
MASTG-BEST-0038: Require Explicit User Confirmation for Biometric Authentication

For sensitive operations that require explicit user authorization (e.g., payments or access to health data), call setConfirmationRequired(true) on the prompt builder (BiometricPrompt.Builder in the platform API, BiometricPrompt.PromptInfo.Builder in the AndroidX Biometric library), or leave the setting at its default, which is true. Setting it explicitly is preferable: it makes the intent visible in code review and turns a later change to false into a reviewable diff.

When setConfirmationRequired(false) is used, passive biometric modalities such as face or iris recognition can authenticate the user implicitly the moment the sensor recognizes them, with no tap on a confirmation button. Authentication can therefore complete while the user is merely looking at the device, without them actively acknowledging the specific operation being authorized. That is acceptable for low-risk actions such as unlocking the app, but not for high-value actions that the user should consciously approve.

The Android documentation notes that explicit confirmation provides assurance that the user intentionally initiated the sensitive operation, particularly when passive biometric modalities are used. It also describes the setting as a hint: the system may ignore it, for example where the modality already requires an explicit user action (fingerprint), or it may show a confirmation button without strictly requiring it. The flag should therefore be treated as a necessary setting for sensitive flows, not as a guarantee of a confirmation step on every device.
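The following Kotlin snippet is an added example, not code from the MASTG project, showing the recommended configuration for a payment flow next to the weaker setting that is only appropriate for a low-risk action. It uses the AndroidX Biometric library (androidx.biometric), where the option lives on BiometricPrompt.PromptInfo.Builder; the function names, the "Confirm payment" strings, and the onAuthorized callback are assumptions chosen for illustration.

```kotlin
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity

// Recommended: a sensitive operation (payment) requires an explicit tap after the
// biometric matches. setConfirmationRequired(true) is also the default, but setting it
// explicitly documents the intent and makes any later change to false show up in review.
// Function name and strings are illustrative assumptions.
fun buildPaymentPromptInfo(amountLabel: String): BiometricPrompt.PromptInfo =
    BiometricPrompt.PromptInfo.Builder()
        .setTitle("Confirm payment")
        .setSubtitle(amountLabel)                 // show the user what they are approving
        .setAllowedAuthenticators(BIOMETRIC_STRONG)
        .setNegativeButtonText("Cancel")          // required when DEVICE_CREDENTIAL is not allowed
        .setConfirmationRequired(true)            // passive face/iris match must be acknowledged
        .build()

// Weaker setting kept for contrast: implicit authentication is tolerable for a
// low-risk unlock, where the cost of an unintended success is small.
fun buildUnlockPromptInfo(): BiometricPrompt.PromptInfo =
    BiometricPrompt.PromptInfo.Builder()
        .setTitle("Unlock")
        .setAllowedAuthenticators(BIOMETRIC_STRONG)
        .setNegativeButtonText("Cancel")
        .setConfirmationRequired(false)           // never do this for payments or health data
        .build()

// Wires the payment prompt to an app-supplied callback (assumed signature).
fun authorizePayment(
    activity: FragmentActivity,
    amountLabel: String,
    onAuthorized: () -> Unit
) {
    val prompt = BiometricPrompt(
        activity,
        ContextCompat.getMainExecutor(activity),
        object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                // Reached only after the user confirmed the prompt (where the system honors the hint).
                onAuthorized()
            }
        }
    )
    prompt.authenticate(buildPaymentPromptInfo(amountLabel))
}
```

When reviewing an app, the quickest check is to locate every setConfirmationRequired(false) call and confirm that none of them is reachable from a flow that authorizes a payment, a data export, or similar high-value action; a builder that never calls the method inherits the safe default.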

Tests

MASTG-TEST-0329: References to APIs Enforcing Authentication without Explicit User Action