1

Android has been deprecating FingerprintManager in favor of BiometricManager since the end of 2019. The update is great news for developers and designers, as they no longer need to solve much of the tedious biometrics design and behavior themselves.

However...

  • This prevents developers from avoiding less secure biometric options; the only workaround seems to be falling back to FingerprintManager in order to ensure a secure authentication method is used. Case in point: unlike Apple, Samsung did not solve Facial Recognition properly, and security concerns force companies to not recognize all biometrics as equally secure.

https://edit.theappbusiness.com/androidx-biometricprompt-vs-fingerprintmanager-the-good-and-the-ugly-c15a1b3a67d7

Manufacturers like Samsung warn you about face recognition not being a strong check as the device can be tricked with a picture. What if you are developing a banking app and concerned about the security and reliability of these new biometric authentication methods? What if you are designing and building an app that has to work just with fingerprints? Then the FingerprintManager comes into play.

However, if you are concerned about the security of these new biometrics or have a design constraint and you want to restrict the biometric authentication to use just fingerprints, your best solution is to use the deprecated FingerprintManager.

  • In other news, Pixel 4 does not support Fingerprint authentication and instead implemented a secure Face ID technology that is able to be used by a variety of banking apps including Google Pay, etc.

https://www.androidcentral.com/why-google-dropped-fingerprint-sensor-and-why-thats-bad-thing

As you reach for Pixel 4, Soli proactively turns on the face unlock sensors, recognizing that you may want to unlock your phone. If the face unlock sensors and algorithms recognize you, the phone will open as you pick it up, all in one motion. Better yet, face unlock works in almost any orientation—even if you're holding it upside down—and you can use it for secure payments and app authentication too.

The new best practice and the newer phones sound great, but this complicates things when various OEMs implement insecure biometrics. How are we, as application developers, supposed to be handling this conundrum?

Nmk
Aki

2 Answers

2

Starting with Android 11 we can check for the Biometrics Authentication strength defined by BiometricManager.Authenticators. The Authenticators define whether the biometric is strong or weak.

You can learn more about it at the following link:

BiometricManager.Authenticators

As of now, only the developer preview of Android 11 is out, so I am not sure how the final version of the Biometrics will be.

Quoted from Android developers blog,

Android 11 Biometrics

You can learn more about the features in developer preview here,

Android 11 developer Preview

Saikrishna Rajaraman
  • Great addition, so we can request to have strong biometrics used for more sensitive apps. Problem solved! – Aki Mar 16 '20 at 01:26
  • Is there a workaround for Android 10? Because Secretkey generation is not allowed when biometric is weak. To know if biometric is weak, the only option now is to catch the exception thrown. – abhishek maharajpet Jul 10 '20 at 05:55
0

The Authenticators interface has constants that define if a biometric is weak or strong.