hieuvp / react-native-fingerprint-scanner

Provide Fingerprint, Touch ID, and Face ID Scanner for React Native (Compatible with both Android and iOS)
https://www.npmjs.com/package/react-native-fingerprint-scanner

Allow setDeviceCredentialAllowed to be configurable #119

Open bryvin opened 4 years ago

bryvin commented 4 years ago

setDeviceCredentialAllowed is required to allow fallback systems (PIN, Pattern, etc.) to be used by user's choice. Is there a way we can get this to be configurable?

See here: https://github.com/hieuvp/react-native-fingerprint-scanner/blob/4a22b4dea91b437d6ebdb5f502381df28bcda2be/android/src/main/java/com/hieuvp/fingerprint/ReactNativeFingerprintScannerModule.java#L126

phillbaker commented 4 years ago

Hi @bryvin, typically that would mean that a biometric authentication mechanism was not used, which seems to be contrary to the point of this library. If I'm understanding correctly, it means that if a device password is compromised then an actor could authenticate to an app by using this fallback, changing this type of authentication from "what you are" to "what you know".

However, ultimately it's up to application authors to make that design choice/tradeoff and this request is similar to https://github.com/hieuvp/react-native-fingerprint-scanner/pull/82, so it does seem to be (a) possible across iOS and Android and (b) desired.

bryvin commented 4 years ago

While I do understand that, the BiometricPrompt.Builder from Android specifically has this as an option, as that is how you could have a fallback. This library already supports a fallback on iOS, so this would more or less bring them to feature parity.

Obviously I would suggest having it false by default and up to the App's developer to allow such authentication.
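The opt-in proposed above, sketched as an added example (not code from this thread or from the library). It assumes `androidx.biometric` 1.0.x; the class `PromptInfoFactory` and the `allowDeviceCredential` flag are hypothetical names, and callers are expected to pass `false` unless the app explicitly opts in.

```java
import androidx.annotation.NonNull;
import androidx.biometric.BiometricPrompt;

/** Hypothetical helper; not part of react-native-fingerprint-scanner. */
public final class PromptInfoFactory {

    private PromptInfoFactory() {}

    /**
     * @param title                 dialog title shown to the user
     * @param cancelText            cancel-button label, used in biometric-only mode
     * @param allowDeviceCredential hypothetical app-level option; pass false
     *                              unless the app accepts PIN/pattern/password
     */
    @NonNull
    public static BiometricPrompt.PromptInfo build(@NonNull String title,
                                                   @NonNull String cancelText,
                                                   boolean allowDeviceCredential) {
        BiometricPrompt.PromptInfo.Builder builder =
                new BiometricPrompt.PromptInfo.Builder().setTitle(title);

        if (allowDeviceCredential) {
            // "What you know" becomes sufficient: anyone holding the device
            // PIN/pattern/password can pass this prompt.
            // The system supplies the fallback button itself, so no negative
            // button may be set; build() throws IllegalArgumentException if
            // both are configured.
            builder.setDeviceCredentialAllowed(true);
        } else {
            // Biometric-only mode: a negative (cancel) button is mandatory.
            builder.setDeviceCredentialAllowed(false)
                   .setNegativeButtonText(cancelText);
        }
        // Note: androidx.biometric 1.1.0 deprecates setDeviceCredentialAllowed
        // in favour of setAllowedAuthenticators(...).
        return builder.build();
    }
}
```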

phillbaker commented 4 years ago

> This library already supports a fallback on iOS

To clarify, the current library only supports falling back to a method provided by the app (i.e. the app password), not an OS-based fallback. https://github.com/hieuvp/react-native-fingerprint-scanner/pull/82 would introduce this functionality for iOS, but it has not been merged.

bryvin commented 4 years ago

Interesting... so that is what this configuration is for? https://github.com/standardnotes/react-native-fingerprint-scanner#authenticate-description-fallbackenabled--ios

With our app, if you fail it prompts to enter a password, but immediately tries Face ID again. After you fail a few more times it prompts an option to enter Device Passcode... maybe that is built directly into iOS Face ID support?

Edit: To clarify, after you enter the device Passcode, authenticate from react-native-fingerprint-scanner is successful.

reactnative103 commented 4 years ago

We need this configurable; after that, this library becomes fabulous.

mikehardy commented 4 years ago

@reactnative103 in open source "We need this configurable" should be written as "Would you accept a PR to make this configurable?", then propose a PR - by far the fastest way to get resolution, and of course use patch-package in the meanwhile for your project while the PR goes through review + merge etc

reactnative103 commented 4 years ago

@mikehardy Thanks for quick reply.

PR already raised and committed code by @bryvin. But no action on this till now.

mikehardy commented 4 years ago

@reactnative103 and there are steps listed there to bring it home: https://github.com/hieuvp/react-native-fingerprint-scanner/pull/82#issuecomment-654301684 - anyone can do them I think, could be you? If there is a PR open, that should be the discussion point, looks like this is achievable with a little effort from someone

bryvin commented 4 years ago

@reactnative103 The PR I had submitted has been closed for some time now. But there seems to be a new one issued here: https://github.com/hieuvp/react-native-fingerprint-scanner/pull/125 albeit it doesn't look like the ability is configurable here.

reactnative103 commented 4 years ago

@bryvin Thanks for your reply. Please suggest how we can achieve PIN, pattern, and password lock with Touch ID. Have you found any solution?

bryvin commented 4 years ago

@reactnative103 To be honest I am a little out of the loop on this now and am no longer working with React Native at all. I do know though that previously in my experience failing enough times with Face ID/Touch would prompt automatically to enter in the PIN but only on the second round of "failing". So essentially failing Face ID enough times, trying again with Face ID and failing again it would then prompt for PIN.

I don't recall if this was a side effect of our app's handling of this behavior or if that was built into the Fingerprint API.

Sorry I can't be of much help!