Authenticators backport is broken on an API 29 Pixel 4 [170406186]

Fixed

Bug

Status Update

No update yet.

Description

ph...@monzo.com

created issue #1

Oct 9, 2020 09:43AM

On an API 29 Pixel 4 androidx.biometric.BiometricManager#canAuthenticate(Authenticators.BIOMETRIC_STRONG) returns BIOMETRIC_STATUS_UNKNOWN. I believe this is because the canAuthenticate(CryptoObject) method only works on Samsung devices - as far as I can tell it has never existed in AOSP.

Some possible solutions (there may well be reasons not to do these things):

Adding non-Samsung devices with strong face unlock to the assume_strong_biometrics_prefixes array, which is currently empty. Devices with fingerprint should be OK because they fall back to canAuthenticateWithFingerprintOrUnknown(), but I haven't actually tested this.
Attempt to create an auth-per-use key pair (setUserAuthenticationValidityDurationSeconds(-1)) in AndroidKeyStore, which fails with the following exception if the user doesn't have strong biometrics available & enrolled (I don't know if this is reliable across OEMs and API versions):

java.security.InvalidAlgorithmParameterException: java.lang.IllegalStateException: At least one biometric must be enrolled to create keys requiring user authentication for every use
        at android.security.keystore.AndroidKeyStoreKeyPairGeneratorSpi.initialize(AndroidKeyStoreKeyPairGeneratorSpi.java:349)
        at java.security.KeyPairGenerator$Delegate.initialize(KeyPairGenerator.java:697)
        at java.security.KeyPairGenerator.initialize(KeyPairGenerator.java:438)
        ...

BUILD INFO

Device type: Pixel 4
OS version: 10 (API 29)
Biometric library version: 1.1.0-beta01

STEPS TO REPRODUCE

Have API 29 Pixel 4 with face unlock turned on.
Call androidx.biometric.BiometricManager#canAuthenticate(Authenticators.BIOMETRIC_STRONG)

EXPECTED RESULTS

Receive BIOMETRIC_SUCCESS.

OBSERVED RESULTS

Receive BIOMETRIC_STATUS_UNKNOWN.

NUMBER OF TIMES YOU WERE ABLE TO REPRODUCE (e.g. 3/10)

10/10

Comments

ph...@monzo.com <ph...@monzo.com> #2Oct 9, 2020 04:01PM

This happens to me when using pattern+fingerprint on api 29 using 1.0.1

cu...@google.com <cu...@google.com> Oct 19, 2020 05:15PM

Reassigned to cu...@google.com.

cu...@google.com <cu...@google.com> Oct 21, 2020 12:25AM

Accepted by cu...@google.com.

ap...@google.com <ap...@google.com> #3Oct 21, 2020 08:33PM

Marked as fixed.

happens to me on Android P using 1.0.1

ph...@monzo.com <ph...@monzo.com> #4Oct 23, 2020 08:17AM

Is there any workaround for this? Can we expect this to be fixed?

[Deleted User] <[Deleted User]> #5Dec 20, 2020 02:23PM

I am facing the same problem too! Is there any solution to this problem?

re...@infinum.com <re...@infinum.com> #6Jan 7, 2021 10:16AM

Still seeing this issue on Android 10 Pixel 4.

re...@infinum.com <re...@infinum.com> #7Jan 7, 2021 10:18AM

Our team is facing this issue as well. What are the alternatives available right now apart from cloning the library and changing the behavior?