google / webauthndemo

An example Node.js Relying Party implementation of the WebAuthn specification

Home Page: https://try-webauthn.appspot.com


UVM extension returns all available verification methods instead of the actual method used.

gcbenjamin opened this issue · comments

I'm trying to limit the authentication to only allow fingerprint through on my device and not PIN or pattern. On a phone device at least, I don't believe PIN/pattern to be secure, as parents are always giving out the PIN to their children, and a pattern leaves a smudge on a dirty screen, meaning it's easily visible in the correct light (and is also given out to children).

I was hoping the UVM extension would be able to help, but it returns the same flags (fingerprint, PIN, pattern) every time, no matter which verification method I've used. This is blocking me from implementing passwordless authentication on my site (credit cards (PCI compliant) are stored so future purchases are simpler). Is that intended or a bug?

Hi,

This is working as intended. On Android P and earlier, we have implemented a custom fingerprint flow and can conclusively say fingerprint was used when the user uses that flow. However, on Q+, we rely on the framework to authenticate the user in all cases, using whatever method the user chooses. On Android devices today, that is either fingerprint, passcode, or face ID. Unfortunately, the framework does not expose the information on which method was used. Therefore, the value that you see is the logical OR of the bits defined in the specification [1].

[1] https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-registry-v2.0-id-20180227.html#user-verification-methods
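An added example (not code from the webauthndemo project) showing how a Relying Party would decode the `uvm` extension's userVerificationMethod bitfield and why the OR'd value described in the reply above cannot be used to enforce fingerprint-only. The bit values follow the FIDO registry linked in [1]; the sample extension outputs, including their keyProtectionType/matcherProtectionType fields, are constructed.

```javascript
// userVerificationMethod bit values from the FIDO registry (USER_VERIFY_*).
const USER_VERIFY = {
  PRESENCE: 0x0001,
  FINGERPRINT: 0x0002,
  PASSCODE: 0x0004,
  VOICEPRINT: 0x0008,
  FACEPRINT: 0x0010,
  LOCATION: 0x0020,
  EYEPRINT: 0x0040,
  PATTERN: 0x0080,
  HANDPRINT: 0x0100,
  NONE: 0x0200,
  ALL: 0x0400,
};

// Names of every method bit set in one uvm entry's userVerificationMethod.
function decodeUvmMethods(bits) {
  return Object.entries(USER_VERIFY)
    .filter(([, value]) => (bits & value) !== 0)
    .map(([name]) => name);
}

// True only if every entry proves that nothing outside allowedMask could
// have been used. A mask with several bits set (fingerprint | passcode |
// pattern, as reported on Android Q+) does not say which one was used, so
// the RP can only conclude "some method in this set" and must reject a
// fingerprint-only policy rather than assume fingerprint.
function verifiedExclusivelyBy(uvmEntries, allowedMask) {
  if (uvmEntries.length === 0) return false; // no evidence at all
  return uvmEntries.every(
    ([methodBits]) => methodBits !== 0 && (methodBits & ~allowedMask) === 0
  );
}

// Constructed samples: the uvm extension output is an array of triplets
// [userVerificationMethod, keyProtectionType, matcherProtectionType].
const androidQSample = [[0x0086, 0x01, 0x01]]; // fingerprint | passcode | pattern
const androidPSample = [[0x0002, 0x01, 0x01]]; // fingerprint only

console.log(decodeUvmMethods(androidQSample[0][0])); // [ 'FINGERPRINT', 'PASSCODE', 'PATTERN' ]
console.log(verifiedExclusivelyBy(androidQSample, USER_VERIFY.FINGERPRINT)); // false
console.log(verifiedExclusivelyBy(androidPSample, USER_VERIFY.FINGERPRINT)); // true
```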