Feature request : Invalidate password on enrollment
Pima-Dev opened this issue · comments
This capacitor plugin is missing an important security option which should allow invalidating the password when a new biometric is added or removed. This option is available in https://github.com/niklasmerz/cordova-plugin-fingerprint-aio#optional-parameters-2 with the name invalidateOnEnrollment.
This is actually an issue because on Android the encryption key (used to encrypt/decrypt username and password) can be retrieved without being biometrically authenticated. This means that you don't technically need to call verifyIdentity before getting/setting/deleting credentials (although I highly recommend it).
See my ticket for more information: #80
I'll be submitting a PR soon to address this (as a breaking change) to set the credentials to require auth and be invalidated on biometric enrollment/removal.
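For readers following the thread, this is how the behaviour requested above maps onto the Android Keystore API. It is an added example, not code from this plugin or from the PR mentioned above; the class name and `KEY_ALIAS` are hypothetical, and only the encrypt path is shown.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public final class CredentialKey {
    private static final String KEY_ALIAS = "example_credential_key"; // hypothetical alias
    private static final String STORE = "AndroidKeyStore";

    /** Creates an AES-GCM key that cannot be used without user authentication. */
    static SecretKey create() throws GeneralSecurityException {
        KeyGenerator gen = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, STORE);
        gen.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                // Keystore refuses every operation until the user has authenticated.
                .setUserAuthenticationRequired(true)
                // Key is permanently invalidated when a biometric is enrolled (API 24+).
                .setInvalidatedByBiometricEnrollment(true)
                .build());
        return gen.generateKey();
    }

    /**
     * Returns a Cipher to wrap in BiometricPrompt.CryptoObject; doFinal() only
     * succeeds after the prompt authenticates the user. Returns null when the key
     * was invalidated: the caller must then discard the stored ciphertext and ask
     * the user to sign in with their password again.
     */
    static Cipher cipherForEncrypt() throws Exception {
        KeyStore ks = KeyStore.getInstance(STORE);
        ks.load(null);
        SecretKey key = (SecretKey) ks.getKey(KEY_ALIAS, null);
        if (key == null) key = create();
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, key);
            return cipher;
        } catch (KeyPermanentlyInvalidatedException e) {
            ks.deleteEntry(KEY_ALIAS); // old key is unusable; remove it
            return null;
        }
    }
}
```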