21

I am trying to create a authentication mechanism in my (cordova) app for android that will allow my users to sign in using a password and username, or allow them to scan their finger in order to sign in.

How can one verify a fingerprint registered on a client, server side? is this even possible at all using Cordova ? I tried transmitting the result of a finger scan to my server: this looked like:

FingerprintAuth.isAvailable(function(result) {
  if (result.isAvailable) {
    if(result.hasEnrolledFingerprints){
      FingerprintAuth.show({
        clientId: client_id,
        clientSecret: client_secret
      }, function (result) {
        alert(JSON.stringify(result));

        $http.post('http://192.168.149.33:3000/authorize', result).then(
          function(response) {}
        );

        if (result.withFingerprint) {
          $scope.$parent.loggedIn = true;
          alert("Successfully authenticated using a fingerprint");
          $location.path( "/home" );
        } else if (result.withPassword) {
          alert("Authenticated with backup password");
        }
      }, function(error) {
        console.log(error); // "Fingerprint authentication not available"
      });
    } else {
      alert("Fingerprint auth available, but no fingerprint registered on the device");
    }
  }
}, function(message) {
  alert("Cannot detect fingerprint device : "+ message);
});

Server side i am receiving the following data (3 seperate scans): 

{ withFingerprint: 't8haYq36fmBPUEPbVjiWOaBLjMPBeUNP/BTOkoVtZ2ZiX20eBVzZAs3dn6PW/R4E\n' }
{ withFingerprint: 'rA9H+MIoQR3au9pqgLAi/EOCRA9b0Wx1AvzC/taGIUc8cCeDfzfiDZkxNy5U4joB\n' }
{ withFingerprint: 'MMyJm46O8MTxsa9aofKUS9fZW3OZVG7ojD+XspO71LWVy4TZh2FtvPtfjJFnj7Sy\n' }

The patterns seems to vary every time, is there a way one can link the finger print to for example a pattern saved under a user on a database ?

Sonicd300
  • 1,950
  • 1
  • 16
  • 22
Mark Stroeven
  • 676
  • 2
  • 6
  • 24
  • I believe plugins should be the way to go for such implementations. Please check out this plugin - https://github.com/mjwheatley/cordova-plugin-android-fingerprint-auth – Gandhi Oct 01 '16 at 06:14
  • Hi mark I have a doubt?. How to get the clientid and client_secret? – HariKrishnan.P Feb 09 '17 at 20:56
  • @HariKrishnan.P I think you will have to dive in to native code for that. Or you could search for a cordova plugin wich interfaces that that native functionality. – Mark Stroeven Feb 22 '17 at 00:41
  • @Gandhi- I have already used above plugin but in which format we have to store fingerprint in db like.string or any image? – Kapil Soni Dec 18 '19 at 16:17

3 Answers3

14

Short answer

The strings returned by this API are not "fingerprint patterns". So you won't be able to authenticate the way you're thinking...

Long answer

Let's start by looking at the source code of the API it looks like you're using.

Looking at this file we see these methods:

public static void onAuthenticated(boolean withFingerprint) {
    JSONObject resultJson = new JSONObject();
    String errorMessage = "";
    boolean createdResultJson = false;
    try {

        if (withFingerprint) {
            // If the user has authenticated with fingerprint, verify that using cryptography and
            // then return the encrypted token
            byte[] encrypted = tryEncrypt();
            resultJson.put("withFingerprint", Base64.encodeToString(encrypted, 0 /* flags */));
        } else {
            // Authentication happened with backup password.
            resultJson.put("withPassword", true);

            // if failed to init cipher because of InvalidKeyException, create new key
            if (!initCipher()) {
                createKey();
            }
        }
        createdResultJson = true;

// ...

/**
 * Tries to encrypt some data with the generated key in {@link #createKey} which is
 * only works if the user has just authenticated via fingerprint.
 */
private static byte[] tryEncrypt() throws BadPaddingException, IllegalBlockSizeException {
    return mCipher.doFinal(mClientSecret.getBytes());
}

Look at what's being put to "withFingerprint". It's a Base64 encoding of the encrypted client secret. Technically, this is your authentication. You would use this token to authenticate requests and your server would decrypt and validate the client secret.

Summary

Fingerprinting adds a level of security, but it is not the only means of security. A relationship needs to be established with the device and server beforehand.

I found this diagram to be helpful in understanding the intent of android's fingerprint authentication (ref: http://android-developers.blogspot.com/2015/10/new-in-android-samples-authenticating.html)

enter image description here

souldzin
  • 1,428
  • 11
  • 23
1

You can't authenticate fingerprint on the server, fingerprints are stored or authenticated using Live Scan/Biometric template. Authentication is done by comparing the current scan template with previously stored templates

First of all you don't have access to these stored templates(Not provided by the OS providers/Phone Manufacturers) and If we assume that you have access to those templates, then an efficient algorithm (Image based /Pattern based ) is required to compare the current template with previously stored templates. You can't simply authenticate it by string comparison.

Vikas Sardana
  • 1,593
  • 2
  • 18
  • 37
-1

Use cordova-plugin-fingerprint-aio for fingerprint authentication .

For further info you can consult https://www.npmjs.com/package/cordova-plugin-fingerprint-aio .

kshitij agrawal
  • 149
  • 1
  • 5