MASTG-BEST-0031: Enforce Strong Biometrics for Sensitive Operations

Apps should use the BIOMETRIC_STRONG authenticator for sensitive operations protected by biometrics. DEVICE_CREDENTIAL (PINs, patterns or passwords) is more susceptible to shoulder surfing and social engineering.

For high-security operations (e.g. payments or access to health data), enforcing biometrics alone, with no fallback to a device credential, provides strong protection and verifies user presence.
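The following Kotlin is an added example, not code from the MASTG page, showing a weak BiometricPrompt configuration (the pattern MASTG-TEST-0326 flags) beside one that enforces BIOMETRIC_STRONG. It assumes the AndroidX Biometric library (androidx.biometric), API level 30 or higher for `setUserAuthenticationParameters`, and a hypothetical key alias `payment_key`; it goes slightly beyond the text by also binding an Android Keystore key to strong biometrics, so that the key cannot be used if the prompt is bypassed.

```kotlin
// Added example (not part of the MASTG page). Assumes AndroidX Biometric and API 30+.
import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_WEAK
import androidx.biometric.BiometricManager.Authenticators.DEVICE_CREDENTIAL
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

const val KEY_ALIAS = "payment_key" // hypothetical alias, chosen for this example

// WEAK: DEVICE_CREDENTIAL lets the user skip biometrics with a PIN/pattern/password,
// and BIOMETRIC_WEAK admits class 2 sensors. This is what MASTG-TEST-0326 looks for.
fun weakPromptInfo(): BiometricPrompt.PromptInfo =
    BiometricPrompt.PromptInfo.Builder()
        .setTitle("Confirm payment")
        .setAllowedAuthenticators(BIOMETRIC_WEAK or DEVICE_CREDENTIAL)
        .build()

// STRONG: class 3 biometrics only, no device-credential fallback. A negative
// button text is mandatory once DEVICE_CREDENTIAL is excluded.
fun strongPromptInfo(): BiometricPrompt.PromptInfo =
    BiometricPrompt.PromptInfo.Builder()
        .setTitle("Confirm payment")
        .setSubtitle("Biometric verification is required")
        .setAllowedAuthenticators(BIOMETRIC_STRONG)
        .setNegativeButtonText("Cancel")
        .setConfirmationRequired(true) // explicit user presence for the sensitive action
        .build()

// Refuse the operation rather than silently downgrading when the device cannot
// satisfy BIOMETRIC_STRONG.
fun strongBiometricsAvailable(context: Context): Boolean =
    BiometricManager.from(context).canAuthenticate(BIOMETRIC_STRONG) ==
        BiometricManager.BIOMETRIC_SUCCESS

// Keystore key usable only after a strong biometric, per use (timeout 0), and
// invalidated when a new biometric is enrolled.
fun createStrongAuthKey(): SecretKey {
    val spec = KeyGenParameterSpec.Builder(
        KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setUserAuthenticationRequired(true)
        .setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)
        .setInvalidatedByBiometricEnrollment(true)
        .build()
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        .apply { init(spec) }
        .generateKey()
}

fun loadKey(): SecretKey {
    val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    return (ks.getKey(KEY_ALIAS, null) as? SecretKey) ?: createStrongAuthKey()
}

// Gate the sensitive operation on a strong biometric and hand the caller the
// cipher that the Keystore actually unlocked.
fun authorizePayment(
    activity: FragmentActivity,
    onAuthorized: (Cipher) -> Unit,
    onDenied: (String) -> Unit
) {
    if (!strongBiometricsAvailable(activity)) {
        onDenied("Strong biometrics not available on this device")
        return
    }
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        .apply { init(Cipher.ENCRYPT_MODE, loadKey()) }
    val callback = object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
            // Use the cipher returned in the result, not one cached elsewhere.
            result.cryptoObject?.cipher?.let(onAuthorized) ?: onDenied("No crypto object")
        }
        override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
            onDenied(errString.toString())
        }
    }
    BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
        .authenticate(strongPromptInfo(), BiometricPrompt.CryptoObject(cipher))
}
```

When reviewing an app, check both halves: the `setAllowedAuthenticators` value passed to the prompt and the `setUserAuthenticationParameters` type on the Keystore key. A prompt restricted to BIOMETRIC_STRONG does little if the key it protects also accepts AUTH_DEVICE_CREDENTIAL, and a CryptoObject-bound key is what makes the biometric check enforceable by the Keystore rather than only by app logic.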

Tests

MASTG-TEST-0326: References to APIs Allowing Fallback to Non-Biometric Authentication