react-native-keychain
[question] Device fingerprint change
How do I determine that user has changed (add/remove) fingerprint/touch id/face id?
why do you need this? Users cannot change biometric without passing the existing biometric verification first... so from security point of view, it does not matter, a user is still verified and valid.
P.S. depends on implementation on the device. Samsung just returns unique IDs for each fingerprint, but Huawei for example just returns the order number instead of unique IDs (or vice versa, I don't remember who is doing what correctly). But it's possible to detect.
@OleksandrKucherenko What I meant was that someone could somehow add new fingerprint to our device which means that he can now authenticate in the app. Most of bank applications inform us about such change and requires standard (non biometric) authentication.
I’m not sure if it works but we have “Biometry current set” option. Try to find it in the docs.
I'm using Keychain.ACCESS_CONTROL.BIOMETRY_CURRENT_SET - but it doesn't stop me from getting credentials after changing biometry settings (new fingerprint).
@OleksandrKucherenko android docs says something about setInvalidatedByBiometricEnrollment
```java
// Invalidate the keys if the user has registered a new biometric
// credential, such as a new fingerprint. Can call this method only
// on Android 7.0 (API level 24) or higher. The variable
// "invalidatedByBiometricEnrollment" is true by default.
```
https://developer.android.com/training/sign-in/biometric-auth#biometric-only
Can we set it somehow?
Looks like it is set to true by default? I too would like this feature.
@krutkowski86 @joelnewton
I set the following in CipherStorageBase.java, in the tryGenerateRegularSecurityKey() and tryGenerateStrongBoxSecurityKey() methods:
```java
.setUserAuthenticationRequired(true)
.setInvalidatedByBiometricEnrollment(true)
.build();
```
Can you please let me know if it works for you? (assuming you are willing to fork and make changes?)
Any updates on this topic? I use setInvalidatedByBiometricEnrollment(true) and I can still log in after adding / deleting a fingerprint.
Any update please, it's urgent!
Bump. Having the same issue
Any updates?
Same issue here
Any news? I've tried to add storage: Keychain.STORAGE_TYPE.RSA but I can still log in after adding / deleting a fingerprint.
Same here, .setInvalidatedByBiometricEnrollment(true) doesn't seem to work.
The current implementation doesn't support such a feature by just adding the flag. As of now the authentication is "time-bound" (setUserAuthenticationValidityDurationSeconds is set to 5 seconds), which means the Cipher can be used "asynchronously" between user authentication and encryption/decryption operations. If you want to use setInvalidatedByBiometricEnrollment properly you have to, as per documentation:
setUserAuthenticationRequired as true AND setUserAuthenticationValidityDurationSeconds as no positive value
It basically will produce a key that requires user authentication every time you need to perform an encryption/decryption operation, which means that every time the user authenticates (through biometry for instance) you have to perform cryptography tasks using the Cipher in a "sync" way.
Using the Cipher in a "sync" way forces you to pass it into a CryptoObject when you authenticate the user.
```java
protected BiometricPrompt authenticateWithPrompt(@NonNull final FragmentActivity activity) {
    final BiometricPrompt prompt = new BiometricPrompt(activity, executor, this);
    try {
        this.storage.getCachedInstance().init(Cipher.DECRYPT_MODE, context.key);
        prompt.authenticate(this.promptInfo, new BiometricPrompt.CryptoObject(this.storage.getCachedInstance()));
    }
    catch (final Throwable fail) {
        // any other exception treated as a failure
        this.onDecrypt(null, fail);
    }
    return prompt;
}
```
Then the same CryptoObject will be returned as result by onAuthenticationSucceeded callback.
```java
@Override
public void onAuthenticationSucceeded(@NonNull final BiometricPrompt.AuthenticationResult result) {
    result.getCryptoObject().getCipher()
    .......
}
```
Now the Cipher allows you to perform decryption of data.
Here comes the further limitation of the current implementation: currently both username and password are encrypted/decrypted, but using the above scheme the Cipher is unlocked only for a single operation per user authentication. Probably if we want to switch to this mode we should accept either not to encrypt the username or to merge both username and password into a single token-separated string.
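As an added example of the scheme described above (not react-native-keychain's own code): an Android Keystore key bound to a single operation and to the current biometric enrollment, a decrypt path that detects the invalidated key at init() time, and a CryptoObject-bound Cipher that decrypts both credentials in one doFinal(). The class name, key alias and the NUL-joined credential format are assumptions for this example.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import androidx.biometric.BiometricPrompt;
import androidx.fragment.app.FragmentActivity;
import java.security.KeyStore;
import java.util.concurrent.Executor;
import java.util.function.Consumer;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public final class EnrollmentBoundStore {
    private static final String ALIAS = "example_credentials"; // hypothetical key alias
    // Per-operation key: no setUserAuthenticationValidityDurationSeconds(), so enrollment invalidation applies (API 24+).
    static SecretKey generateKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setUserAuthenticationRequired(true)
                .setInvalidatedByBiometricEnrollment(true)
                .build());
        return kg.generateKey();
    }
    // Returns null if a fingerprint was added/removed since key creation: init() fails before any prompt is shown.
    static Cipher initDecrypt(byte[] iv) throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        try {
            c.init(Cipher.DECRYPT_MODE, (SecretKey) ks.getKey(ALIAS, null), new GCMParameterSpec(128, iv));
        } catch (KeyPermanentlyInvalidatedException e) {
            ks.deleteEntry(ALIAS); // make the user re-enrol biometrics after a password login
            return null;
        }
        return c;
    }
    // One authentication unlocks the Cipher for one doFinal(), so username and password are one NUL-joined blob.
    static void decrypt(FragmentActivity act, Executor ex, BiometricPrompt.PromptInfo info, Cipher cipher,
                        byte[] ciphertext, Consumer<String[]> onCreds) {
        new BiometricPrompt(act, ex, new BiometricPrompt.AuthenticationCallback() {
            @Override public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult r) {
                try { onCreds.accept(new String(r.getCryptoObject().getCipher().doFinal(ciphertext), "UTF-8").split("\u0000", 2)); }
                catch (Exception e) { onCreds.accept(null); } // wrong key state or tampered ciphertext
            }
        }).authenticate(info, new BiometricPrompt.CryptoObject(cipher));
    }
}
```

A null from initDecrypt() is the signal the thread is asking for: the stored key no longer opens, so the app falls back to its non-biometric login and re-encrypts with a fresh key.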
Hi everyone, our project requires that whenever the biometric setting changes (like adding/removing a fingerprint) the biometric config in the app should be removed.
I see that the lib react-native-biometrics can do that. But I think it would be nice if I could stick to this amazing lib.
Any suggestions, guys? Thanks
Are there any updates on this?
I am using react-native-biometrics but it also does not detect adding a new fingerprint.
react-native-biometrics does not do it currently, how can that be fixed?
I was trying to get this working on Android with this plugin but could not. react-native-sensitive-info does this out of the box.
It works on Android and throws a Key permanently invalidated error when biometrics are altered in the device settings.
It returns undefined when you retrieve data if you pass kSecAccessControl: 'kSecAccessControlBiometryCurrentSet', when you save data.