Using biometrics on Android

Tram Ho

One way to protect sensitive information or private content in your app is to require biometric authentication, such as facial recognition or fingerprint recognition. This tutorial explains how to support a biometric login flow in your application.

Declare the types of authentication that your app supports

To declare the types of authentication your application supports, use the BiometricManager.Authenticators interface. The system lets you declare the following types of authentication:

Authentication using hardware that meets the strong level, as defined on the compatibility definition page.

Authentication using hardware that meets the weak level, as defined on the compatibility definition page.

Authentication using screen lock credentials: the user's PIN, pattern, or password.

To enroll in an authenticator, users need to create a PIN, pattern, or password. If the user doesn't already have one, the biometric enrollment flow prompts them to create one.

To declare the types of biometric authentication your application uses, pass an authentication type, or a bitwise combination of types, to the setAllowedAuthenticators() method. The following code snippet shows how to support authentication using either a "strong" hardware element or screen lock credentials.
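As an added example (not code from the original post), here is a Kotlin helper that builds the bitwise combination and a PromptInfo that declares it. The function names allowedAuthenticators() and loginPromptInfo() and the prompt strings are my own; the API-level rule encoded in the comment is the one documented for the androidx Biometric library.

```kotlin
import android.os.Build
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_WEAK
import androidx.biometric.BiometricManager.Authenticators.DEVICE_CREDENTIAL
import androidx.biometric.BiometricPrompt

/**
 * Bitwise combination of the authenticators the app accepts: a "strong"
 * biometric or the screen lock. The androidx library does not support
 * BIOMETRIC_STRONG | DEVICE_CREDENTIAL on API 28-29 (nor DEVICE_CREDENTIAL
 * alone before API 30), so those two versions get BIOMETRIC_WEAK | DEVICE_CREDENTIAL,
 * a weaker biometric class, instead of crashing at prompt time.
 */
fun allowedAuthenticators(): Int =
    if (Build.VERSION.SDK_INT in Build.VERSION_CODES.P..Build.VERSION_CODES.Q)
        BIOMETRIC_WEAK or DEVICE_CREDENTIAL
    else
        BIOMETRIC_STRONG or DEVICE_CREDENTIAL

/** PromptInfo that declares those authenticators (hypothetical helper). */
fun loginPromptInfo(): BiometricPrompt.PromptInfo {
    val authenticators = allowedAuthenticators()
    val builder = BiometricPrompt.PromptInfo.Builder()
        .setTitle("Biometric login for my app")
        .setSubtitle("Log in using your biometric credential")
        .setAllowedAuthenticators(authenticators)
    // build() throws if a negative button is set while DEVICE_CREDENTIAL is allowed
    // (the system supplies the "use screen lock" option itself), and also if no
    // negative button is set while DEVICE_CREDENTIAL is not allowed.
    if ((authenticators and DEVICE_CREDENTIAL) == 0) {
        builder.setNegativeButtonText("Use account password")
    }
    return builder.build()
}
```

The same combination returned by allowedAuthenticators() should be the one you later pass to canAuthenticate(), so that the availability check and the prompt agree.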

Check if biometric validation is possible

After you decide which authentication factors your app supports, check whether they are available. To do so, pass the same bitwise combination you declared earlier to the canAuthenticate() method. If necessary, invoke the ACTION_BIOMETRIC_ENROLL intent action, providing in the intent extra the set of authenticators your application accepts. This intent prompts the user to enroll credentials for those authenticators.
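The availability check and the enrollment intent described above, as an added Kotlin example (not from the original post). The function name checkBiometricAvailability() and the request code are assumptions; Settings.ACTION_BIOMETRIC_ENROLL and Settings.EXTRA_BIOMETRIC_AUTHENTICATORS_ALLOWED are platform constants that exist from API 30.

```kotlin
import android.app.Activity
import android.content.Intent
import android.os.Build
import android.provider.Settings
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricManager.Authenticators.DEVICE_CREDENTIAL

// Hypothetical request code for the enrollment activity result.
private const val REQUEST_CODE_BIOMETRIC_ENROLL = 1001

// The same bitwise combination that is passed to setAllowedAuthenticators().
private val ALLOWED_AUTHENTICATORS = BIOMETRIC_STRONG or DEVICE_CREDENTIAL

/**
 * Returns true when the prompt can be shown right now. When hardware exists but
 * nothing is enrolled, launches the system enrollment flow and returns false.
 */
fun checkBiometricAvailability(activity: Activity): Boolean {
    val biometricManager = BiometricManager.from(activity)
    return when (biometricManager.canAuthenticate(ALLOWED_AUTHENTICATORS)) {
        BiometricManager.BIOMETRIC_SUCCESS -> true
        BiometricManager.BIOMETRIC_ERROR_NO_HARDWARE -> false       // nothing to fall back to
        BiometricManager.BIOMETRIC_ERROR_HW_UNAVAILABLE -> false    // temporarily busy; retry later
        BiometricManager.BIOMETRIC_ERROR_NONE_ENROLLED -> {
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
                val enrollIntent = Intent(Settings.ACTION_BIOMETRIC_ENROLL).apply {
                    // Tell the enrollment UI which authenticators the app will accept.
                    putExtra(Settings.EXTRA_BIOMETRIC_AUTHENTICATORS_ALLOWED, ALLOWED_AUTHENTICATORS)
                }
                activity.startActivityForResult(enrollIntent, REQUEST_CODE_BIOMETRIC_ENROLL)
            }
            false
        }
        else -> false  // BIOMETRIC_ERROR_UNSUPPORTED, BIOMETRIC_STATUS_UNKNOWN, ...
    }
}
```

Re-run the check in onActivityResult() (or when the activity resumes) rather than assuming enrollment succeeded, since the user may back out of the system flow.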

Determine how users authenticate

After the user authenticates, you can check whether they authenticated with device credentials or biometric credentials by calling getAuthenticationType().

Show login prompt

To display a system prompt that asks the user to authenticate using biometric credentials, use the Biometric library. This system-provided dialog is consistent across the applications that use it, resulting in a more trustworthy user experience.

Steps to add biometric authentication to your app using the Biometric library:

  1. In the app/build.gradle file, add the Biometric library dependency:

  2. In an activity or fragment that uses a biometric login dialog, display the dialog like this:
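Both steps together, plus the getAuthenticationType() check from the section above, as an added Kotlin example that is not the original post's code. The Gradle line is shown as a comment (the version number is an assumption); LoginActivity, its strings and the commented-out layout and button are hypothetical.

```kotlin
// Step 1, in app/build.gradle (Kotlin DSL shown; version assumed):
//   dependencies { implementation("androidx.biometric:biometric:1.1.0") }

// Step 2: the activity that shows the dialog.
import android.os.Bundle
import android.widget.Toast
import androidx.appcompat.app.AppCompatActivity
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricManager.Authenticators.DEVICE_CREDENTIAL
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat

class LoginActivity : AppCompatActivity() {

    private lateinit var biometricPrompt: BiometricPrompt
    private lateinit var promptInfo: BiometricPrompt.PromptInfo

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // setContentView(R.layout.activity_login)  // hypothetical layout

        // Callbacks are delivered on the main thread via this executor.
        val executor = ContextCompat.getMainExecutor(this)
        biometricPrompt = BiometricPrompt(this, executor,
            object : BiometricPrompt.AuthenticationCallback() {
                override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
                    super.onAuthenticationError(errorCode, errString)
                    // Unrecoverable for this attempt (cancelled, locked out, negative button...).
                    Toast.makeText(applicationContext, "Authentication error: $errString", Toast.LENGTH_SHORT).show()
                }

                override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                    super.onAuthenticationSucceeded(result)
                    // getAuthenticationType() reports which factor the user actually used.
                    val factor = when (result.authenticationType) {
                        BiometricPrompt.AUTHENTICATION_RESULT_TYPE_BIOMETRIC -> "biometric"
                        BiometricPrompt.AUTHENTICATION_RESULT_TYPE_DEVICE_CREDENTIAL -> "device credential"
                        else -> "unknown"
                    }
                    Toast.makeText(applicationContext, "Authenticated with $factor", Toast.LENGTH_SHORT).show()
                }

                override fun onAuthenticationFailed() {
                    super.onAuthenticationFailed()
                    // A biometric was presented but not recognised; the dialog stays open.
                    Toast.makeText(applicationContext, "Authentication failed", Toast.LENGTH_SHORT).show()
                }
            })

        promptInfo = BiometricPrompt.PromptInfo.Builder()
            .setTitle("Biometric login for my app")
            .setSubtitle("Log in using your biometric credential")
            // Strong biometric OR screen lock. With DEVICE_CREDENTIAL allowed, do not
            // call setNegativeButtonText(): the system adds the screen-lock option itself.
            .setAllowedAuthenticators(BIOMETRIC_STRONG or DEVICE_CREDENTIAL)
            .build()

        // Normally triggered from a button, e.g.
        // findViewById<Button>(R.id.biometric_login).setOnClickListener { biometricPrompt.authenticate(promptInfo) }
        biometricPrompt.authenticate(promptInfo)
    }
}
```

Knowing the factor from getAuthenticationType() matters when your policy treats a PIN differently from a biometric, for example by requiring a biometric for the highest-value actions.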

Using a cryptographic solution that depends on authentication

To further protect sensitive information in your application, you can incorporate cryptography into your biometric authentication flow using a CryptoObject instance. The framework supports the following cryptographic objects: Signature, Cipher, and Mac.

After the user successfully authenticates with the biometric prompt, your application can perform the cryptographic operation. For example, if you authenticate using a Cipher object, your application can then encrypt and decrypt data using a SecretKey object.

The following sections go through examples of using the Cipher object and the SecretKey object to encrypt data. Each example uses the following methods:

Authenticate using only biometric credentials

If your application uses a secret key that requires biometric credentials to unlock, the user must verify their biometric credentials each time before your app accesses the key.

To encrypt sensitive information only after the user authenticates with the biometric credentials, complete the following steps:

  1. Generate a key using the following KeyGenParameterSpec configuration:

  2. Start the biometric authentication flow with cryptography:

  3. In your biometric authentication callback, use the secret key to encrypt the sensitive information:
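The three steps above, together with the shared helper methods the earlier section says each example uses, as one added Kotlin example (not the original post's code). The helper names generateSecretKey(), getSecretKey() and getCipher(), the key alias, and encryptAfterBiometric() are my own choices.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

// Constructed values for this example.
private const val KEY_NAME = "example_biometric_key"
private const val ANDROID_KEYSTORE = "AndroidKeyStore"

// Step 1: an AES key that is only usable after a fresh biometric authentication.
fun generateSecretKey(keyName: String = KEY_NAME) {
    val spec = KeyGenParameterSpec.Builder(keyName,
        KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
        .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
        // Default validity (-1) means: every use needs its own authentication.
        .setUserAuthenticationRequired(true)
        // Kill the key if a new fingerprint/face is enrolled (API 24+).
        .setInvalidatedByBiometricEnrollment(true)
        .build()
    KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEYSTORE).apply {
        init(spec)
        generateKey()
    }
}

fun getSecretKey(keyName: String = KEY_NAME): SecretKey {
    val keyStore = KeyStore.getInstance(ANDROID_KEYSTORE).apply { load(null) }
    return keyStore.getKey(keyName, null) as SecretKey
}

fun getCipher(): Cipher = Cipher.getInstance(
    "${KeyProperties.KEY_ALGORITHM_AES}/${KeyProperties.BLOCK_MODE_CBC}/${KeyProperties.ENCRYPTION_PADDING_PKCS7}")

// Step 2: start biometric authentication bound to the cipher.
fun encryptAfterBiometric(activity: FragmentActivity, plaintext: ByteArray,
                          onDone: (iv: ByteArray, ciphertext: ByteArray) -> Unit) {
    val cipher = getCipher()
    // init() succeeds now; the keystore only authorizes doFinal() once the prompt
    // reports success for this exact CryptoObject. init() throws
    // KeyPermanentlyInvalidatedException if the biometric set changed since keygen.
    cipher.init(Cipher.ENCRYPT_MODE, getSecretKey())

    val promptInfo = BiometricPrompt.PromptInfo.Builder()
        .setTitle("Biometric login for my app")
        .setSubtitle("Log in using your biometric credential")
        .setNegativeButtonText("Use account password")
        .setAllowedAuthenticators(BIOMETRIC_STRONG)  // CryptoObject requires a strong biometric
        .build()

    val prompt = BiometricPrompt(activity, ContextCompat.getMainExecutor(activity),
        object : BiometricPrompt.AuthenticationCallback() {
            // Step 3: the callback receives the authorized cipher and encrypts with it.
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                val authorizedCipher = result.cryptoObject?.cipher ?: return
                val ciphertext = authorizedCipher.doFinal(plaintext)
                onDone(authorizedCipher.iv, ciphertext)  // keep the IV; decryption needs it
            }

            override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
                // e.g. BiometricPrompt.ERROR_NEGATIVE_BUTTON when the user picks the fallback
            }
        })
    prompt.authenticate(promptInfo, BiometricPrompt.CryptoObject(cipher))
}
```

Always use the Cipher handed back in result.cryptoObject rather than a cached one: that instance is the one the keystore has authorized for this single operation.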

Authenticate using lock screen or biometric credentials

You can use a secret key that allows authentication using either biometric credentials or lock screen credentials (PIN, pattern, or password). When configuring this key, specify a validity period. During this period, your application may perform multiple cryptographic operations without the user needing to re-authenticate.

To encrypt sensitive information after a user authenticates with credentials on the lock screen or biometrics, complete the following steps:

  1. Generate a key using the following KeyGenParameterSpec configuration:

  2. During the VALIDITY_DURATION_SECONDS period after the user authenticates, encrypt the sensitive information:

Authenticate with an auth-per-use key

You can provide support for auth-per-use keys in your BiometricPrompt instance. Such a key requires the user to present biometric or device credentials each time your application needs to access data protected by that key. Auth-per-use keys can be useful for high-value transactions, such as making large payments or updating one's health records.

To associate the BiometricPrompt object with the auth-per-use key, add code similar to the following:
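One added Kotlin example (not the original post's code) covering both the timed-validity key from the previous section and the auth-per-use key from this one: the same key generator serves both, since on API 30+ the only difference is the timeout passed to setUserAuthenticationParameters() (0 means auth-per-use). Key aliases, VALIDITY_DURATION_SECONDS = 30, and the function names are my own; the API-30 requirement for combining a CryptoObject with DEVICE_CREDENTIAL is the androidx library's documented rule.

```kotlin
import android.os.Build
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import android.security.keystore.UserNotAuthenticatedException
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricManager.Authenticators.DEVICE_CREDENTIAL
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

// Constructed values for this example.
private const val ANDROID_KEYSTORE = "AndroidKeyStore"
private const val TIMED_KEY_NAME = "example_timed_key"
private const val PER_USE_KEY_NAME = "example_auth_per_use_key"
private const val VALIDITY_DURATION_SECONDS = 30
private const val TRANSFORMATION = "AES/CBC/PKCS7Padding"

/**
 * AES key unlockable by a strong biometric OR the screen lock.
 * validitySeconds > 0: usable for that long after any successful authentication.
 * validitySeconds == 0: auth-per-use, each operation bound to a prompt via CryptoObject.
 */
@Suppress("DEPRECATION")
fun generateUserAuthKey(keyName: String, validitySeconds: Int) {
    val builder = KeyGenParameterSpec.Builder(keyName,
        KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
        .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
        .setUserAuthenticationRequired(true)
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
        builder.setUserAuthenticationParameters(validitySeconds,
            KeyProperties.AUTH_BIOMETRIC_STRONG or KeyProperties.AUTH_DEVICE_CREDENTIAL)
    } else {
        // Pre-API-30: a positive value is a timed key; -1 (per-use) is biometric-only there.
        builder.setUserAuthenticationValidityDurationSeconds(
            if (validitySeconds > 0) validitySeconds else -1)
    }
    KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEYSTORE).apply {
        init(builder.build())
        generateKey()
    }
}

private fun loadKey(keyName: String): SecretKey =
    KeyStore.getInstance(ANDROID_KEYSTORE).apply { load(null) }.getKey(keyName, null) as SecretKey

private fun promptInfo(title: String) = BiometricPrompt.PromptInfo.Builder()
    .setTitle(title)
    // DEVICE_CREDENTIAL allowed, so no negative button: the system offers the screen lock.
    .setAllowedAuthenticators(BIOMETRIC_STRONG or DEVICE_CREDENTIAL)
    .build()

/** Timed key: encrypt directly; prompt only when the validity window has lapsed. */
fun encryptWithTimedKey(activity: FragmentActivity, plaintext: ByteArray,
                        onDone: (iv: ByteArray, ciphertext: ByteArray) -> Unit) {
    fun tryEncrypt(): Boolean = try {
        val cipher = Cipher.getInstance(TRANSFORMATION)
        cipher.init(Cipher.ENCRYPT_MODE, loadKey(TIMED_KEY_NAME))  // throws once the window expired
        onDone(cipher.iv, cipher.doFinal(plaintext))
        true
    } catch (e: UserNotAuthenticatedException) {
        false
    }
    if (tryEncrypt()) return
    BiometricPrompt(activity, ContextCompat.getMainExecutor(activity),
        object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                tryEncrypt()  // window is now open for VALIDITY_DURATION_SECONDS
            }
        }).authenticate(promptInfo("Confirm it's you"))  // no CryptoObject needed
}

/** Auth-per-use key: every operation is tied to exactly one prompt via a CryptoObject. */
fun encryptWithAuthPerUseKey(activity: FragmentActivity, plaintext: ByteArray,
                             onDone: (iv: ByteArray, ciphertext: ByteArray) -> Unit) {
    // The library only supports a CryptoObject together with DEVICE_CREDENTIAL from API 30.
    require(Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) { "needs API 30+" }
    val cipher = Cipher.getInstance(TRANSFORMATION)
    cipher.init(Cipher.ENCRYPT_MODE, loadKey(PER_USE_KEY_NAME))
    BiometricPrompt(activity, ContextCompat.getMainExecutor(activity),
        object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                val authorized = result.cryptoObject?.cipher ?: return
                onDone(authorized.iv, authorized.doFinal(plaintext))
            }
        }).authenticate(promptInfo("Approve this payment"), BiometricPrompt.CryptoObject(cipher))
}
```

Generate the keys once with generateUserAuthKey(TIMED_KEY_NAME, VALIDITY_DURATION_SECONDS) and generateUserAuthKey(PER_USE_KEY_NAME, 0). Catching UserNotAuthenticatedException is the practical way to detect that the window has expired; it is thrown by Cipher.init() for timed keys, so there is no need to track the timer yourself.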

Authentication without explicit user action

By default, the system requires the user to perform a specific action, such as pressing a button, after their biometric credentials are accepted. This configuration is preferable if your app is showing the dialog to confirm a sensitive or high-risk action, such as making a purchase.

However, if your app shows a biometric authentication dialog for a lower-risk action, you can provide a hint to the system that the user doesn't need to confirm. This hint can let users see content in your app faster after re-authenticating using a passive modality, such as face- or iris-based recognition. To provide this hint, pass false to the setConfirmationRequired() method.

The picture shows two versions of the same dialog. One version requires explicit user action and the other does not:

The following code snippet shows how to present a dialog that doesn’t require explicit user action to complete the validation process:
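An added Kotlin example (not the original post's code) that builds the prompt either way, keyed on how risky the action is; the function name, titles and the highRisk parameter are my own.

```kotlin
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricPrompt

/**
 * Low-risk actions (highRisk = false) skip the explicit "Confirm" tap, so a passive
 * modality such as face or iris unlocks immediately. High-risk actions keep the
 * default, which makes the user take a deliberate step after recognition.
 */
fun buildPromptInfo(highRisk: Boolean): BiometricPrompt.PromptInfo =
    BiometricPrompt.PromptInfo.Builder()
        .setTitle(if (highRisk) "Confirm payment" else "Unlock your notes")
        .setSubtitle("Use your biometric credential")
        .setNegativeButtonText("Cancel")      // required: no DEVICE_CREDENTIAL here
        .setAllowedAuthenticators(BIOMETRIC_STRONG)
        // A hint only: the system may still ask for confirmation, and for fingerprint
        // (already an explicit touch) the value makes no visible difference.
        .setConfirmationRequired(highRisk)
        .build()

// Usage: biometricPrompt.authenticate(buildPromptInfo(highRisk = false))
```

Deciding the flag per action, rather than once per app, keeps the fast path for reading content while a purchase or a settings change still gets a deliberate confirmation.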

Allow for fallback to non-biometric credentials

If you want your app to allow authentication using either biometric or device credentials, you can declare that your app supports device credentials by including DEVICE_CREDENTIAL in the set of values that you pass to setAllowedAuthenticators().

If your application currently uses createConfirmDeviceCredentialIntent() or setDeviceCredentialAllowed() to provide this capability, switch to using setAllowedAuthenticators() instead.

That's it for this article. Thank you for reading my article.


Source: Viblo