
I have an application which has a PIN/lock screen. In order to open the app, the user needs to enter his PIN code (which he had set up before in the app).

I want to add a Biometric option -> instead of entering the PIN, just place your fingerprint. However, you should still have an option to use the PIN as a fallback. Exactly the same as Revolut, LastPass or a bunch of other banking apps. Pretty straightforward, right?

I've looked at the new Biometric API and it does not support fallback to a custom PIN/password (only fallback to the lock screen). I could somehow add that manually (when the user cancels the dialog), but this creates poor UX (switching from a Google-style dialog to an app-style screen). Also, the Google dialog has a transparent background (which could reveal sensitive information), so I would need to put it in a separate blank activity (again, a poor experience). I wonder how banking apps are planning to migrate to that?

Should I do this the old way (FingerprintManager)? Is fallback to the device lock safe enough? If someone knows your phone PIN, he could access all of your apps.

rafakob
  • I think the way WhatsApp implemented it is good. "However you should still have an option to use the PIN as fallback." - that totally depends upon the application you are building. As you know, WhatsApp doesn't have the fallback option, which I think is a security concern. They must have implemented it in a custom way and not using the Google biometric API. The screen is full, which is a plus for you since you don't want to reveal the sensitive information in the background. – Aman Verma Jan 09 '20 at 14:49
  • _"I could somehow add that manually (when user cancels the dialog) but this creates poor UX (switching from Google style dialog to app style screen)."_ To me that sounds desirable. If the UI looked like the normal device lock screen, the user might think they're supposed to enter the device unlock PIN instead of the application PIN. – Michael Jan 09 '20 at 15:00
  • @rafakob _"I could somehow add that manually (when user cancels the dialog) but this creates poor UX (switching from Google style dialog to app style screen)."_ I want to do it the same way, but my concern is: while checking `errorCode == ERROR_NEGATIVE_BUTTON` in `onAuthenticationError`, do I need to create my own DialogPopUp which will have email/username and password EditTexts? – Maulik Dodia Jan 19 '21 at 12:16

1 Answer

Have you looked at this blog post? Or that one? The AndroidX Biometrics Library provides a method called setNegativeButtonText() that provides an option for using an account/app credential if the user doesn't want to use biometrics.

And then in the callback you would do:

override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
    super.onAuthenticationError(errorCode, errString)
    Log.d(TAG, "$errorCode :: $errString")
    // The negative button is labelled "use application/account password", so honour that choice
    if (errorCode == BiometricPrompt.ERROR_NEGATIVE_BUTTON) {
        loginWithAppAccountCredentials()
    }
}

Also when your user clicks the login button in your UI, your onClick could look like this:

override fun onClick(view: View) {
    val promptInfo = createPromptInfo()
    // Only show the biometric prompt when the device can actually authenticate with biometrics
    if (BiometricManager.from(context).canAuthenticate() == BiometricManager.BIOMETRIC_SUCCESS) {
        biometricPrompt.authenticate(promptInfo, cryptoObject)
    } else {
        loginWithAppAccountCredentials() // no usable biometrics: fall back to app credentials
    }
}
Isai Damier
  • What do you mean by `Because negative button says use application/account password`? Does the user have to log in with the app's credentials? Or does the user have to log in with his/her device's PIN/password/pattern? Do I need to create my own DialogPopUp while handling the `BiometricPrompt.ERROR_NEGATIVE_BUTTON` callback? – Maulik Dodia Jan 19 '21 at 12:02
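Putting the answer's pieces together as an added example (not the question's or the answer's own code, assuming androidx.biometric 1.1.0 or newer and a FragmentActivity): the negative button routes to the app's own PIN screen, the device PIN is never accepted as a fallback, and the app secret is released only through a Keystore key that the biometric unlocks, so dismissing or faking the dialog in app code yields nothing to decrypt. The key `alias`, the `onUnlocked` callback and `showAppPinScreen()` are hypothetical; `iv`/`ciphertext` are the app secret wrapped earlier with the same key (for example when the PIN was set up).

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// Added example (not the question's or answer's code); alias, onUnlocked and showAppPinScreen() are hypothetical.
class BiometricUnlock(private val activity: FragmentActivity, private val onUnlocked: (ByteArray) -> Unit) {
    private val alias = "app_unlock_key"
    private val strong = BiometricManager.Authenticators.BIOMETRIC_STRONG
    // AES key the Keystore only lets a cipher use right after a successful biometric; on API 24+ a new enrollment invalidates it by default.
    private fun unlockKey(): SecretKey {
        val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
        (ks.getKey(alias, null) as? SecretKey)?.let { return it }
        val spec = KeyGenParameterSpec.Builder(alias, KeyProperties.PURPOSE_DECRYPT)
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setUserAuthenticationRequired(true)
            .build()
        return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore").apply { init(spec) }.generateKey()
    }
    fun start(iv: ByteArray, ciphertext: ByteArray) {
        // No Class 3 biometric available or enrolled: go straight to the app's own PIN screen.
        if (BiometricManager.from(activity).canAuthenticate(strong) != BiometricManager.BIOMETRIC_SUCCESS) return showAppPinScreen()
        val cipher = Cipher.getInstance("AES/GCM/NoPadding").apply { init(Cipher.DECRYPT_MODE, unlockKey(), GCMParameterSpec(128, iv)) }
        val callback = object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                // Only this path can decrypt: the Keystore authorised the cipher, not a boolean in app code.
                onUnlocked(result.cryptoObject!!.cipher!!.doFinal(ciphertext))
            }
            override fun onAuthenticationError(errorCode: Int, errString: CharSequence) = when (errorCode) {
                // "Use app PIN" tapped, or too many failed attempts: fall back to the app PIN, never the device PIN.
                BiometricPrompt.ERROR_NEGATIVE_BUTTON, BiometricPrompt.ERROR_LOCKOUT, BiometricPrompt.ERROR_LOCKOUT_PERMANENT -> showAppPinScreen()
                else -> Unit   // cancelled, timeout, etc.: stay on the lock screen
            }
        }
        val info = BiometricPrompt.PromptInfo.Builder()
            .setTitle("Unlock").setNegativeButtonText("Use app PIN")
            .setAllowedAuthenticators(strong)   // no DEVICE_CREDENTIAL, so the phone PIN cannot open the app
            .build()
        BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback).authenticate(info, BiometricPrompt.CryptoObject(cipher))
    }
    private fun showAppPinScreen() { /* hypothetical: navigate to the app's own PIN entry screen */ }
}
```

Because the dialog is drawn by the system over the calling activity, the lock screen that starts `BiometricUnlock` should itself hide sensitive content, which is the blank-activity concern raised in the question.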