javascript - Cordova fingerprint authentication on server - Stack Overflow

I am trying to create an authentication mechanism in my (Cordova) app for Android that will allow my users to sign in using a password and username, or allow them to scan their finger in order to sign in.

How can one verify a fingerprint registered on a client, server side? Is this even possible at all using Cordova? I tried transmitting the result of a finger scan to my server. This looked like:

FingerprintAuth.isAvailable(function(result) {
  if (result.isAvailable) {
    if(result.hasEnrolledFingerprints){
      FingerprintAuth.show({
        clientId: client_id,
        clientSecret: client_secret
      }, function (result) {
        alert(JSON.stringify(result));

        $http.post('http://192.168.149.33:3000/authorize', result).then(
          function(response) {}
        );

        if (result.withFingerprint) {
          $scope.$parent.loggedIn = true;
          alert("Successfully authenticated using a fingerprint");
          $location.path( "/home" );
        } else if (result.withPassword) {
          alert("Authenticated with backup password");
        }
      }, function(error) {
        console.log(error); // "Fingerprint authentication not available"
      });
    } else {
      alert("Fingerprint auth available, but no fingerprint registered on the device");
    }
  }
}, function(message) {
  alert("Cannot detect fingerprint device : "+ message);
});

Server side I am receiving the following data (3 separate scans):

{ withFingerprint: 't8haYq36fmBPUEPbVjiWOaBLjMPBeUNP/BTOkoVtZ2ZiX20eBVzZAs3dn6PW/R4E\n' }
{ withFingerprint: 'rA9H+MIoQR3au9pqgLAi/EOCRA9b0Wx1AvzC/taGIUc8cCeDfzfiDZkxNy5U4joB\n' }
{ withFingerprint: 'MMyJm46O8MTxsa9aofKUS9fZW3OZVG7ojD+XspO71LWVy4TZh2FtvPtfjJFnj7Sy\n' }

The patterns seem to vary every time. Is there a way one can link the fingerprint to, for example, a pattern saved under a user on a database?

asked Sep 27, 2016 at 11:07 by Mark Stroeven; edited Nov 8, 2017 at 19:00 by Sonicd300
  • I believe plugins should be the way to go for such implementations. Please check out this plugin - github.com/mjwheatley/cordova-plugin-android-fingerprint-auth – Gandhi Commented Oct 1, 2016 at 6:14
  • Hi Mark, I have a doubt. How to get the clientid and client_secret? – HariKrishnan.P Commented Feb 9, 2017 at 20:56
  • @HariKrishnan.P I think you will have to dive into native code for that. Or you could search for a Cordova plugin which interfaces with that native functionality. – Mark Stroeven Commented Feb 22, 2017 at 0:41
  • @Gandhi - I have already used the above plugin, but in which format do we have to store the fingerprint in the db, like string or any image? – Kapil Soni Commented Dec 18, 2019 at 16:17
3 Answers

Short answer

The strings returned by this API are not "fingerprint patterns". So you won't be able to authenticate the way you're thinking...

Long answer

Let's start by looking at the source code of the API it looks like you're using.

Looking at this file we see these methods:

public static void onAuthenticated(boolean withFingerprint) {
    JSONObject resultJson = new JSONObject();
    String errorMessage = "";
    boolean createdResultJson = false;
    try {

        if (withFingerprint) {
            // If the user has authenticated with fingerprint, verify that using cryptography and
            // then return the encrypted token
            byte[] encrypted = tryEncrypt();
            resultJson.put("withFingerprint", Base64.encodeToString(encrypted, 0 /* flags */));
        } else {
            // Authentication happened with backup password.
            resultJson.put("withPassword", true);

            // if failed to init cipher because of InvalidKeyException, create new key
            if (!initCipher()) {
                createKey();
            }
        }
        createdResultJson = true;

// ...

/**
 * Tries to encrypt some data with the generated key in {@link #createKey} which is
 * only works if the user has just authenticated via fingerprint.
 */
private static byte[] tryEncrypt() throws BadPaddingException, IllegalBlockSizeException {
    return mCipher.doFinal(mClientSecret.getBytes());
}

Look at what's being put to "withFingerprint". It's a Base64 encoding of the encrypted client secret. Technically, this is your authentication. You would use this token to authenticate requests and your server would decrypt and validate the client secret.

Summary

Fingerprinting adds a level of security, but it is not the only means of security. A relationship needs to be established with the device and server beforehand.

I found this diagram to be helpful in understanding the intent of android's fingerprint authentication (ref: http://android-developers.blogspot.com/2015/10/new-in-android-samples-authenticating.html)
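One way to establish the device-server relationship mentioned above, as an added example that is not code from the answer or from the plugin: the device registers a public key at enrollment and, after a local fingerprint unlock, signs a one-time server nonce. It uses a signature rather than the plugin's encrypted client secret; all function names and the in-memory stores are assumptions, and a Node key pair stands in for a key held in the device keystore.

```javascript
const nodeCrypto = require('node:crypto');

// Hypothetical in-memory stores; a real server would persist these per user.
const enrolledKeys = new Map();  // userId -> PEM public key
const pendingNonces = new Map(); // userId -> { nonce, expires }

// Enrollment: run once, inside a session already authenticated by password.
function enrollDevice(userId, publicKeyPem) {
  enrolledKeys.set(userId, publicKeyPem);
}

// Login step 1: give the client a fresh, single-use nonce to sign.
function issueChallenge(userId, ttlMs = 60000) {
  const nonce = nodeCrypto.randomBytes(32).toString('base64');
  pendingNonces.set(userId, { nonce, expires: Date.now() + ttlMs });
  return nonce;
}

// Login step 2: accept only a valid signature over the nonce we issued.
function verifyLogin(userId, signatureB64) {
  const pending = pendingNonces.get(userId);
  pendingNonces.delete(userId); // consumed even on failure, so no replay
  const publicKeyPem = enrolledKeys.get(userId);
  if (!pending || !publicKeyPem || Date.now() > pending.expires) return false;
  try {
    return nodeCrypto.verify('sha256', Buffer.from(pending.nonce), publicKeyPem,
      Buffer.from(signatureB64, 'base64'));
  } catch (err) {
    return false; // malformed key or signature
  }
}

// Stand-in for the phone: on a device the private key would stay in the
// keystore and only be usable after the fingerprint prompt succeeds.
function makeDevice() {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  return {
    publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }),
    sign: (nonce) =>
      nodeCrypto.sign('sha256', Buffer.from(nonce), privateKey).toString('base64'),
  };
}

// Constructed demo run: enroll, challenge, sign, verify.
const demoDevice = makeDevice();
enrollDevice('demo-user', demoDevice.publicKeyPem);
const demoNonce = issueChallenge('demo-user');
console.log('login accepted:', verifyLogin('demo-user', demoDevice.sign(demoNonce)));
```

The server never sees biometric data; it only learns that the holder of the enrolled key signed this particular nonce.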

You can't authenticate a fingerprint on the server; fingerprints are stored or authenticated using a Live Scan/Biometric template. Authentication is done by comparing the current scan template with previously stored templates.

First of all, you don't have access to these stored templates (not provided by the OS providers/phone manufacturers), and if we assume that you have access to those templates, then an efficient algorithm (image based/pattern based) is required to compare the current template with previously stored templates. You can't simply authenticate it by string comparison.

Use cordova-plugin-fingerprint-aio for fingerprint authentication.

For further info you can consult https://www.npmjs.com/package/cordova-plugin-fingerprint-aio.
