BiometricPrompt should fall back to inserting pin/password/pattern when no biometric hardware is present. [149579143]

Fixed

Feature Request

[AOSP] assigned

Status Update

No update yet.

Description

al...@gmail.com

created issue #1

Feb 15, 2020 02:24PM

Currenly BiometricPrompt::authenticate() just exists (with error callback) when no biometric hardware support is detected.
That is an issue because apps will start using it as their default authentication method. This includes the AOSP Settings app, which uses BiometricPrompt to authenticate the user when generating a WiFi QR-Code to share (Wi-Fi DPP). When trying to do so on a locked device with no biometric hardware, simply nothing happens.

I propose that BiometricPrompt should fall back to asking for pin/password/pattern.
Alternatively, a new API could be introduced for prompting the user to authenticate, which would call BiometricPrompt if hardware is present, else direclty show a PIN/password/pattern insertion activity.

Comments

vk...@google.com <vk...@google.com> Feb 17, 2020 03:07AM

Assigned to vk...@google.com.

al...@gmail.com <al...@gmail.com> #2Feb 17, 2020 08:52AM

Hi Ed, Thank you so much for these suggestions. I've been reviewing them and merging them in. Hopefully it should be live. I've included a thank you note too in the article.

vk...@google.com <vk...@google.com> #3Feb 17, 2020 11:49AM

Great! Thanks a lot, I'll look for the live updates soon!

vk...@google.com <vk...@google.com> Feb 17, 2020 01:02PM

Reassigned to an...@google.com.

sh...@gmail.com <sh...@gmail.com> #4Feb 20, 2020 09:10AM

Before supporting this from new biometricprompt jetpack or AOSP, are we need to use deprecated createConfirmDeviceCredentialIntent API to support devices with no biometric sensor?

al...@gmail.com <al...@gmail.com> #5Feb 24, 2020 08:43PM

Actually, I found AOSP already has all the pieces in place to support authentication via BiometricPrompt even with no hardware, by falling back to CDC. It just needs BiometricService to be started, which is currently prevented if no hardware is present.
I pushed a patch to AOSP gerrit for review:

https://android-review.googlesource.com/c/platform/frameworks/base/+/1243108

cu...@google.com <cu...@google.com> Aug 17, 2020 06:53PM

Reassigned to cu...@google.com.

cu...@google.com <cu...@google.com> Sep 21, 2020 11:17PM

Accepted by cu...@google.com.

ap...@google.com <ap...@google.com> #6Sep 22, 2020 06:14PM

Marked as fixed.

Project: platform/frameworks/support
Branch: androidx-master-dev

commit cdfdb2f65f62c72e2da0d86819c2af462a097723
Author: Curtis Belmonte <curtislb@google.com>
Date: Mon Sep 21 15:12:54 2020

Fall back to credential on biometric lockout for API <29

On Android 10 (API level 29) and above, the framework BiometricPrompt
will fall back to device credential authentication (if allowed) when
biometric authentication is (temporarily or permanently) locked out.
This commit adds this fallback behavior to the AndroidX BiometricPrompt
on devices with API level 28 and below.

Test: ./gradlew biometric:biometric:test
Test: ./gradlew biometric:biometric:connectedAndroidTest
Test: ./gradlew biometric:integration-tests:testapp:connectedAndroidTest
Test: Biometric integration test app on API 27-30:
1. Select options for BIOMETRIC_WEAK and DEVICE_CREDENTIAL
2. Press "authenticate" to show the prompt
3. Present an incorrect biometric 5 times in quick succession
4. Ensure the confirm device credential UI is shown and works correctly

Fixes: 149579143
Change-Id: Id4c810bb6578686776594d77068e2be17372cd16

M biometric/biometric/src/main/java/androidx/biometric/BiometricFragment.java
M biometric/biometric/src/main/java/androidx/biometric/ErrorUtils.java
M biometric/biometric/src/test/java/androidx/biometric/ErrorUtilsTest.java

https://android-review.googlesource.com/1433463