Why crypto object is needed for Android fingerprint authentication?

Ponsuyambu · Sep 13, 2016 · Viewed 9.4k times

I have gone through the android finger print sample provided by Google.

https://github.com/googlesamples/android-FingerprintDialog

As I am new to security standards, I am unable to understand the following.

  1. Why do we need to use Keystore, key, CryptoObject, etc.? Simply, it could be like: ask the fingerprint manager to authenticate the user and it can simply return the status (success/failed).
  2. Do I need to generate a new key every time on each authentication?

Answer

Omar Aflak · Jul 11, 2017

Why do we need to use Keystore, key, CryptoObject, etc.? Simply, it could be like: ask the fingerprint manager to authenticate the user and it can simply return the status (success/failed).

You don't have to. You can make fingerprint authentication without a CryptoObject, just pass a null value. Then you won't have to mess with the keystore and other stuff.

The only use of a CryptoObject in a Fingerprint Authentication context is to know if a new fingerprint was added since last time the user authenticated via fingerprint.

Do I need to generate a new key every time on each authentication?

If a new fingerprint is added, you will have to prompt a password to verify the user's identity and then generate new keys (because they became invalid when the new fingerprint was added).

Again, you won't have to mess with these if you pass a null CryptoObject.

A matter of point of view

Fingerprint authentication doesn't require a CryptoObject, in fact it's quite the opposite.

When you make cryptographic operations on Android, you can use one of these objects: Cipher, Signature, Mac (and others). One of these three can be used to build a CryptoObject.

When you generate keys for these objects, there is a method named setUserAuthenticationRequired(boolean) which makes the keys valid only if the user has authenticated via fingerprint before.

Thus, in case of a client/server communication for instance, if the client can use the keys, it means he authenticated via fingerprint and his identity is known.

That said, you might want to check my library which makes the whole thing a lot easier:

https://github.com/OmarAflak/Fingerprint
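The mechanism the answer describes, as an added example that is not taken from the Google sample or from the answerer's library: an AES key is generated in the Android Keystore with setUserAuthenticationRequired(true), wrapped in a Cipher inside a FingerprintManager.CryptoObject, and only becomes usable once the user has passed the fingerprint prompt. The KeyPermanentlyInvalidatedException branch is the "new fingerprint was enrolled" case from the answer, which is where the app must fall back to a password check and regenerate the key. The key alias, the plaintext and the "store/send" step are assumptions for illustration; the API calls are the platform's own (API 23+, FingerprintManager is deprecated from API 28 in favour of BiometricPrompt, which takes the same CryptoObject idea).

```java
import android.hardware.fingerprint.FingerprintManager;
import android.os.CancellationSignal;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;

import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

// Added example, not the Google sample's or the answerer's code.
public class FingerprintCryptoExample {
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String KEY_NAME = "example_fingerprint_key"; // assumed alias
    private static final String TRANSFORMATION =
            KeyProperties.KEY_ALGORITHM_AES + "/"
            + KeyProperties.BLOCK_MODE_CBC + "/"
            + KeyProperties.ENCRYPTION_PADDING_PKCS7;

    /** Generates an AES key in the hardware-backed Keystore that is unusable until fingerprint auth. */
    public static void generateKey() throws Exception {
        KeyGenerator generator = KeyGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        generator.init(new KeyGenParameterSpec.Builder(KEY_NAME,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
                // Key can only be used after the user authenticates; enrolling a
                // new fingerprint permanently invalidates it (default on API 24+).
                .setUserAuthenticationRequired(true)
                .build());
        generator.generateKey();
    }

    /**
     * Returns a CryptoObject holding a Cipher bound to the Keystore key, or null
     * when the key was invalidated because a new fingerprint was enrolled. In the
     * null case the caller must re-verify the user (e.g. with the password) and
     * call generateKey() again, as the answer describes.
     */
    public static FingerprintManager.CryptoObject buildCryptoObject() throws Exception {
        KeyStore keyStore = KeyStore.getInstance(KEYSTORE);
        keyStore.load(null);
        if (!keyStore.containsAlias(KEY_NAME)) {
            generateKey(); // first run: nothing to invalidate yet
        }
        SecretKey key = (SecretKey) keyStore.getKey(KEY_NAME, null);
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        try {
            cipher.init(Cipher.ENCRYPT_MODE, key);
        } catch (KeyPermanentlyInvalidatedException e) {
            return null; // fingerprint set changed since the key was created
        }
        return new FingerprintManager.CryptoObject(cipher);
    }

    /** Shows the fingerprint prompt; the Cipher only works inside onAuthenticationSucceeded. */
    public static void authenticate(FingerprintManager manager,
                                    FingerprintManager.CryptoObject crypto,
                                    CancellationSignal cancel,
                                    final byte[] plaintext) {
        manager.authenticate(crypto, cancel, 0 /* flags */,
                new FingerprintManager.AuthenticationCallback() {
                    @Override
                    public void onAuthenticationSucceeded(
                            FingerprintManager.AuthenticationResult result) {
                        try {
                            // The ciphertext can only be produced if the Keystore
                            // unlocked the key after a genuine match, so it is
                            // evidence of authentication rather than a bare boolean.
                            Cipher cipher = result.getCryptoObject().getCipher();
                            byte[] ciphertext = cipher.doFinal(plaintext);
                            byte[] iv = cipher.getIV();
                            // store or send ciphertext + iv (assumed application step)
                        } catch (Exception e) {
                            // treat as an authentication failure
                        }
                    }

                    @Override
                    public void onAuthenticationFailed() {
                        // fingerprint did not match; the prompt stays active
                    }
                }, null /* handler: callbacks on the main thread */);
    }
}
```

The practical difference from passing a null CryptoObject is where the trust lives: with null, the only signal is the onAuthenticationSucceeded callback in app code, whereas with a CryptoObject the Keystore refuses to run the Cipher until the hardware has seen a match, so the encrypted (or signed) output is what the server or the app's own code verifies.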