15

We are currently trying to sign data with biometrics, for which we use the androidx.biometric library.

The problem is that if no fingerprint is installed but a face is registered, we cannot generate any keys.

With fingerprint only, or with the combination of fingerprint and face, everything works perfectly.

With only the face registered we get the following exception during key generation:

Caused by: java.security.InvalidAlgorithmParameterException: java.lang.IllegalStateException: At least one biometric must be enrolled to create keys requiring user authentication for every use

Before we start the key generation, we test for the presence of biometrics as follows:

```java
boolean isAvailable = biometricManager.canAuthenticate() == BiometricManager.BIOMETRIC_SUCCESS;
```

The test device is a Samsung Galaxy S10 with Android 10.

Thank you for your help and best regards

Langohr
  • 4
    IIRC, the face recognition on the Galaxy S10 and some other devices is considered "weak" (as defined by the Android Compatibility Definition Document). So if you're trying to use BiometricPrompt with a CryptoObject on those devices, it will always fall back to using fingerprint instead, at least prior to Android R. If you don't have any fingerprints enrolled then there won't be anything to fall back to, and I guess that's why you're getting that error. Why `canAuthenticate` doesn't consider this when reporting its result I don't know. – Michael May 12 '20 at 13:31
  • 3
    The issue that is mentioned by @Michael can be found here: https://issuetracker.google.com/issues/147374428 – w3bshark Jul 24 '20 at 16:28
  • 1
    @Langohr did you manage to handle this issue? – AlejandroJS Aug 03 '20 at 14:38
  • Sadly no, we now do not offer face auth on the Galaxy S10 – Langohr Sep 23 '20 at 06:25
  • I have an idea of a workaround. I haven't tested it yet, since I don't have a device with face recognition at hand. But I think it will work. The point is to try to generate a key using the CryptoObject and wrap the whole thing in try-catch. Use this in addition to the canAuthenticate method. If we get an exception, then we consider that isAvailable == false. – Victor Cold Oct 08 '20 at 05:27
  • Sounds like it might work, I have one available (Galaxy S10) and will try your workaround – Langohr Oct 09 '20 at 06:31
  • Any resolution for this issue? – kgandroid Oct 29 '20 at 19:14

1 Answer

4

Google has updated the androidx biometric SDK. If you are going to use strong-type authentication in your application, authentication can be checked for the strong type. If your device is suitable for this, you can create a cryptoObject.

https://developer.android.com/jetpack/androidx/releases/biometric#1.1.0-alpha02

https://developer.android.com/reference/android/hardware/biometrics/BiometricManager#canAuthenticate(int)

```kotlin
val canAuthenticate = BiometricManager.from(context)
    .canAuthenticate(BiometricManager.Authenticators.BIOMETRIC_STRONG)
```

After this check, you can proceed to key generation.

Eniz Bilgin
  • This returns true in my case but I still get the OP's crash when trying to initialize the KeyPairGenerator, on a Pixel 3 XL API 29 emulator. – molundb Sep 29 '22 at 11:14
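
The following is an added example, not code from any of the posters above. It combines the `BIOMETRIC_STRONG` check from the answer with the try/catch workaround suggested in the comments, so the Keystore's refusal is treated as "unavailable" instead of crashing. The function name and key alias are hypothetical, and it assumes androidx.biometric 1.1.0 or later and API level 23 or later.

```kotlin
import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import java.security.InvalidAlgorithmParameterException
import java.security.KeyPair
import java.security.KeyPairGenerator
import java.security.spec.ECGenParameterSpec

// Hypothetical alias, chosen for this example only.
private const val KEY_ALIAS = "example_biometric_signing_key"

/**
 * Returns a Keystore-backed EC signing key pair whose private key requires
 * biometric authentication for every use, or null when this device cannot
 * provide one. Callers should hide biometric signing when null is returned.
 */
fun createBiometricSigningKeyOrNull(context: Context): KeyPair? {
    // Check 1: ask specifically for strong biometrics, the only class that
    // can unlock a CryptoObject. A no-argument canAuthenticate() may report
    // success for a face unlock that the Keystore does not accept.
    val status = BiometricManager.from(context).canAuthenticate(BIOMETRIC_STRONG)
    if (status != BiometricManager.BIOMETRIC_SUCCESS) return null

    val spec = KeyGenParameterSpec.Builder(KEY_ALIAS, KeyProperties.PURPOSE_SIGN)
        .setAlgorithmParameterSpec(ECGenParameterSpec("secp256r1"))
        .setDigests(KeyProperties.DIGEST_SHA256)
        // No validity duration is set, so the key needs authentication on
        // every use; this is the key type named in the exception message.
        .setUserAuthenticationRequired(true)
        .build()

    // Check 2: the Keystore has the final say. If it still rejects the spec
    // (as reported in the comments even after check 1 passed), report
    // "unavailable" to the caller instead of letting the exception escape.
    return try {
        KeyPairGenerator
            .getInstance(KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore")
            .apply { initialize(spec) }
            .generateKeyPair()
    } catch (e: InvalidAlgorithmParameterException) {
        // Wraps "At least one biometric must be enrolled to create keys
        // requiring user authentication for every use".
        null
    }
}
```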