1

I am facing issue with Fingerprint authentication, actually, I have integrated Fingerprint Authentication in my app and working fine except one case.

I have set up two Fingerprint in my device, after initializing KeyGenerator with Fingerprint KEY, I have removed one Fingerprint from device and come back to my app and performing Fingerprint Auth it is working fine. I don't know why it is not triggering InvalidKeyException as like adding Fingerprint works. Is this expected behavior or any bug with OS?

Device Details are below,

Device : Pixel

OS: Android 8.0

Code of my implementation follows,

protected void generateKey() {
       try {
           keyStore = KeyStore.getInstance("AndroidKeyStore");
       } catch (Exception e) {
           e.printStackTrace();
       }


       KeyGenerator keyGenerator;
       try {
           keyGenerator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
       } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
           throw new RuntimeException("Failed to get KeyGenerator instance", e);
       }


       try {
           keyStore.load(null);
           keyGenerator.init(new
                   KeyGenParameterSpec.Builder(KEY_NAME,
                   KeyProperties.PURPOSE_ENCRYPT |
                           KeyProperties.PURPOSE_DECRYPT)
                   .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                   .setUserAuthenticationRequired(true)
                   .setEncryptionPaddings(
                           KeyProperties.ENCRYPTION_PADDING_PKCS7)
                   .build());
           keyGenerator.generateKey();
       } catch (NoSuchAlgorithmException |
               InvalidAlgorithmParameterException
               | CertificateException | IOException e) {
           throw new RuntimeException(e);
       }
   }

 public boolean cipherInit() {
       try {
           cipher = Cipher.getInstance(KeyProperties.KEY_ALGORITHM_AES + "/" + KeyProperties.BLOCK_MODE_CBC + "/" + KeyProperties.ENCRYPTION_PADDING_PKCS7);
       } catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
           throw new RuntimeException("Failed to get Cipher", e);
       }


       try {
           keyStore.load(null);
           SecretKey key = (SecretKey) keyStore.getKey(KEY_NAME,
                   null);
           cipher.init(Cipher.ENCRYPT_MODE, key);
           return true;
       } catch (KeyPermanentlyInvalidatedException e) {
           return false;
       } catch (KeyStoreException | CertificateException | UnrecoverableKeyException | IOException | NoSuchAlgorithmException | InvalidKeyException e) {
           throw new RuntimeException("Failed to init Cipher", e);
       }
   }
}

I have already tried with few posts(How to detect the removal fingerprint in Android?, Android Fingerprint API and Private/Public keys, Android Key Invalidation when Fingerprints removed), nothing helped me to get rid of it.

Phantômaxx
  • 37,901
  • 21
  • 84
  • 115
SathishKumar
  • 1,644
  • 1
  • 14
  • 28

1 Answers1

2

Your code is not strictly tied to fingerprints. All it has that is somewhat related is:

setUserAuthenticationRequired(true)

That says that the key that you are creating in the AndroidKeyStore requires user authentication. It does not say anything about fingerprints.

If the user has fingerprints registered, the user could use a fingerprint to authenticate for the purposes of using this key. That would be for any fingerprint registered by the user, and in your case, you still have a registered fingerprint (even after the user removed the second fingerprint). Also, the user does not have to use a fingerprint to authenticate — they could use their passphrase, PIN, or pattern, if they choose.

Is this expected behavior or any bug with OS?

This is expected behavior.

CommonsWare
  • 986,068
  • 189
  • 2,389
  • 2,491
  • Thank you so much for the brief detail and is there any way to identify the Fingerprint deletion? – SathishKumar Apr 22 '18 at 08:42
  • @SathishKumar: I do not think so. – CommonsWare Apr 22 '18 at 08:45
  • Okay, Thank you. – SathishKumar Apr 22 '18 at 08:46
  • 1
    _"Also, the user does not have to use a fingerprint to authenticate — they could use their passphrase, PIN, or pattern, if they choose."_ Not unless `setUserAuthenticationValidityDurationSeconds` was used to allow multiple uses of the key per authentication within a given time frame. Otherwise the documentation states _"Currently, the only means of such authorization is fingerprint authentication"_. – Michael Apr 26 '18 at 11:13
  • Not true, when setUserAuthenticationRequired is set to true, then Keystore key is invalidated and key cannot be used anymore. Please refer to documentation. – Rambo's son Sep 26 '19 at 09:04
  • I'm not sure if "even after the user removed the second fingerprint" is true. https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec.Builder#setInvalidatedByBiometricEnrollment(boolean) setInvalidatedByBiometricEnrollment (boolean invalidateKey) By default, invalidateKey is true, so keys that are valid for biometric authentication only are irreversibly invalidated when a new biometric is enrolled, or when all existing biometrics are deleted. That may be changed by calling this method with invalidateKey set to false. – rewgoes May 06 '20 at 22:44