Mobile Authentication With Biometric (Fingerprint or Face) In Android

An Introduction of Biometric Authentication

Biometric is the technical term for human body measurements and calculations. It measures human characteristics. Biometrics authentication is used in computer science as a form of access control and authentication. It is also used to identify individuals in groups of people that are under surveillance.

Biometric authentication and identification is unique, they are more dependable in verifying identity than token and knowledge-based methods; but, the collection of biometric identifiers raises privacy related to the ultimate use of this information.

Figure-1.0  Biometric System Diagram.

The block diagram illustrates the modes of a biometric system.

In verification or authentication mode the system performs a one-to-one comparison of a captured biometric with a specific template stored in a biometric DB in order to verify the separate is the person they claim to be. Three steps are in the verification of a person. In the first step, reference models for all the users are generated and stored in the model DB.

In the second step, some samples are matched with reference models to generate the genuine and pretender scores and calculate the threshold. The third step is the testing step. This process use a smart card, username or ID number (e.g. PIN) to indicate which template should be used for check. Positive authentication and identification is a regular use of the verification mode, where the aim is to prevent multiple people from using the identity.

Android Biometric Architecture

The BiometricPrompt API covers all biometric authentication like, face, finger, and iris.

The two new APIs introduced the old FingerprintManager that was used for handling fingerprint biometrics on Android devices. Particularly, the FingerprintManager class was deprecated in API level 28. The flow diagram across android versions can be seen above, the original image can be found in the Android Developer documentation here.

The developer documentation is here: All biometric implementations must meet security specifications as per documentation and have a strong rating in order to participate in the BiometricPrompt class”. For more guidelines, you can see google documentation here and here.

The BiometricPrompt class covers a companion Builder class that can be used to configure and create BiometricPrompt class instances, as well as defining the text that is to seem within the biometric identification and authentication dialog and the customization of the cancel button that appears in the dialog.

Set of authentication callbacks that are assigned by BiometricPrompt class instances. Which provides the app with results of authentication different operations. A CancellationSignal class instance is also used to authorize the app to cancel the authentication while it is in process.

Fingerprint is only available on devices which contain a touch sensor and on which the acceptable configuration has been taken to make secure the device and register at least one fingerprint.

Biometric factors permite for secure authentication on the Android platform. The Android framework covers face and fingerprint biometric authentication.

Android can be customized to support other forms of biometric authentication lik Iris. All biometric authentication or identification implementations must meet security requirements and have a strong rating in order to participate in the BiometricPrompt class. Biometrics authentication is measured with the Imposter Accept Rate (IAR) and Spoof Accept Rate (SAR).

Here are the steps to implement BiometricPrompt Compat:

1) Set Permission on manifest.xml file.

2) Set androidx.biometric dependency to app level build.gradle file:

3) Create BiometricPrompt instance:

Before we go into details of the code, let’s see the responsibility of BiometricPrompt class from documentation:

A class that manages a system-provided biometric prompt. System will show authentication messages on latest devices android 9 Pie and above. On devices before Android 9 Pie, this will show a dialog prompting for fingerprint authentication. The prompt will continue across orientation changes unless explicitly canceled by the user. For security risk, the prompt will dismiss when the activity is no longer in the foreground.

BiometricPrompt class is not only limited to fingerprint authentication, which is great!

Let’s create all require parameters:

4) Create BiometricPrompt.PromptInfo instance:

When we call the biometricPrompt.authenticate() method, we need to send the instance of BiometricPrompt.PromptInfo. We can create instances of BiometricPrompt.PromptInfo using BiometricPrompt.PromptInfo.Builder.

In these parameters subtitle and description are optional, so you can skip those parameters. You might have a question: what’s the purpose of negative button text?

As per the documentation, a “Cancel” button is usually used for negative buttons, but may be also used to show another method for authentication, such as screen that asks for a backup password or other login prompt method like application PIN or Pattern. You can use onAuthenticationError() method of callback as below to handle error code.

If you would like to check in details for more understanding you can find more about error codes from here.

5). Start authentication:

In this last step, using BiometricPrompt class install you can call authenticate() method and pass BiometricPrompt.PromptInfo class instance we built in previous step:
You can cancel the authentication by calling below method :
Above image is how biometric prompt view like on Android 7.0 (left) and Android 9.0 (right)

As we have integrated it’s easy, As Google provided the system authentication prompt using a device’s supported biometric and as you can see, it is easy to integrate.

Biometric HAL guidelines are as there to ensure that biometric data is not leaked and is removed when a user is removed from a device:

• First, we need to make sure that raw biometric data or derivatives such as templates are never accessible from outside the sensor driver or secure isolated environment such as the TEE or Secure Element.
• If the hardware supports it, limit hardware access to the secure separate environment and protect it with an Linux policy. Make the communication channel such as SPI and I2C accessible only to the secure single environment with an SELinux policy on all device files.
• Biometric acquisition, enrollment, and recognition must occur inside the secure separate environment to protect data breaches and other attacks. This requirement only applies to strong biometrics.
• Biometric data store only the encrypted form or derivatives on the file system.
• To protect against replay attacks, sign biometric templates with a private, device-specific key. For Advanced Encryption Standard (AES), at a minimum sign a template with the absolute file-system path, group, and biometric ID such that template files are inoperable on another device or for anyone other than the user that enrolled them on the same device. such as , not allowing copying biometric data from different users on the same device or other device.
• When a user is removed, remove all template data also and Use the file-system path provided by the set_active_group()function, It’s recommended that biometric template files be stored as encrypted in the path provided. If this is impossible due to the storage requirements of the secure single environment, to ensure removal of the data need to add hooks when the user is removed or the device is wiped.

How can biometric authentication improve mobile security?

A strong authentication of mobile strategy should encompass a biometric factor, and it should examine implementing such a factor into a multifactor authentication process.

There are some methods used in modern mobile devices to authenticate users to a locked device.

Mobile authentication should provide the simplicity to use and security for organization; it’s important for the user, and biometric authentication in android devices offers this balance in a single factor.

Traditional mobile authentication

To access their device authentication method is used as a standard password for this user to enter letters, numbers and symbols.this is simple to use until users don’t forget their passcodes. But it does not provide strong protection because users use the same passcode for multiple devices or other logins.

Passcodes are easy for hackers to crack, and they’re capable of shoulder surfing — it might be possible for someone determining the passcode by simply looking over the user’s shoulder.

Another mobile authentication method is the action pattern. In this case, users recreate certain patterns by dragging their fingers across the screen. The action pattern is more awkward for users than passcodes; this is especially true as the patterns become more complex. Action patterns are more secure than passcodes, but the general security of this method depends on the pattern’s complexity. Shoulder surfing might be possible in action patterns, and users may leave marks on the screens from repeatedly entering the same pattern.

In Mobile, providing secure authentication is the key. The best secure option is security key in mobile authentication, mobile devices can read small tokens with a Bluetooth or near fields communication scan. The Best thing is that Security keys can log users on to their devices and applications without requiring any passcode or action pattern inputs from the users. Hackers can not reuse and users can not share because Security Key uses public and private credentials. End users require their security keys when they try to access their devices. but Users can lose or temporarily misplace the keys, which leaves open the possibility of a hacker stealing a key and accessing a device freely.

Biometric authentication factors

Biometric identification and authentication depends on unique biological attributes, such as a fingerprint, an iris, a face or even a heartbeat. These attributes are much more difficult for hackers and criminals to exploit because they’re unique to each individual.

Today’s biometric identification and authentication systems cover checks to verify that the biometric elements aren’t coming from video or audio recordings as well.

With biometric authentication and identification for mobile devices, users don’t have to remember passcodes or action patterns, and they don’t have to carry around security keys. It’s easy for users to authenticate to their devices at any time. Biometric authentication also has risks as like any other mobile authentication method. In Biometric authentication such as potential false positives or compromised digital image files. Once a hacker steals a biometric image, that biometric factor is compromised constantly; if those images are stolen then users cannot change their fingerprints or faces. As of now both Google Android and Apple iOS devices are provided built-in mechanisms to protect biometric data, but still that doesn’t guarantee the devices will remain impenetrable forever. Contact Now!