How to use android biometrics with firebase email authentication?

Question

I'm trying to use firebase email authentication and enable biometrics.

The solution I am able to come to is:

1. enable biometrics and get the fingerprint token
2. encrypt the user's username+password with this token
3. store the encrypted username+password in app storage
4. when user authenticates using biometrics, app decrypts stored username+password and logs in firebase.

The issue is of-course the difficult choice of storing encrypted username+password locally.

Is there any better alternative like

• saving an encrypted firebase token instead of username+password?
• saving the token in a server?

How do professional apps do it with firebase?

Answer 1

Use Symmetric & Asymmetric keys concept with Android keystore

Follow the Salesforce Mobile SDKs strategy in using the Android Keystore (more details here:https://developer.salesforce.com/docs/atlas.en-us.mobile_sdk.meta/mobile_sdk/auth_secure_key_storage_android.htm)

To summarize the steps :

1. The application upon installation and first run creates an asymmetric key pair and a symmetric key
2. The application stores the asymm. keys in the Android Key Store. Key Store access is granted only when the user unlocks phone (e.g. w/ pin code or biometrics. this step is optional. you can do it without this step)
3. The application encrypts the symmetric key with the public part of the asymm key pair and stores that in shared preferences
4. It is the symmetric key that is used to encrypt/decrypt the Firebase token or username + password whichever you want to use
5. To access the encrypted symmetric key, the app has to first obtain the private key from the Android Key Store, decrypt the symmetric key and then use it.