hieuvp / react-native-fingerprint-scanner

Provide Fingerprint, Touch ID, and Face ID Scanner for React Native (Compatible with both Android and iOS)
https://www.npmjs.com/package/react-native-fingerprint-scanner

How to resolve "DeviceLockedPermanent" #148

Open aaroncornelissen opened 3 years ago

aaroncornelissen commented 3 years ago

I updated the library from v4 to v6.0.0 in my app. I am now using the new Android API to use fingerprint for login. During the testing process I entered my fingerprint incorrectly too many times, and now my fingerprint scan does not work anymore. I am now constantly getting a DeviceLockedPermanent error.

The Android docs (https://developer.android.com/reference/androidx/biometric/BiometricPrompt#ERROR_LOCKOUT_PERMANENT) say: Biometric authentication is disabled until the user unlocks with strong authentication (PIN/Pattern/Password).

My question is: How can I trigger the "strong authentication" to resolve the DeviceLockedPermanent error? Uninstalling the app does not work, only a complete simulator reset.

mikehardy commented 3 years ago

Looks like this system API, with true to allow for device credentials (non-biometric) would do it https://developer.android.com/reference/androidx/biometric/BiometricPrompt.PromptInfo.Builder#setDeviceCredentialAllowed(boolean)

Attempt it by altering this line here directly to true and testing: https://github.com/hieuvp/react-native-fingerprint-scanner/blob/910e563bb55b22829056d728273d81bf035a81f3/android/src/main/java/com/hieuvp/fingerprint/ReactNativeFingerprintScannerModule.java#L129

If it works you may either persist that change with patch-package https://github.com/ds300/patch-package so it works in your project immediately, or perhaps propose exposing that as a new optional parameter starting here https://github.com/hieuvp/react-native-fingerprint-scanner/blob/910e563bb55b22829056d728273d81bf035a81f3/src/authenticate.android.js#L41 and plumbed through to the native method linked first, allowing callers to toggle it on or off?

aaroncornelissen commented 3 years ago

@mikehardy thanks for your message.

I've tried your possible solution, but it didn't work. After entering wrong credentials +/- 20 times, reopening the biometric prompt is not possible anymore. I think your suggested change has to do with it, but I think there also has to be an event that tells Android that the alternative strong login succeeded.

mikehardy commented 3 years ago

@aaroncornelissen to "active listen" (to make sure I understand) and guess a bit:

If so, I think there is a little progress but obviously not ideal yet.

I saw a reference in AOSP source code to BiometricManager.resetLockout (https://android.googlesource.com/platform/frameworks/base/+/master/core/java/android/hardware/biometrics/BiometricManager.java) which seems like it would do the trick, but I'm not sure where you get the token it needs (presumably as a return value from a non-biometric unlock?) or how to call that API.

Searching hasn't been fruitful so far, but there was a mention of holding a wake lock until a hardware service finished a timeout (as in, the hardware service may allow more failures after X amount of time), so perhaps simply waiting after X failures is sufficient to avoid permanent lockout.

As a possible workaround, if biometric locks out after 20 times (!) perhaps the app could use async-storage and after 3-5 failed attempts (tracked via async-storage) it could switch to fallback PIN allowed, then after a couple more it could warn the user strongly to not use biometric, etc.? Just brainstorming.
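
The soft-lockout idea from the last comment, written out as an added example (not code from the thread or from the library). The thresholds, the storage key and every function name are assumptions; the counter is kept as a string because that is what async-storage stores, and the read and write around each `authenticate()` call are left to the app.

```javascript
// Added example: app-side failure counter that steers users to the PIN
// fallback long before the OS reaches DeviceLockedPermanent.
// The counter is app-writable UX state, not a security boundary; the OS
// lockout stays authoritative.
const SOFT_LIMIT = 3;                     // assumed: offer PIN fallback from here
const HARD_LIMIT = 5;                     // assumed: warn and steer to PIN from here
const STORAGE_KEY = 'biometricFailures';  // hypothetical async-storage key

// Parse the string read from async-storage under STORAGE_KEY.
function parseFailures(raw) {
  if (raw === null || raw === undefined) return 0; // nothing stored yet
  // Present but not a plain non-negative integer: fail closed to the PIN
  // path instead of handing out a fresh set of biometric attempts.
  return /^\d{1,6}$/.test(raw) ? Number(raw) : HARD_LIMIT;
}

// outcome: 'success', 'failure', or the library error name from this thread.
function nextFailures(failures, outcome) {
  if (outcome === 'success') return 0;                        // only success resets
  if (outcome === 'DeviceLockedPermanent') return HARD_LIMIT; // OS already locked
  if (outcome === 'failure') return Math.min(failures + 1, HARD_LIMIT);
  return failures;                                            // e.g. a cancel: no change
}

// Decide what the next prompt may offer.
function policyFor(failures) {
  if (failures >= HARD_LIMIT) return { mode: 'pin_with_warning' };
  if (failures >= SOFT_LIMIT) return { mode: 'biometric_or_pin' };
  return { mode: 'biometric' };
}

// Replay a run of outcomes against a stored value: read, update per attempt,
// then return the string to write back and the policy for the next prompt.
function replay(stored, outcomes) {
  let failures = parseFailures(stored);
  for (const outcome of outcomes) failures = nextFailures(failures, outcome);
  return { stored: String(failures), policy: policyFor(failures) };
}

// Constructed sample run: three failures in a row on a fresh install.
console.log(replay(null, ['failure', 'failure', 'failure']));
```
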