
I am using the AndroidX Biometric library for face and fingerprint authentication. When only Face ID is registered and I try to create a secret key, I get "IllegalStateException: At least one biometric must be enrolled to create keys that require user authentication".

I am trying to create the secretKey like this:

    try {
        // assumed: the snippet did not show where mKeyGenerator comes from; an AES
        // generator backed by the Android Keystore is the usual source
        mKeyGenerator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        mKeyGenerator.init(new KeyGenParameterSpec.Builder(KEY_NAME,
                KeyProperties.PURPOSE_ENCRYPT |
                        KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                // Require the user to authenticate with a fingerprint to authorize every use
                // of the key
                .setUserAuthenticationRequired(true)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
                .build());
        // generateKey() is what throws the (unchecked) IllegalStateException when no
        // usable biometric or credential is enrolled; it is not caught below
        secretKey = mKeyGenerator.generateKey();
    } catch (NoSuchAlgorithmException | NoSuchProviderException
            | InvalidAlgorithmParameterException e) {
        // CertificateException and IOException are not thrown by this try body
        // (there is no KeyStore.load() here), so catching them would not compile
        Toast.makeText(this, "Create Key " + e.getLocalizedMessage(), Toast.LENGTH_LONG).show();
    }

The code works fine when a fingerprint is registered. This happens only when Face ID is registered. What am I missing here?

abhishek maharajpet

  • Just because a device supports face recognition doesn't automatically mean that it can be used to allow access to keystore keys to third-party applications. For that to be supported, certain requirements have to be met, as specified in [the Android CDD](https://source.android.com/compatibility/10/android-10-cdd). Note that this is beyond your control as an app developer, at least until Android R, which allows you to trust _Weak_ biometrics if you should choose to do so. – Michael Jul 09 '20 at 12:42
  • @Michael I understand. The error thrown should be wrong because it says at least one biometric must be enrolled (I have already registered Face ID). – abhishek maharajpet Jul 09 '20 at 12:47
  • How does the same piece of code work when both Fingerprint and Face ID are registered on the same device? – abhishek maharajpet Jul 09 '20 at 12:49
  • Well, if the face detection on the device you're testing on is considered _Weak_ (which may be the case for pretty much every Android device right now except the Pixel 4), then from the point of view of the Biometric API you don't have any usable biometrics enrolled. – Michael Jul 09 '20 at 12:51
  • If there are multiple types of biometrics that could be used, then it's my understanding that the user will be able to select their preferred biometric somehow (e.g. in the Settings app). Your app doesn't really have any control over what is used (except for the _Strong_ vs _Weak_ distinction on Android R). – Michael Jul 09 '20 at 12:55
  • @Michael Is there a way to check if an enrolled biometric is Weak, or do we just need to go with the exception? – abhishek maharajpet Jul 09 '20 at 12:55
  • There is a catch here. If the user has enrolled both, he gets a prompt to select any one for authentication. Users can choose FaceId and authenticate, even though it was considered Weak. – abhishek maharajpet Jul 09 '20 at 13:00
  • That sounds like a bug in the implementation of the BiometricPrompt (or perhaps in an OEM customization). You may want to file a bug report with the responsible company. – Michael Jul 09 '20 at 13:05
  • Got the reason for the bug here: it was due to not passing the crypto object while authenticating with the biometric prompt. If it is passed, the biometric API will not use unsecured biometrics; if the crypto object is not passed, it will show all available biometrics. – abhishek maharajpet Jul 24 '20 at 09:03

1 Answer

Got the issue here. It's all got to do with the setting of .setUserAuthenticationRequired(true).

If this is set to true while generating a key, that means at least one secure biometric, unlock PIN or pattern must be enrolled. Since it was set to true and only unsecured authentication methods were present, the error "At least one biometric must be enrolled to create keys that require user authentication" was thrown.

Note: Face ID on Samsung is considered unsecured as of now. That was the reason for the above issue.

abhishek maharajpet