IssueTracker

For Samsung devices having iris sensor like S8, if the user sets iris as his preferred biometric, it works well with current biometricPrompt.
But, the error code delivered from onAuthenticationError callback is very weird.
E.g., if the sensor is hard to detect user's iris since the face is so close, then the ERROR_HW_NOT_PRESENT is returned.
So, this issue needs to be resolved also. Since I'm thinking that Samsung iris meets the CDD requirements, at least, the application can use iris properly.

shinkieun@ could you file a new bug for that? A bugreport (adb bugreport foo.zip) and repro steps will be needed

Are you able to open public (view and/or comment) access to that spreadsheet so we can see what devices are included?

Thanks!

> For Samsung devices having iris sensor like S8, if the user sets iris as his preferred biometric, it works well with current biometricPrompt.

It's not actually true. In my tests, it will prompt you to scan your finger rather than scan your face, even though system settings asked for face scan. Also, we can observe the UserNotAuthenticatedException happening under the hood. S8, S9, S10 all have it.

I'm using androidx.biometric:biometric:1.0.0-rc01, and I'm having trouble with all my Samsung devices:
Samsung Galaxy A20e (Android 9, latest update)
- Fingerprint: Works fine
- Face recognition: android.security.KeyStoreException: Key user not authenticated

Samsung Galaxy Note8 (Android 9, latest update)
- Fingerprint: Works fine
- Iris: Works fine
- Face recognition: android.security.KeyStoreException: Key user not authenticated

Samsung Galaxy S9 (Android 9, latest update)
- Fingerprint: Works fine
- Iris: Works fine
- Intelligent Scan: Works fine
- Face recognition: BiometricPrompt.ERROR_NO_BIOMETRICS in onAuthenticationError in BiometricPrompt.AuthenticationCallback()

Samsung Galaxy S10 (Android 9, latest update)
- Fingerprint: Works fine
- Face recognition: BiometricPrompt.ERROR_NO_BIOMETRICS in onAuthenticationError in BiometricPrompt.AuthenticationCallback()

I don't understand how Samsung can use other than fingerprint on Android 9 when this page: https://source.android.com/security/biometric clearly states that Android 9 includes fingerprint integration for BiometricPrompt only.

Samsung confirmed to me this:

"From Android 10, Preferred biometric will be removed. BiometricPrompt will always show Fingerprint authentication by default.

The current plan to roll out Android 10 is late this year or early next year."

Basically, the original plan was to let the end user chose his preferred biometric method, but (copying Apple) Google now goes for either fingerprint or Face ID. E.g. the new Pixel 4 is Face ID only.

Project: platform/frameworks/support
Branch: androidx-master-dev

commit e0ddc6a9ef6fcb8a8a97817220ebaa5297fafb31
Author: Curtis Belmonte <curtislb@google.com>
Date:   Tue Oct 08 11:02:50 2019

    Add device list to dismiss fingerprint dialog instantly
   
    Introduces a list of device models for which FingerprintDialogFragment
    should be dismissed immediately on receiving an error or cancel signal.
    This makes for a better user experience on devices that, for example,
    provide custom overlays during fingerprint authentication.
   
    Test: Manually, using crypto-bound key demo in support demo app
    Bug: 142150327
    Change-Id: Ic08bebb29f75aba98daf68a67b7c38c37bdb69dc

M       biometric/res/values/devices.xml
M       biometric/src/main/java/androidx/biometric/FingerprintDialogFragment.java
M       biometric/src/main/java/androidx/biometric/FingerprintHelperFragment.java
M       biometric/src/main/java/androidx/biometric/Utils.java

https://android-review.googlesource.com/1137656
https://goto.google.com/android-sha1/e0ddc6a9ef6fcb8a8a97817220ebaa5297fafb31

Project: platform/frameworks/support
Branch: androidx-master-dev

commit 93823c71dc8fcc577814c74f5e40793e6eb2a0c1
Author: Curtis Belmonte <curtislb@google.com>
Date:   Mon Oct 07 14:29:40 2019

    Add device list to force crypto auth via fingerprint
   
    Introduces a list of device models for which
    BiometricPrompt#authenticate will launch FingerprintDialogFragment
    instead of BiometricFragment when called with a crypto object. This
    is intended to work around an issue on some devices where crypto-based
    authentication can be launched with weak biometrics.
   
    Test: Manually using crypto-bound key demo in support demo app
    Bug: 142150327
    Change-Id: I1ff043ed0e7f7a72e3dab79fe54142480baac3a3

A       biometric/res/values/devices.xml
M       biometric/src/main/java/androidx/biometric/BiometricPrompt.java
M       biometric/src/main/java/androidx/biometric/Utils.java

https://android-review.googlesource.com/1137655
https://goto.google.com/android-sha1/93823c71dc8fcc577814c74f5e40793e6eb2a0c1

Project: platform/frameworks/support
Branch: androidx-master-dev

commit 48887dbde866b1473fdb924e9b0509bd0114f7e4
Author: Curtis Belmonte <curtislb@google.com>
Date:   Wed Oct 16 14:42:06 2019

    Add Samsung devices to biometric workaround lists
   
    Adds prefixes for Samsung devices that are known to present weak
    biometrics when calling BiometricPrompt#authenticate(PromptInfo,
    CryptoObject) on API 28 and 29. This allows developers calling into the
    BiometricPrompt API through the AndroidX library to work around the
    issue on these devices and their variants.
   
    Test: Manually tested with Samsung devices in biometric demo app.
    Bug: 142150327
    Change-Id: Ia11672db30806ae41f37461ccbcbce758121573e

M       biometric/res/values/devices.xml

https://android-review.googlesource.com/1145111
https://goto.google.com/android-sha1/48887dbde866b1473fdb924e9b0509bd0114f7e4

Project: platform/frameworks/support
Branch: androidx-master-dev

commit 10435ab81f5e20d69a4780eb7f1f713ac9762961
Author: Curtis Belmonte <curtislb@google.com>
Date:   Wed Oct 16 14:33:20 2019

    Update biometric workaround to use model prefixes
   
    Makes the existing device-specific workaround to fall back to
    FingerprintDialogFragment more general by updating it to expect device
    model prefixes, rather than exact string device models to match against.
    This allows us to cover device variants with different model suffixes.
   
    Test: Manually, using the biometric support demo app.
    Bug: 142150327
    Change-Id: I3a109b8bdcf8a4bf59597cb99bf6b702734166cb

M       biometric/res/values/devices.xml
M       biometric/src/main/java/androidx/biometric/Utils.java

https://android-review.googlesource.com/1145110
https://goto.google.com/android-sha1/10435ab81f5e20d69a4780eb7f1f713ac9762961

  The following changes were cherrypicked through Coastguard (https://android-build.googleplex.com/coastguard/)
  Release Track: (https://android-build.googleplex.com/coastguard/dashboard/5176090922385408/#/cherrypickHistory/all)
  Created: 2019-10-17 01:13:42.291290+00:00
  Changes: aosp/1145123, aosp/1145121, aosp/1145122, aosp/1145119
 

Fix is merged and will be in the 1.0.0-rc02 release.

Hi. Appreciate the good job being done to cater for rebellious OEMs like Samsung. Please any idea when the rc02 release scheduled for? I kinda have my PM on my neck and a precise date or date range even will go a long way in keeping her calm rn.

RC02 is scheduled for 10/23

Thank you very much.

I looked at the list (biometric/res/values/devices.xml) and I'm a little concerned that there are other Samsung devices with face recognition that is not covered.

In the list the following devices are blacklisted:
- Samsung Galaxy S8/S8+
- Samsung Galaxy S9/S9+
- Samsung Galaxy S10/S10+
- Samsung Galaxy Note 8
- Samsung Galaxy Note 9
- Samsung Galaxy Note 10/10+
- Samsung Galaxy A20/A20e

But, by doing some quick research, I found that some other models also includes face recognition:
- Samsung Galaxy S10e
- Samsung Galaxy A8/A8+
- Samsung Galaxy A9
- Samsung Galaxy A10
- Samsung Galaxy A40
- Samsung Galaxy A50
- Samsung Galaxy A70

Probably many others includes face recognition as well. I can't rely on this blacklisting if you have to add every device to that list.

"From Android 10, Preferred biometric will be removed. BiometricPrompt will always show Fingerprint authentication by default."

This is ridiculous. I use Iris all the time on my S8 and it's much preferred over Fingerprint or Face. Why is Google always trying to fix what ain't broke. There is irony in the fact that they even removed Fingerprint sensor from Pixel 4, yet that is the default now?

...and they wonder why Android gets a bad rap compared to IOS. Infuriating and backwards policies they force upon users/developers.

"From Android 10, Preferred biometric will be removed. BiometricPrompt will always show Fingerprint authentication by default."

That is a Samsung policy, please complain to them.

I think #18 is right in that Google messed up here.

1. Fingerprint API could handle Face ID (especially because it is one or the other), instead now you cannot login on Pixel 4 when an app is still on Fingerprint APIs

2. They wrote a new API instead for Face (again, there was no reason for it) AND intentionally blocked Samsung face tech out of it by categorizing them as "unsupported weak biometrics"

Samsung now says they will offer Iris on Android 10 but first you always get a fingerprint dialog and then you get a button or something within that dialog to go to Iris. Pretty UX, don't expect seamless logins. Even if your phone unlock is on Iris, you still get fingerprint every time.

Since Android devices might have multi biometric sensors, it would be better to have something to support such biometrics.

Today we released an update to our app which includes androidx.biometricprompt:1.0.0, and exactly what I commented on October 29th has happened:
A user with Samsung A70 (which is not blacklisted by Google) gets the UserNotAuthenticatedException because he has face recognition set as preferred biometrics, and tries to log into our app. You can't blacklist every Samsung device! You have to fix this another way!

We are facing similar issue on our app. We released a version with biometricprompt:1.0.0, but looks like users on devices like Samsung A8 are still having issues. Google needs to put a proper fix for this issue instead of maintaining a weak device list.

We are facing similar issue in our app. Samsung devices where i have not setup any fingerprint but can unlock with face or iris, is failing at key store usage with exception. Need an update at AndroidX library fix and google should release security patch to address biometric library usage.

I'm experiencing ERROR_NO_BIOMETRICS error, when using authenticate(CryptoObject) with face recognition set as preferred on Samsung A50 Android 9 with latest updates. Shouldn't samsung use fingerprint as a fallback method?

Setting preferred method to fingerprint works great.

Samsung A50 is not on the device list maintained by the Biometric Prompt API and hence it does not fallback to fingerprint. Google needs to fix this another way as mentioned in #22.

how is everyone handling this scenario on Samsung devices not on the list and hence not falling back to fingerprint ?

If a Samsung user has face scan/iris enrolled and not fingerprint, is there a way to detect this? Using BiometricManager.canAuthenticate will return BIOMETRIC_SUCCESS, but that is kind of misleading as they will not be able to use the prompt. I would like the ability to not show biometrics as an option to the user, but seem kind of stuck. Am I not handling this correctly or does anyone else have the same issue?