Closed: hvge closed this 2 years ago
I can reproduce this on an Android 8 device. It seems that the androidx.biometric support library doesn't disable the "Close" button when too many attempts are reached. So, you have an opportunity of about 2 seconds to cancel the dialog before the result is reported back to PowerAuth SDK.
I think we can work around this, because our listener gets onAuthenticationFailed() first and then onAuthenticationError() with an error code depending on whether the dialog was canceled. So, we can track the last failure and ignore a subsequent cancel if it's in the expected time window.
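A sketch of the workaround described in the comment above, added here as an example and not taken from PowerAuth SDK. The names `BiometricOutcome` and `CancelAfterFailureTracker` are hypothetical, the 2-second window is an assumption based on the delay mentioned above, and reporting the ignored cancel as a failed attempt is one interpretation of the comment. The logic is plain Kotlin with an injected clock so it runs without an Android device.

```kotlin
// Added example: correlates a cancel with a rejected biometric sample just before it.
enum class BiometricOutcome { SUCCESS, FAILED_ATTEMPT, USER_CANCEL, OTHER_ERROR }

class CancelAfterFailureTracker(
    private val windowMs: Long = 2_000L,   // assumed window, from "about 2 seconds"
    private val now: () -> Long            // monotonic clock, e.g. SystemClock.elapsedRealtime()
) {
    private var lastFailureAt: Long? = null

    // Call from onAuthenticationFailed(): a biometric sample was rejected.
    fun onFailed() { lastFailureAt = now() }

    // Call from onAuthenticationSucceeded().
    fun onSucceeded(): BiometricOutcome {
        lastFailureAt = null
        return BiometricOutcome.SUCCESS
    }

    // Call from onAuthenticationError(); isCancel is true for cancel codes such as
    // BiometricPrompt.ERROR_USER_CANCELED or BiometricPrompt.ERROR_NEGATIVE_BUTTON.
    fun onError(isCancel: Boolean): BiometricOutcome {
        val failedAt = lastFailureAt
        lastFailureAt = null
        if (!isCancel) return BiometricOutcome.OTHER_ERROR
        val recent = failedAt != null && (now() - failedAt) in 0L..windowMs
        // A cancel right after a rejected sample is not trusted as a user cancel.
        return if (recent) BiometricOutcome.FAILED_ATTEMPT else BiometricOutcome.USER_CANCEL
    }
}

fun main() {
    var clock = 0L
    val tracker = CancelAfterFailureTracker(now = { clock })

    // Constructed timeline 1: rejected sample, cancel pressed 1.2 s later.
    clock = 10_000L; tracker.onFailed()
    clock = 11_200L
    check(tracker.onError(isCancel = true) == BiometricOutcome.FAILED_ATTEMPT)

    // Constructed timeline 2: cancel with no preceding failure.
    clock = 20_000L
    check(tracker.onError(isCancel = true) == BiometricOutcome.USER_CANCEL)

    // Constructed timeline 3: rejected sample, cancel long after the window.
    clock = 30_000L; tracker.onFailed()
    clock = 45_000L
    check(tracker.onError(isCancel = true) == BiometricOutcome.USER_CANCEL)
    println("ok")
}
```

A cancel within the window after a single rejected sample that did not cause a lockout is also reported as a failed attempt, so the tracker errs toward incrementing the counter.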
Investigate whether it's possible to catch an error in Android 9+ BiometricPrompt even when the user presses cancel after lockout.
Steps to reproduce:
The result is that on some devices, it's possible to press cancel and avoid incrementing the failed authentication counter on the server. The question is whether we can work around this, or whether it's just acceptable behavior on some devices.