I want to create an application (school project) that makes sure the original user is on their phone. I was thinking about a log-in screen with username and password, and once you are successfully logged in you have to use your fingerprint and send it to the database so it can compare it to the user's "registered" fingerprint. So I'm curious: what does the fingerprint scanner provide you with? Is it a hashed value? (If yes, that would be even easier for the personal data part, since I won't have a problem with keeping something in my database I can't use.) Or is there a better way to confirm that the original user has logged in?
-
This has been asked several times before. Android's fingerprint API doesn't give you the actual fingerprint, or anything derived from the fingerprint. If you need that sort of functionality you'll have to buy some kind of external fingerprint scanner. – Michael Dec 27 '19 at 19:06
-
So then, is there a way to decline someone that recently changed their fingerprint? – Dec 27 '19 at 19:11
-
Does this answer your question? [Fingerprint scanner in Android](https://stackoverflow.com/questions/42341964/fingerprint-scanner-in-android) – Omar Bahareth Dec 27 '19 at 19:14
-
I'm not sure what _"someone that recently changed their fingerprint"_ means. – Michael Dec 27 '19 at 19:15
-
I'll give you an example: let's say I own a phone and I have used my fingerprint. I can log in to this app only by using the fingerprint. So now I change the fingerprint and add the fingerprint of my friend; I will still be able to log in, right? So then how do I stop that from happening? I want to make sure that it's the original owner of the phone. – Dec 27 '19 at 19:16
-
I still don't understand what _"change"_ means here. You can add and remove fingerprints, but you're not changing any fingerprints. Whether you'd still be able to authenticate after adding your friend's fingerprint depends on how you've implemented the login process. Android supports creating cryptographic keys that require fingerprint authentication to use, and which get permanently invalidated whenever a new fingerprint is added. – Michael Dec 27 '19 at 19:27
-
Yeah, sorry, that's what I meant by "change": add/remove. Is there an example of that way of authentication? – Dec 27 '19 at 19:30
1 Answer
You are talking about two different things. If you want to ensure that the subsequent users of your app are the same as the first user of your app, then you could force the user to login the first time, save that info into an encrypted keystore. Then, force subsequent users to login and compare their credentials to the decrypted credentials you stored in the keystore.
Or, if you just want to see if the person is the phone's owner, you can check to see if they have biometric authentication enabled and if they do, authenticate with that and if passed, then it's likely the phone's owner.
If you are just trying to verify if the person using the app is the phone's owner, then the biometric authentication is probably the easiest choice, but be aware that not all users enable biometric authentication, or load it with their fingerprints or facial image, or that not all devices have biometric sensors.
If you need to use their credentials, say, to send to an API to login to an account, the best way is to use an encrypted keystore.
The flow would be something like this. App starts and reads from its encrypted keystore looking for a particular key. If the key is not found, the user has never logged in before, so, prompt them to enter their user id and password. Once entered, validate it by calling the API and logging in to the account. If validated, then write the username and password into the encrypted keystore. On future startups, the key will be found and you can decrypt the encrypted credentials and pass them along to the API to login to the account immediately, or, you can force them to enter the credentials again and compare with what was saved the first time (but users hate to have to re-enter their credentials every single time they use an app).

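The two pieces above fit together: the comment thread describes Android Keystore keys that need a fresh biometric authentication for every use and are permanently invalidated when a new fingerprint is enrolled, and the answer describes sealing the first-login credential so later launches can unlock it instead of re-prompting. The Kotlin below is an added example written for this page, not code from the question, the answer or any Android documentation. It uses the real Android Keystore and AndroidX `androidx.biometric` APIs; the key alias `login_session_key`, the `SealedSecret` holder, the `StartupState` type and the callback names are assumptions for illustration. It seals whatever the API returns after the username/password login (a server-issued session token is a better choice than the raw password the answer mentions, because a token can be revoked server-side). Note the caveat: this proves the enrolled biometric set has not changed since the secret was sealed, not who the person is. A friend enrolled before the first login still passes, and a phone with no biometrics enrolled gets no key at all, so the password path must always remain.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

private const val KEY_ALIAS = "login_session_key"      // assumed alias, pick your own
private const val TRANSFORMATION = "AES/GCM/NoPadding"
private const val ANDROID_KEYSTORE = "AndroidKeyStore"

/** IV plus ciphertext of the credential/token the API handed back at first login. Persist in app-private storage. */
data class SealedSecret(val iv: ByteArray, val ciphertext: ByteArray)

sealed class StartupState {
    object NeedsFullLogin : StartupState()               // nothing sealed, or the key was invalidated
    class CanUnlock(val cipher: Cipher) : StartupState() // show the biometric prompt, then decrypt
}

private fun keyStore() = KeyStore.getInstance(ANDROID_KEYSTORE).apply { load(null) }

private fun loadKey(): SecretKey? = keyStore().getKey(KEY_ALIAS, null) as? SecretKey

/** AES key that never leaves the keystore, needs a biometric auth per use, and dies on new enrollment (API 24+). */
private fun createKey(): SecretKey {
    val spec = KeyGenParameterSpec.Builder(
        KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setUserAuthenticationRequired(true)        // each use must go through BiometricPrompt
        .setInvalidatedByBiometricEnrollment(true)  // adding/removing a fingerprint invalidates the key
        .build()
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEYSTORE)
        .apply { init(spec) }.generateKey()
}

/** Decide at app start whether the sealed secret can still be unlocked or the user must log in again. */
fun startupState(stored: SealedSecret?): StartupState {
    val key = loadKey()
    if (stored == null || key == null) return StartupState.NeedsFullLogin
    return try {
        val cipher = Cipher.getInstance(TRANSFORMATION)
        cipher.init(Cipher.DECRYPT_MODE, key, GCMParameterSpec(128, stored.iv))
        StartupState.CanUnlock(cipher)
    } catch (e: KeyPermanentlyInvalidatedException) {
        // Biometric enrollment changed since sealing: the secret is unrecoverable by design.
        // Remove the dead key and force the full username/password login.
        keyStore().deleteEntry(KEY_ALIAS)
        StartupState.NeedsFullLogin
    }
}

/** Run the biometric prompt with the cipher attached; the cipher only becomes usable on success. */
private fun promptWithCipher(
    activity: FragmentActivity, cipher: Cipher,
    onCipherReady: (Cipher) -> Unit, onFailure: () -> Unit
) {
    val callback = object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
            result.cryptoObject?.cipher?.let(onCipherReady) ?: onFailure()
        }
        override fun onAuthenticationError(errorCode: Int, errString: CharSequence) = onFailure()
    }
    val info = BiometricPrompt.PromptInfo.Builder()
        .setTitle("Confirm it's you")
        .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)
        .setNegativeButtonText("Cancel")
        .build()
    BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
        .authenticate(info, BiometricPrompt.CryptoObject(cipher))
}

/** After the API accepted username/password, seal the returned secret under a fresh biometric-bound key. */
fun sealAfterLogin(
    activity: FragmentActivity, secret: ByteArray,
    onSealed: (SealedSecret) -> Unit, onFailure: () -> Unit
) {
    val cipher = Cipher.getInstance(TRANSFORMATION)
    cipher.init(Cipher.ENCRYPT_MODE, loadKey() ?: createKey()) // keystore picks the IV
    promptWithCipher(activity, cipher, { c -> onSealed(SealedSecret(c.iv, c.doFinal(secret))) }, onFailure)
}

/** On a later launch, unlock the sealed secret; a wrong finger or a cancelled prompt never yields it. */
fun unsealOnStartup(
    activity: FragmentActivity, state: StartupState.CanUnlock, stored: SealedSecret,
    onSecret: (ByteArray) -> Unit, onFailure: () -> Unit
) {
    promptWithCipher(activity, state.cipher, { c -> onSecret(c.doFinal(stored.ciphertext)) }, onFailure)
}
```

Flow: on first run `startupState(null)` returns `NeedsFullLogin`, so show the username/password screen, call the API, and pass what it returns to `sealAfterLogin`. On later runs call `startupState(stored)`; `CanUnlock` means prompt and decrypt with `unsealOnStartup`, `NeedsFullLogin` means the friend-enrolled-a-fingerprint case from the comments has been detected (or nothing was ever sealed) and the password screen comes back. The GCM tag check in `doFinal` fails if the stored blob was tampered with, so treat an `AEADBadTagException` there the same as `NeedsFullLogin`.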