterSpec =

KeyGenParameterSpec . Builder ( "myKeystoreAlias" , key - purpose )

// Accept either a biometric credential or a device credential.

// To accept only one type of credential, include only that type as the

// second argument.

. setUserAuthenticationParameters ( 0 /* duration */ ,

KeyProperties . AUTH_BIOMETRIC_STRONG or

KeyProperties . AUTH_DEVICE_CREDENTIAL )

. build ( )

Authentication without explicit user action

By default, the system asks the user to perform a specific action, such as pressing a button, after their biometric credentials are accepted. This configuration is more suitable if your application is displaying a dialog box to confirm a sensitive or high-risk action, such as a purchase.

However, if your app shows a biometric authentication dialog for a lower risk action, you can provide a hint to the system that the user doesn’t need validation. This suggestion can allow users to see content in your app faster after re-authenticating using a passive method, such as facial or iris based recognition. To provide this hint, pass false to the setConfirmationRequired () method .

The picture shows two versions of the same dialog. One version requires explicit user action and the other does not:

The following code snippet shows how to present a dialog that doesn’t require explicit user action to complete the validation process:

<span class="token comment">// Allows user to authenticate without performing an action, such as pressing a</span>
<span class="token comment">// button, after their biometric credential is accepted.</span>
promptInfo <span class="token operator">=</span> BiometricPrompt <span class="token punctuation">.</span> PromptInfo <span class="token punctuation">.</span> <span class="token function">Builder</span> <span class="token punctuation">(</span> <span class="token punctuation">)</span>
        <span class="token punctuation">.</span> <span class="token function">setTitle</span> <span class="token punctuation">(</span> <span class="token string">"Biometric login for my app"</span> <span class="token punctuation">)</span>
        <span class="token punctuation">.</span> <span class="token function">setSubtitle</span> <span class="token punctuation">(</span> <span class="token string">"Log in using your biometric credential"</span> <span class="token punctuation">)</span>
        <span class="token punctuation">.</span> <span class="token function">setNegativeButtonText</span> <span class="token punctuation">(</span> <span class="token string">"Use account password"</span> <span class="token punctuation">)</span>
        <span class="token punctuation">.</span> <span class="token function">setConfirmationRequired</span> <span class="token punctuation">(</span> <span class="token boolean">false</span> <span class="token punctuation">)</span>
        <span class="token punctuation">.</span> <span class="token function">build</span> <span class="token punctuation">(</span> <span class="token punctuation">)</span>

// Allows user to authenticate without performing an action, such as pressing a

// button, after their biometric credential is accepted.

. setConfirmationRequired ( false )

. build ( )

Allow the provision of non-biometric authentication information

If you want your app to enable biometric or device authentication, you can declare that your app supports device credentials by including DEVICE_CREDENTIAL in the set of values. which you pass in setAllowedAuthenticators () .

If your application is currently using createConfirmDeviceCredentialIntent () or setDeviceCredentialAllowed () to provide this capability, switch to using setAllowedAuthenticators () .

This article is over. Thank you for reading my article

Share the news now

Source : Viblo

Using biometrics on Android

Declare the types of authentication that the app you support

Check if biometric validation is possible

Determine how users authenticate

Show login prompt

Using a cryptographic solution depends on authentication

Authenticate using only biometric credentials

Authenticate using lock screen or biometric credentials

Authenticate with an authentication key each time

Authentication without explicit user action

Allow the provision of non-biometric authentication information

TikTok becomes the second largest social platform in South Africa

The fastest depreciating after 9 months of launch, iPhone 14 Pro Max continues to break the bottom in Vietnam

Beginner's guide to R: Introduction

10 essential SublimeText plugins for JavaScript developers