
These days, almost all the mobiles being launched have fingerprint scanners built in. We can definitely authenticate the user at phone level (apps like Google Pay use it), but is it possible to use the mobile's fingerprint scanner as a biometric device for authentication at server level? If yes, how can that be implemented? If not, why is it not possible and what can be done to smooth this process?

  • It sounds like you're asking about CTAP / WebAuthn / [**FIDO2**](https://fidoalliance.org/fido2/), which will allow for this. – Obsidian Age Aug 30 '19 at 02:07
  • Phone could be hacked or stolen. Traffic between server and phone can be attacked. Phone can be one of the auth factors but not suitable to be the only one – James Li Aug 30 '19 at 02:18
  • As far as I know the API only exposes the result: user puts the finger on the sensor, you get true or false – cutiko Aug 30 '19 at 02:20
  • @cutiko if that is the case, we can add 5-6 fingerprints in a device. Is it possible to at least retrieve that particular id or name with which it made a match? – Rohith Ravi Teja Kilaparthi Aug 30 '19 at 02:26
  • It's not clear exactly what you mean by _"authentication it at server level"_. If you mean verifying server-side that the user has authenticated using their fingerprint, then yes, of course you can do that: create a keypair that requires fingerprint authentication and send the public key to the server. When you do your authentication, request some random data from the server and create a `Signature` object that will use the private key from your keypair. After the user has unlocked the private key using their fingerprint, sign the data you got from the server and send the result to the server. – Michael Sep 03 '19 at 11:23
  • And of course, anyone who has their fingerprint enrolled on the device can unlock the private key. You don't get any information about which specific fingerprint that was used. – Michael Sep 03 '19 at 11:25

3 Answers

I think it would be much better if you use an external biometric device instead of the fingerprint scanner on the mobile. You can follow How to Set Up Biometric Authentication in Android or Fingerprint Authentication using Android's Biometric API.

Dileep XDN

Yes, you can achieve it at server level.

If you have access to the fingerprint scanner of the device then you can get the fingerprint address/code of the user, which can be stored on your server. The next time the user tries to log in, use some mini-system or function based on the environment you're working on to check if the value sensed by the sensor equals the value stored at your server and provide the access accordingly.

However, I still recommend not using any such feature for server authorization.

But I doubt if this method will be accurate... I would recommend researching how fingerprint sensors work in order to not give your users a hard time.

Mohit Shetty

You should probably look into the `authenticate(CryptoObject)` methods of `FingerprintManager` (deprecated) and `BiometricPrompt`, which integrate with `KeyStore`. The supported cryptographic operations include `Mac`, `Cipher`, and `Signature`.

I'm not sure how your server/client architecture works specifically, but you can generate keys that are only usable after a user has authenticated with biometrics.

Here's a sample app with a few examples.

Kevin
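Michael's comments on the question and Kevin's answer describe the same scheme: the server never sees the fingerprint, only a signature made with a device key that the biometric unlocks. As an added example (not code from this thread or from Android), here is the server side of that challenge/response in Go, with a stand-in for the phone's signing step; the Android KeyStore and `BiometricPrompt` plumbing is assumed and not shown, the key is generated in memory, and the user name and 32-byte nonce size are illustrative choices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Server keeps one enrolled device public key per user plus that user's outstanding challenge.
type Server struct {
	enrolled   map[string]*ecdsa.PublicKey // public half of each device keypair, uploaded once at registration
	challenges map[string][]byte           // nonce issued for the current login attempt, if any
}

// Challenge issues 32 fresh random bytes that the device must sign for this login attempt.
func (s *Server) Challenge(user string) []byte {
	nonce := make([]byte, 32)
	rand.Read(nonce) // crypto/rand.Read fills the slice fully; since Go 1.24 it never returns an error
	s.challenges[user] = nonce
	return nonce
}

// Verify checks the signature against the enrolled key and consumes the challenge so it cannot be replayed.
func (s *Server) Verify(user string, sig []byte) bool {
	pub, ok := s.enrolled[user]
	nonce, has := s.challenges[user]
	if !ok || !has {
		return false
	}
	delete(s.challenges, user) // single use, whether or not the signature checks out
	return ecdsa.VerifyASN1(pub, digest(nonce), sig)
}

func digest(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

// DeviceSign stands in for the phone: in a real app the private key sits in the Android KeyStore
// with user authentication required and is unlocked through BiometricPrompt (assumed, not shown).
func DeviceSign(priv *ecdsa.PrivateKey, nonce []byte) []byte {
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, digest(nonce))
	return sig
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed in-memory device key
	srv := &Server{enrolled: map[string]*ecdsa.PublicKey{}, challenges: map[string][]byte{}}
	srv.enrolled["alice"] = &priv.PublicKey // enrollment: only the public key reaches the server
	sig := DeviceSign(priv, srv.Challenge("alice"))
	fmt.Println("login:", srv.Verify("alice", sig), "replay:", srv.Verify("alice", sig))
}
```

The second `Verify` call fails because the nonce was consumed, which is what stops a captured signature from being reused; any information about which enrolled finger was used is, as Michael notes, simply not available to either side.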