I have gone through the android finger print sample provided by Google.
https://github.com/googlesamples/android-FingerprintDialog
As I am new to security standards, I am unable to understand the following.
Why do we need to use Keystore, key, CryptoObject, etc.? It could simply be: ask the fingerprint manager to authenticate the user and it simply returns the status (success/failed).
You don't have to. You can make fingerprint authentication without a CryptoObject, just pass a null value. Then you won't have to mess with the keystore and other stuff.
The only use of a CryptoObject in a Fingerprint Authentication context is to know if a new fingerprint was added since the last time the user authenticated via fingerprint.
Do I need to generate a new key every time, on each authentication?
If a new fingerprint is added, you will have to prompt a password to verify the user's identity and then generate new keys (because they became invalid when the new fingerprint was added).
Again, you won't have to mess with these if you pass a null CryptoObject.
Fingerprint authentication doesn't require a CryptoObject, in fact it's quite the opposite.
When you make cryptographic operations on Android, you can use one of these objects: Cipher, Signature, Mac (and others). One of these three can be used to build a CryptoObject.
When you generate keys for these objects, there is a method named setUserAuthenticationRequired(boolean) which makes the keys valid only if the user has authenticated via fingerprint before.
Thus, in the case of client/server communication for instance, if the client can use the keys, it means the user authenticated via fingerprint and their identity is known.
That said, you might want to check my library, which makes the whole thing a lot easier: