smstuebe / xamarin-fingerprint

Xamarin and MvvmCross plugin for authenticating a user via fingerprint sensor

Allow possibility to disable face unlock on Android

eblis opened this issue · comments

commented

It would be nice if you could select which authentication methods are allowed, at least on Android systems.
Some Android vendors allow both fingerprint and face unlock, but certain sensible applications, like Bitwarden, shouldn't allow login via face, just by fingerprint.

An option in the code to select if you want strong authentication (fingerprint) or weak authentication (face) would be very nice.

This is a very requested feature in Bitwarden and as far as I can tell Bitwarden uses this plug-in for cross platform authentication.

Hi @eblis,

I'm the friendly issue checker.
It seems like (100.00 %) you haven't used our issue template 😢 I think it is very frustrating for the repository owners, if you ignore them.

If you think it's fine to make an exception, just ignore this message.
But if you think it was a mistake to delete the template, please close the issue and create a new one.

Thanks!

Hi!
As far as I found, it is not possible to set the Biometric Prompt type for the new API.
Here is a Google issue tracker, tracking that request:
https://issuetracker.google.com/issues/111315641

The only workaround would be implementing the old FingerprintManager. While deprecated, it still is functional enough for this purpose. Better explanation is here:
https://stackoverflow.com/a/52927192

commented

Does allowing just BIOMETRIC_STRONG allow both face and fingerprint unlock? I assumed that only fingerprint would be STRONG, whereas face unlock would be WEAK, but I haven't tested this yet (not sure how).

commented

I would say that most devices implement this correctly and would be a nice addition.
Also, even if they do not implement this correctly it wouldn't do any harm, so it would still be a nice addition, no?

I wouldn't say that. Even Samsung likes to have non-standard implementations (but I am not aware of anything in the area of biometric authentication so far). Huawei, for example, does not display any text on the prompts, even if I write the biometric authentication from zero.

I'm not against the feature either, I find the implementation okay for the most part, BUT without testing I find that more critical to take in productively when it's opt-out. Does it throw an error which needs to be handled specially? Does the end user just need to re-register his fingerprint? It should also be tested against different API levels, so that there are no problems already when setting the flags.

When it comes to security, it should be tested, especially if it could change the behavior.

commented

On the Samsung device I've seen the current implementation offers fingerprint unlock by default, and only if you want it switches to face unlock.
But on my personal phone, a Realme, only face unlock is available with the current implementation.
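
As an added example (not code from this plugin or from any commenter), this is how an app can request only the strong authenticator class through the AndroidX biometric library and fail closed when the platform cannot confirm it. It assumes androidx.biometric 1.1.0 or later; `canUseStrongBiometric` and `promptStrongOnly` are hypothetical helper names. `BIOMETRIC_STRONG` selects by security class, not by sensor type, so a face sensor the device certifies as strong is still accepted.

```kotlin
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity

// Hypothetical helper: true only when a strong-class biometric is enrolled and usable.
// Every other status is treated as "not available" so the caller fails closed.
fun canUseStrongBiometric(activity: FragmentActivity): Boolean =
    when (BiometricManager.from(activity).canAuthenticate(BIOMETRIC_STRONG)) {
        BiometricManager.BIOMETRIC_SUCCESS -> true
        // Nothing enrolled in the strong class (a weak-only face unlock lands here).
        BiometricManager.BIOMETRIC_ERROR_NONE_ENROLLED -> false
        // Older API levels may be unable to answer for a specific class.
        BiometricManager.BIOMETRIC_STATUS_UNKNOWN -> false
        // No hardware, hardware unavailable, unsupported, or security update required.
        else -> false
    }

// Hypothetical helper: shows the prompt restricted to strong biometrics.
// Returns false without prompting when the strong class is not available,
// so the app can fall back to its master password instead.
fun promptStrongOnly(
    activity: FragmentActivity,
    onUnlocked: () -> Unit,
    onError: (code: Int, message: CharSequence) -> Unit
): Boolean {
    if (!canUseStrongBiometric(activity)) return false

    val info = BiometricPrompt.PromptInfo.Builder()
        .setTitle("Unlock vault") // constructed sample text
        // A negative button is mandatory when DEVICE_CREDENTIAL is not allowed.
        .setNegativeButtonText("Use master password")
        .setAllowedAuthenticators(BIOMETRIC_STRONG)
        .build()

    val callback = object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) =
            onUnlocked()

        // Covers cancel, lockout and hardware errors; never treat these as success.
        override fun onAuthenticationError(errorCode: Int, errString: CharSequence) =
            onError(errorCode, errString)
    }

    BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
        .authenticate(info)
    return true
}
```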