codenameone / CodenameOne

Cross-platform framework for building truly native mobile apps with Java or Kotlin. Write Once Run Anywhere support for iOS, Android, Desktop & Web.
https://www.codenameone.com/

FaceID is never found when Fingerprint.TouchID is not added to the device [Android only] #3563

Open plumberg opened 2 years ago

plumberg commented 2 years ago

Describe the bug: Issue related to the Fingerprint library (https://github.com/codenameone/FingerprintScanner). When no fingerprint TouchID is added to the device, isFaceIDAvailable() always returns false, even if FaceID was added to the device in device settings. If TouchID was added to the device, then FaceID is available too.

To Reproduce: Add the following code sample:

// "and" is the Codename One platform name for Android
if (Display.getInstance().getPlatformName().equals("and")) {
    Log.p("This is Android");
    if (Fingerprint.isTouchIDAvailable()) {
        Log.p("Fingerprint Unlock");
    } else {
        Log.p("TouchID NOT Available");
    }

    // Returns false on a face-only device, which is the reported bug
    if (Fingerprint.isFaceIDAvailable()) {
        CN.setProperty("FingerprintScanner.showDialogOnAndroid", "false");
        Log.p("Face Unlock");
    } else {
        Log.p("Face Unlock not found");
    }
}

Expected behavior: The library must recognize when only Face recognition was added, and no fingerprints are stored on the device.


shannah commented 2 years ago

A link to our android code for checking available auth types

I think this thread may shed some light.

The face recognition from Samsung is using the front camera which is not considered a secure biometric. This is what the docs say:

Feature for getSystemAvailableFeatures and hasSystemFeature: The device has biometric hardware to perform face authentication.

... Like I said, Samsung is using the front camera for face recognition and therefore is not secure. This is why you have to specifically set it to BIOMETRIC_WEAK. ... However I'd advise not to use this as this is not secure at all! Always use strong biometrics unless you have a good reason to use this.

This explanation sounds plausible as, before it checks what kind of biometric auth methods are available, it checks first to see if there is a secure authentication method. When you add a fingerprint, it causes it to satisfy that check.

There are a couple of ways to go here:

  1. Enable "WEAK" authentication methods (described in the same SO thread linked above), which should cause the face ID available to show up even when no fingerprints are enrolled. This is probably a bad idea on its own, as it might open serious security holes, and some of the people who use this library are banks and such, so security is paramount.
  2. Prevent faceID from riding the coat-tails of fingerprints. (I.e. make FaceID always return false). Then find a more explicit way to authenticate with "weak" authentication methods.
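
The strong-versus-weak distinction discussed in this thread, as an added example that is not code from the FingerprintScanner library or from either commenter. It assumes the app depends on `androidx.biometric`; the class `BiometricProbe` and its method names are hypothetical. Probing `BIOMETRIC_STRONG` and `BIOMETRIC_WEAK` separately shows why a face-only device can fail a strong-only gate, and lets the caller refuse weak biometrics for sensitive operations.

```java
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Build;
import androidx.biometric.BiometricManager;
import static androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG;
import static androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_WEAK;

/** Hypothetical helper for illustration; not part of FingerprintScanner. */
public final class BiometricProbe {
    public enum Strength { STRONG, WEAK_ONLY, NONE }

    private BiometricProbe() {}

    /** Highest biometric class that is enrolled and usable right now. */
    public static Strength enrolledStrength(Context ctx) {
        BiometricManager bm = BiometricManager.from(ctx);
        if (bm.canAuthenticate(BIOMETRIC_STRONG) == BiometricManager.BIOMETRIC_SUCCESS) {
            return Strength.STRONG;
        }
        // BIOMETRIC_WEAK accepts Class 2 and Class 3 sensors, so success here
        // after the strong check failed means only a weaker sensor is enrolled
        // (the camera-based face unlock case described in the thread).
        if (bm.canAuthenticate(BIOMETRIC_WEAK) == BiometricManager.BIOMETRIC_SUCCESS) {
            return Strength.WEAK_ONLY;
        }
        // Any other result (none enrolled, no hardware, unknown) is treated
        // as unavailable, which is the safe default.
        return Strength.NONE;
    }

    /**
     * True if the device declares face hardware (FEATURE_FACE, API 29+).
     * This says nothing about enrollment or about the sensor's class.
     */
    public static boolean hasFaceHardware(Context ctx) {
        return Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q
                && ctx.getPackageManager().hasSystemFeature(PackageManager.FEATURE_FACE);
    }

    /** Policy gate: sensitive operations accept only a strong biometric. */
    public static boolean allowBiometricUnlock(Context ctx, boolean sensitive) {
        Strength s = enrolledStrength(ctx);
        if (s == Strength.STRONG) {
            return true;
        }
        return s == Strength.WEAK_ONLY && !sensitive;
    }
}
```

Android does not report which modality is enrolled, so `WEAK_ONLY` together with `hasFaceHardware` is only a hint that the enrolled biometric is face unlock.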