
MASTG-BEST-0036: Use Cryptographic Binding for Biometric Authentication

For sensitive operations protected by biometric authentication, use BiometricPrompt.authenticate() with a CryptoObject backed by an Android Keystore key configured with setUserAuthenticationRequired(true). This cryptographically binds the authentication result to the key operation, ensuring that the sensitive operation can only proceed after successful biometric verification.

Without a CryptoObject, authentication is event-bound and relies solely on the onAuthenticationSucceeded callback. This makes it susceptible to runtime logic manipulation, for example by hooking the callback to return success without actually passing biometric verification.

Keystore Key Configuration

When generating the key with KeyGenParameterSpec.Builder, configure:

  • setUserAuthenticationRequired(true): requires the user to authenticate before the key can be used.
  • setUserAuthenticationParameters(0, type): a timeout of 0 requires authentication for every individual cryptographic operation. Avoid extended validity durations for sensitive operations, as the key remains usable for the entire validity window even if the device is later accessed by an unauthorized person.

Note

setUserAuthenticationValidityDurationSeconds(int) is deprecated from API level 30 in favor of setUserAuthenticationParameters(int, int).
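The two halves of this practice together, as an added Kotlin example (not code from the MASTG page or any project): the key is generated with auth-per-operation, then used only through the CryptoObject that BiometricPrompt hands back. Assumptions: minSdk 30 (for setUserAuthenticationParameters), the androidx.biometric dependency, a hypothetical key alias, and an activity and executor supplied by the caller.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricPrompt
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import java.util.concurrent.Executor
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

private const val ALIAS = "payment_confirm_key" // hypothetical alias, not from the page

// AES key that is unusable until a strong biometric is verified, and that must be
// re-authorized for every single operation (timeout 0, per MASTG-BEST-0036).
fun generateBiometricBoundKey(): SecretKey {
    val spec = KeyGenParameterSpec.Builder(ALIAS,
            KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setUserAuthenticationRequired(true)
        // 0 = authenticate per operation; replaces the deprecated
        // setUserAuthenticationValidityDurationSeconds(int)
        .setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)
        .setInvalidatedByBiometricEnrollment(true) // newly enrolled biometrics void the key
        .build()
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        .apply { init(spec) }.generateKey()
}

private fun loadKey(): SecretKey =
    KeyStore.getInstance("AndroidKeyStore").apply { load(null) }.getKey(ALIAS, null) as SecretKey

// Crypto-bound flow: the Keystore only completes doFinal() after a real match, so a
// callback invoked without one (e.g. by a runtime hook) has no authorized cipher to use.
fun encryptAfterBiometric(activity: FragmentActivity, executor: Executor, plaintext: ByteArray,
                          onDone: (iv: ByteArray, ciphertext: ByteArray) -> Unit) {
    val cipher = Cipher.getInstance("AES/GCM/NoPadding").apply { init(Cipher.ENCRYPT_MODE, loadKey()) }
    val promptInfo = BiometricPrompt.PromptInfo.Builder()
        .setTitle("Confirm payment")
        .setNegativeButtonText("Cancel")
        .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG) // matches key type
        .build()
    val callback = object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
            // Use the cipher the system returns, never the one captured in the enclosing scope.
            val authorized = result.cryptoObject?.cipher ?: return
            onDone(authorized.iv, authorized.doFinal(plaintext))
        }
    }
    BiometricPrompt(activity, executor, callback).authenticate(promptInfo, BiometricPrompt.CryptoObject(cipher))
}
```

The event-bound anti-pattern the page warns about is the same flow with `authenticate(promptInfo)` alone and the sensitive operation performed directly inside onAuthenticationSucceeded.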

Tests

  • MASTG-TEST-0330: References to APIs for Keys used in Biometric Authentication with Extended Validity Duration
  • MASTG-TEST-0327: References to APIs for Event-Bound Biometric Authentication