-2

I've successfully established fingerprint authentication in my app. However, when I add a new fingerprint in my Android settings, the fingerprint sensor does not respond in my app (the scanner still works correctly for unlocking my phone). Am I missing something important there?

Phantômaxx
oleg.v
  • 2
    `Am i missing something important there?` Yes: posting your code. – Phantômaxx Oct 14 '17 at 18:11
  • I just wanted to know about the principle behind this, why the sensor is blocked in general. My fingerprint authentication flow is working as expected, so I believe there should be something I do not know about fingerprint security, which leads to the sensor block. – oleg.v Oct 14 '17 at 20:28
  • But where is your effort in all this? – Phantômaxx Oct 14 '17 at 20:51

1 Answer

1

Yes, you are missing something very important. It's a security case. There is no possibility to read fingerprint-secured data after you add a new fingerprint, so everything works as it should.

I hope I was helpful :)

Karol Kulbaka
  • Can you please explain a bit further on this or give any useful links? Right now I do not see any possible vulnerability in this case. The user should pass some security method (passwords, PINs or graphical pattern) to add a new fingerprint, so why does Android block the sensor after adding one? – oleg.v Oct 14 '17 at 20:24
  • 1
    Android does not block the sensor after adding new fingerprints. Without code I can only guess that you get an exception when you try to initialize the cipher after adding a new finger. In the end the sensor is not blocked - it's just not started monitoring. – Karol Kulbaka Oct 15 '17 at 04:46
  • As I was expecting, this is the Android Keystore restriction, as @Karol mentioned (https://developer.android.com/training/articles/keystore.html): `User authentication authorizes a specific cryptographic operation associated with one key. In this mode, each operation involving such a key must be individually authorized by the user. Such keys can only be generated or imported if at least one fingerprint is enrolled. These keys become permanently invalidated once a new fingerprint is enrolled or all fingerprints are unenrolled.` – oleg.v Oct 15 '17 at 14:31
  • 1
    On API level 24+ you can control this behavior with `setInvalidatedByBiometricEnrollment`. – Michael Oct 18 '17 at 12:07
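
The behaviour discussed in this thread, as an added example that is not code from any of the posts: an authentication-bound Android Keystore key is created, and the `KeyPermanentlyInvalidatedException` raised by `Cipher.init` after a new fingerprint is enrolled is handled by discarding the key, so the app can fall back to its primary credential before re-enabling fingerprint login. The class name `FingerprintKeyHelper` and the alias `fp_demo_key` are hypothetical.

```java
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public final class FingerprintKeyHelper {
    private static final String KEY_ALIAS = "fp_demo_key"; // hypothetical alias
    private static final String TRANSFORMATION = "AES/CBC/PKCS7Padding";

    /** Creates an auth-bound AES key; fails if no fingerprint is enrolled. */
    static void createKey() throws GeneralSecurityException {
        KeyGenParameterSpec.Builder spec = new KeyGenParameterSpec.Builder(
                KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
                .setUserAuthenticationRequired(true);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.N) {
            // API 24+: true is the platform default; stated explicitly so the
            // choice is visible. Passing false keeps the key usable after a
            // new enrollment, which weakens the binding to enrolled fingers.
            spec.setInvalidatedByBiometricEnrollment(true);
        }
        KeyGenerator generator = KeyGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        generator.init(spec.build());
        generator.generateKey();
    }

    /** Returns a Cipher for a CryptoObject, or null if the key is missing or invalidated. */
    static Cipher initCipherOrNull() throws GeneralSecurityException, IOException {
        KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
        keyStore.load(null);
        SecretKey key = (SecretKey) keyStore.getKey(KEY_ALIAS, null);
        if (key == null) return null;
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        try {
            cipher.init(Cipher.ENCRYPT_MODE, key);
            return cipher;
        } catch (KeyPermanentlyInvalidatedException e) {
            // Enrollment changed: the key can never be used again. Remove it;
            // the caller should ask for the password/PIN, then call createKey().
            keyStore.deleteEntry(KEY_ALIAS);
            return null;
        }
    }
}
```

A `null` return is the signal to skip starting the fingerprint listener and show the primary login instead, which is the "sensor does not respond" symptom from the question when the exception goes unhandled.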