mjwheatley / cordova-plugin-android-fingerprint-auth

A cordova plugin for fingerprint authentication using the hardware fingerprint scanner on devices running Android 6+
Apache License 2.0

Possible Usage #5

Closed boredom2 closed 7 years ago

boredom2 commented 8 years ago

Hello,

I admit, I don't have a deep knowledge about encryption techniques, but I would like to ask the following:

Thanks! Christoph

mjwheatley commented 8 years ago

I will have to double check, but if I remember correctly the plugin returns an encrypted token upon successful fingerprint authentication that is generated using the clientSecret parameter provided with the method call. The encrypted token should be the same every time (that is what I need to verify, that the same Cipher instance is used).

  1. Yes, the plugin confirms that a person has enrolled fingerprints on the device.
  2. You will need to prompt for some sort of user ID if you want your app to support multiple users.
  3. Yes you will need to have a user log in first, validate, then store the encrypted token for subsequent validations.
  4. See below
    • You may use a different clientSecret per user. I would suggest concatenating a static clientSecret with a userId to generate a unique token that can be used to identify and authenticate a user.
    • You would need to store that token with the user profile on your Accounts server.
    • A user will first need to identify themselves so that you can retrieve the userId to create the same clientSecret and generate the same encrypted token upon successful validation.
    • Any fingerprint enrolled on the device will be able to authenticate for that user.
    • The cipher used is unique per device, so the encryption token generated will not be the same between devices.
boredom2 commented 8 years ago

Hi there,

thanks for your detailed answer. I completely agree: if I always got the same signed hash back from login with fingerprint, this would be clear. But currently the method always returns different base64_encoded values, so there is not much I could do with it, at least not for that purpose...

thezachcannon commented 8 years ago

I am having the same issue the method always returns a different base64_encoded value for the same fingerprint. Any help @mjwheatley?

mjwheatley commented 8 years ago

This plugin was not designed to be a login replacement. It cannot differentiate between user fingerprints. It only reports if the user authenticated against a fingerprint enrolled on the device. Currently, the plugin will always return a different base64_encoded value.

I was never sure what the purpose of the returned encrypted token was for. This plugin was based off this sample project: https://developer.android.com/samples/FingerprintDialog/src/com.example.android.fingerprintdialog/MainActivity.html

I would have to do some research on how to use the clientId, clientSecret, Keystore, SecretKey, and Cipher all together to try and return a unique token consistently.
https://developer.android.com/reference/javax/crypto/Cipher.html Currently the Cipher is being initialized every time, so that may be what is encrypting the clientSecret differently every time.

There might be something with Cipher.ENCRYPT_MODE and Cipher.DECRYPT_MODE. You could have an enroll flow where you would provide a username:password and upon successful authentication the plugin could return an encrypted token representing the username and password. Then for login, you could pass the same token back to the plugin. After successful authentication the plugin would decrypt the token and return the username:password.

It would take some trial and error and I don't know how much time I can spare to work on it. If anyone feels up to the task I would appreciate the help.

mjwheatley commented 7 years ago

Feature added to version 1.1.0