Summary

On my Pixel 4a I cannot use a cryptographic key any longer after removing a fingerprint in the Android settings.

Details

To enhance my app's security I want to have its signing key invalidated once any biometric features (e.g. fingerprints) are changed on the phone. Therefore I set setInvalidatedByBiometricEnrollment(true) when generating the key:

KeyPairGenerator.getInstance(
    KeyProperties.KEY_ALGORITHM_EC,
    "AndroidKeyStore"
).apply {
    initialize(
        KeyGenParameterSpec.Builder(alias, PURPOSE_SIGN)
            .setAlgorithmParameterSpec(ECGenParameterSpec("secp256r1"))
            .setDigests(DIGEST_SHA256)
            .setUserAuthenticationRequired(true)
            .setInvalidatedByBiometricEnrollment(true)  // <--- the setting in question
            .setIsStrongBoxBacked(true)
            .build()
    )
}.generateKeyPair()

When an additional fingerprint is enrolled

A KeyPermanentlyInvalidatedException will be thrown on any attempt to use the cryptographic key after adding an additional fingerprint. This is expected behavior and I observed it on all devices that I have tested on (two Samsung Galaxy phones and a Pixel 4a).

When a fingerprint is removed

When one of the existing biometric features (not the only one) is removed, I observe two different behaviors:

Samsung Galaxy phones (Android 11/12)

The cryptographic key remains usable. This is expected, as it complies with the docs, and removing a fingerprint does not compromise security.

Google Pixel 4a (Android 11/12/13)

On the Pixel 4a, the cryptographic key is rendered unusable when a fingerprint is removed. Any subsequent attempt to use the key (e.g. for signing) will result in an exception of the following type:

android.security.KeyStoreException: Key user not authenticated

According to Issue 215575432 this also happens on a Pixel 5. Even deleting and recreating the cryptographic key does not help.

Workarounds

To my knowledge, there are two ways to recover from this situation (ordered by descending convenience):

  1. Reboot the device, then recreate the key
  2. Remove all biometric features, then recreate the key

Test App

I've made a sample app to test this: https://github.com/Landschaft/keyInvalidationTest . Try it on your Android device to see how it behaves.

The Request

While this strongly seems like a bug on Pixel phones, I would be glad to hear if someone could point out what I'm doing wrong, or if anyone experiences the same or similar issues.

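As an added illustration (not code from the question or from the linked test app), the following Kotlin sketch generates the key with the same parameters as above and then sorts a failed key use into the two outcomes described in the question: the documented KeyPermanentlyInvalidatedException after enrolment, where the app can simply regenerate the key, and the Pixel-only "Key user not authenticated" KeyStoreException, where regenerating does not help and the user has to reboot. The alias, the KeyFailure type and the string match on the exception message are assumptions made for this example.

```kotlin
import android.security.KeyStoreException
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import java.security.KeyPairGenerator
import java.security.KeyStore
import java.security.PrivateKey
import java.security.Signature
import java.security.spec.ECGenParameterSpec

private const val ANDROID_KEYSTORE = "AndroidKeyStore"

/** Hypothetical result type: each case maps to a different user-facing message. */
sealed class KeyFailure {
    object Rotated : KeyFailure()                       // enrolment invalidated the key; a fresh one was generated
    data class NeedsReboot(val cause: Throwable) : KeyFailure()  // the Pixel "Key user not authenticated" state
    data class Other(val cause: Throwable) : KeyFailure()
}

/** Deletes any stale entry and generates the key with exactly the parameters from the question. */
fun createSigningKey(alias: String) {
    KeyStore.getInstance(ANDROID_KEYSTORE).apply { load(null) }.deleteEntry(alias)
    KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, ANDROID_KEYSTORE).apply {
        initialize(
            KeyGenParameterSpec.Builder(alias, KeyProperties.PURPOSE_SIGN)
                .setAlgorithmParameterSpec(ECGenParameterSpec("secp256r1"))
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setUserAuthenticationRequired(true)
                .setInvalidatedByBiometricEnrollment(true)
                .setIsStrongBoxBacked(true)
                .build()
        )
    }.generateKeyPair()
}

/** Loads the key and binds it to a Signature; initSign() is where KeyPermanentlyInvalidatedException surfaces. */
fun prepareSignature(alias: String): Result<Signature> = runCatching {
    val ks = KeyStore.getInstance(ANDROID_KEYSTORE).apply { load(null) }
    val key = ks.getKey(alias, null) as? PrivateKey ?: error("no key under alias $alias")
    Signature.getInstance("SHA256withECDSA").apply { initSign(key) }
}

/** Walks the cause chain of any exception raised while using the key and decides how to recover. */
fun classifyKeyFailure(alias: String, t: Throwable): KeyFailure {
    val chain = generateSequence(t) { it.cause }.toList()
    return when {
        chain.any { it is KeyPermanentlyInvalidatedException } -> { createSigningKey(alias); KeyFailure.Rotated }
        chain.any { it is KeyStoreException && it.message?.contains("not authenticated") == true } ->
            KeyFailure.NeedsReboot(t)   // per the question, recreating the key does not clear this state
        else -> KeyFailure.Other(t)
    }
}
```

The Signature returned by prepareSignature is meant to be wrapped in a BiometricPrompt.CryptoObject before sign() is called; whatever exception either step throws is passed to classifyKeyFailure.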
    Seeing this same exact situation in my app on my Pixel 4a. I had figured out workaround #2 -- thank you for pointing out workaround #1! The latter strikes me as a little less onerous way for a user to remedy the situation. – Bruce Geerdes May 18 '22 at 23:03
  • I've been banging my head with this issue and I can reproduce this exactly like you described it. EXCEPT that recreating the key (by removing it from the keystore and adding it back in) does nothing. Basically, it remains broken until I restart the device. Checking on a Pixel 4a running Android 13 and I'm out of ideas on how to fix this. – Jay Sidri Apr 05 '23 at 03:05