oblador / react-native-keychain

:key: Keychain Access for React Native

[question] Device fingerprint change #336

Open krutkowski86 opened 4 years ago

krutkowski86 commented 4 years ago

How do I determine that user has changed (add/remove) fingerprint/touch id/face id?

OleksandrKucherenko commented 4 years ago

Why do you need this? Users cannot change biometrics without passing the existing biometric verification first... so from a security point of view, it does not matter; a user is still verified and valid.

P.S. It depends on the implementation on the device. Samsung just returns unique IDs for each fingerprint, but Huawei, for example, just returns the order number instead of unique IDs (or vice versa, I don't remember who is doing what correctly). But it's possible to detect.

krutkowski86 commented 4 years ago

@OleksandrKucherenko What I meant was that someone could somehow add a new fingerprint to our device, which means that he can now authenticate in the app. Most bank applications inform us about such a change and require standard (non-biometric) authentication.

koyta commented 4 years ago

I’m not sure if it works but we have “Biometry current set” option. Try to find it in the docs.

krutkowski86 commented 4 years ago

I'm using Keychain.ACCESS_CONTROL.BIOMETRY_CURRENT_SET - but it doesn't stop me from getting credentials after changing biometry settings (new fingerprint).

krutkowski86 commented 4 years ago

@OleksandrKucherenko Android docs say something about setInvalidatedByBiometricEnrollment

// Invalidate the keys if the user has registered a new biometric
// credential, such as a new fingerprint. Can call this method only
// on Android 7.0 (API level 24) or higher. The variable
// "invalidatedByBiometricEnrollment" is true by default.

https://developer.android.com/training/sign-in/biometric-auth#biometric-only

Can we set it somehow?

joelnewton commented 4 years ago

looks like it is set to true by default? I too would like this feature.

@OleksandrKucherenko Android docs say something about setInvalidatedByBiometricEnrollment

// Invalidate the keys if the user has registered a new biometric
// credential, such as a new fingerprint. Can call this method only
// on Android 7.0 (API level 24) or higher. The variable
// "invalidatedByBiometricEnrollment" is true by default.

https://developer.android.com/training/sign-in/biometric-auth#biometric-only

Can we set it somehow?

jambanagar commented 4 years ago

@krutkowski86 @joelnewton

I set the following in CipherStorageBase.java, in the tryGenerateRegularSecurityKey() and tryGenerateStrongBoxSecurityKey() methods:

    .setUserAuthenticationRequired(true)
    .setInvalidatedByBiometricEnrollment(true)
    .build();

Can you please let me know if it works for you? (Assuming you are willing to fork and make the changes?)

warrioru commented 3 years ago

Any updates on this topic? I use setInvalidatedByBiometricEnrollment(true) and I can still log in after adding / deleting a fingerprint.

amircoh commented 3 years ago

Any update please, it's urgent!

tieorange commented 3 years ago

Bump. Having the same issue.

husainkantawalaFS commented 2 years ago

Any updates?

imdaniele commented 2 years ago

Same issue here.

armibit commented 2 years ago

Any news? I've tried to add storage: Keychain.STORAGE_TYPE.RSA but I can still log in after adding / deleting a fingerprint.

MosCD3 commented 2 years ago

Same here, .setInvalidatedByBiometricEnrollment(true) doesn't seem to work.

mpatafio commented 2 years ago

The current implementation doesn't support the usage of such a feature by just adding the flag. As of now the authentication is "time-bound" (setUserAuthenticationValidityDurationSeconds is set to 5 seconds), which means the Cipher can be used "asynchronously" between user authentication and encryption/decryption operations. If you want to use setInvalidatedByBiometricEnrollment properly you have to, as per the documentation:

It basically produces a key that requires user authentication every time you need to perform an encryption/decryption operation; it means that every time the user authenticates (through biometry for instance) you have to perform cryptography tasks using the Cipher in a "sync" way.

Using the Cipher in a "sync" way forces you to pass it into a CryptoObject when you authenticate the user.

protected BiometricPrompt authenticateWithPrompt(@NonNull final FragmentActivity activity) {
  final BiometricPrompt prompt = new BiometricPrompt(activity, executor, this);
  try {
    this.storage.getCachedInstance().init(Cipher.DECRYPT_MODE, context.key);
    prompt.authenticate(this.promptInfo, new BiometricPrompt.CryptoObject(this.storage.getCachedInstance()));
  } catch (final Throwable fail) {
    // any other exception treated as a failure
    this.onDecrypt(null, fail);
  }
  return prompt;
}

Then the same CryptoObject will be returned as the result by the onAuthenticationSucceeded callback.

@Override
public void onAuthenticationSucceeded(@NonNull final BiometricPrompt.AuthenticationResult result) {
  result.getCryptoObject().getCipher()
  .......
}

Now the Cipher allows you to perform decryption of data.

Here comes a further limitation of the current implementation: currently both username and password are encrypted/decrypted, but using the above scheme the Cipher is unlocked only for a single operation per user authentication. Probably, if we want to switch to this mode, we should accept either not encrypting the username or merging both username and password into a single token-separated string.
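As an added illustration of the auth-per-use key described in the comment above (this is not react-native-keychain code nor the commenter's), the block below generates an Android KeyStore AES key with setInvalidatedByBiometricEnrollment(true) and no validity duration, detects an enrollment change through KeyPermanentlyInvalidatedException at Cipher init, and hands the Cipher to BiometricPrompt inside a CryptoObject. The alias `example_alias` and the assumption that the app stores the GCM IV next to the ciphertext are mine.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import androidx.biometric.BiometricPrompt;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

final class EnrollmentBoundKey {
  static final String ALIAS = "example_alias"; // assumed alias, not the library's

  // No setUserAuthenticationValidityDurationSeconds(): the key is auth-per-use,
  // which is what setInvalidatedByBiometricEnrollment(true) needs to take effect.
  static SecretKey generate() throws Exception {
    KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
    kg.init(new KeyGenParameterSpec.Builder(ALIAS,
            KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setUserAuthenticationRequired(true)
        .setInvalidatedByBiometricEnrollment(true) // API 24+
        .build());
    return kg.generateKey();
  }

  // Returns null when the KeyStore reports the key invalidated, i.e. a fingerprint was
  // added or removed since generate(): drop the stored secret and fall back to a
  // non-biometric login, as the thread describes for banking apps.
  static Cipher initForDecrypt(byte[] iv) throws Exception {
    KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
    ks.load(null);
    SecretKey key = (SecretKey) ks.getKey(ALIAS, null);
    Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
    try {
      cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
    } catch (KeyPermanentlyInvalidatedException e) {
      ks.deleteEntry(ALIAS);
      return null;
    }
    return cipher;
  }

  // The Cipher rides inside the CryptoObject; onAuthenticationSucceeded hands back the
  // same instance, unlocked for exactly one doFinal() on the stored ciphertext.
  static void decryptWithPrompt(BiometricPrompt prompt, BiometricPrompt.PromptInfo info, Cipher cipher) {
    prompt.authenticate(info, new BiometricPrompt.CryptoObject(cipher));
  }
}
```

In the prompt's onAuthenticationSucceeded callback, call result.getCryptoObject().getCipher().doFinal(ciphertext) once; a second operation needs a new prompt, which is the single-operation limitation the comment raises.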

anhquan291 commented 1 year ago

Hi everyone. Since our project requires that whenever the biometric setting changes (like adding/removing a fingerprint) the biometric config in the app should be removed, I see that the lib react-native-biometrics can do that. But I think it would be nice if I could stick to this amazing lib. Any suggestions, guys? Thanks

hraschan commented 1 year ago

Are there any updates on this?

Daohai122 commented 1 year ago

Hi everyone. Since our project requires that whenever the biometric setting changes (like adding/removing a fingerprint) the biometric config in the app should be removed, I see that the lib react-native-biometrics can do that. But I think it would be nice if I could stick to this amazing lib. Any suggestions, guys? Thanks

I am using react-native-biometrics but it also does not detect adding a new fingerprint.

gabk17 commented 1 year ago

react-native-biometrics does not do it currently; how can that be fixed?

satheeshwaran commented 1 year ago

I was trying to get this working on Android with this plugin but could not. react-native-sensitive-info does this out of the box.

It works on Android and throws a Key permanently invalidated error when biometrics are altered in the device settings.

It returns undefined when you retrieve data if you passed kSecAccessControl: 'kSecAccessControlBiometryCurrentSet' when you saved the data.