Android Fingerprint Biometric Authentication

NOVASOLUTIONS.TECHNOLOGY is engaged in the development, support and maintenance of iOS, Android and PWA mobile applications. We have extensive experience and expertise in publishing mobile applications in popular markets such as Google Play, the App Store, Amazon, AppGallery and others.
Development and support of all types of mobile applications:
Information and entertainment mobile applications
News apps, games, reference guides, online catalogs, weather apps, fitness and health apps, travel apps, educational apps, social networks and messengers, quizzes, blogs and podcasts, forums, aggregators
E-commerce mobile applications
Online stores, B2B apps, marketplaces, online exchanges, cashback services, exchanges, dropshipping platforms, loyalty programs, food and goods delivery, payment systems.
Business process management mobile applications
CRM systems, ERP systems, project management, sales team tools, financial management, production management, logistics and delivery management, HR management, data monitoring systems
Electronic services mobile applications
Classified ads platforms, online schools, online cinemas, electronic service platforms, cashback platforms, video hosting, thematic portals, online booking and scheduling platforms, online trading platforms

These are just some of the types of mobile applications we work with; each of them may have its own specific features and functionality, tailored to the needs and goals of the client.

Android Fingerprint Biometric Authentication
Simple
~1 business day

Developing Fingerprint Biometric Authorization in an Android App

Biometrics on Android has gone through a long path: FingerprintManager (deprecated in API 28), BiometricPrompt (introduced in API 28, working properly only in API 29–30), and finally the stable androidx.biometric:biometric library, version 1.2+. If an app still uses FingerprintManager, that is technical debt that will blow up once the app targets API 34.

What breaks most often

BiometricPrompt requires a FragmentActivity or a Fragment. Developers sometimes try to call it from a ViewModel or a Repository and get an IllegalStateException at runtime. The prompt lives in the UI layer, period.

The second stumbling block is CryptoObject. Many implementations call BiometricPrompt.authenticate() without a CryptoObject, which means they only check that a biometric authentication happened but do not tie it to a cryptographic operation. This is "weak" biometrics: an attacker with root access can in theory fake the authentication result by injecting SUCCESS into the AuthenticationCallback. The correct path is Class 3 (Strong) biometrics with a CryptoObject.

Third is Android fragmentation. On MIUI 12–13, BiometricManager.canAuthenticate(BIOMETRIC_STRONG) returns BIOMETRIC_ERROR_NONE_ENROLLED even when fingerprints are registered, because of Xiaomi's customization. For such cases you have to add a fallback check via FingerprintManagerCompat.
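The availability check with the FingerprintManagerCompat fallback described above, written out as an added example (not code from the original page). It assumes androidx.biometric and androidx.core on the classpath; the sealed class and function names are chosen here. The fallback only tells you that the device has enrolled fingerprints that the manager failed to report; whether to attempt BiometricPrompt anyway or send the user to the PIN screen is a product decision.

```kotlin
import android.content.Context
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.core.hardware.fingerprint.FingerprintManagerCompat

// Hypothetical result type: what the caller can rely on before showing the prompt.
sealed class BiometricAvailability {
    // BiometricManager confirmed Class 3 biometrics with enrolled templates.
    object Strong : BiometricAvailability()
    // The MIUI case: manager says NONE_ENROLLED, but the legacy
    // fingerprint API reports enrolled fingerprints.
    object EnrolledButNotReported : BiometricAvailability()
    // Anything else: no hardware, hardware busy, security update required, ...
    data class Unavailable(val code: Int) : BiometricAvailability()
}

fun checkBiometricAvailability(context: Context): BiometricAvailability {
    val code = BiometricManager.from(context).canAuthenticate(BIOMETRIC_STRONG)
    return when (code) {
        BiometricManager.BIOMETRIC_SUCCESS -> BiometricAvailability.Strong
        BiometricManager.BIOMETRIC_ERROR_NONE_ENROLLED -> {
            // Cross-check with the deprecated compat API before trusting the verdict.
            val fp = FingerprintManagerCompat.from(context)
            if (fp.isHardwareDetected && fp.hasEnrolledFingerprints()) {
                BiometricAvailability.EnrolledButNotReported
            } else {
                BiometricAvailability.Unavailable(code)
            }
        }
        else -> BiometricAvailability.Unavailable(code)
    }
}
```

Call checkBiometricAvailability() before building the PromptInfo; if it returns Unavailable, show the PIN/password path straight away instead of letting the prompt fail with an error code.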

Correct implementation with CryptoObject

The essence: generate a key in the Android Keystore that is bound to biometrics. On authentication, a Cipher is initialized with this key and passed in a CryptoObject. If biometric authentication succeeds, the cipher is unlocked and can encrypt/decrypt data.

import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import javax.crypto.KeyGenerator

private const val KEY_NAME = "biometric_key" // alias of the Keystore entry; any app-specific string

// AES key that lives in the (hardware-backed) Android Keystore and can only be
// used after the user has authenticated
val keyGenerator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
keyGenerator.init(
    KeyGenParameterSpec.Builder(KEY_NAME, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
        .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
        .setUserAuthenticationRequired(true)        // the cipher can only complete an operation after the prompt succeeds
        .setInvalidatedByBiometricEnrollment(true)  // the key dies when a new fingerprint is enrolled
        .build()
)
keyGenerator.generateKey()

setInvalidatedByBiometricEnrollment(true) means the key is invalidated when a new fingerprint is added. Without this flag the old key keeps working after the user changes their biometrics.

After key generation:

import androidx.biometric.BiometricPrompt
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.SecretKey

// Transformation must match the key's allowed block mode and padding
val cipher = Cipher.getInstance("${KeyProperties.KEY_ALGORITHM_AES}/${KeyProperties.BLOCK_MODE_CBC}/${KeyProperties.ENCRYPTION_PADDING_PKCS7}")
val keyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
val secretKey = keyStore.getKey(KEY_NAME, null) as SecretKey
cipher.init(Cipher.ENCRYPT_MODE, secretKey) // throws KeyPermanentlyInvalidatedException if biometrics were re-enrolled

// The cipher is wrapped so the system binds it to this authentication
val cryptoObject = BiometricPrompt.CryptoObject(cipher)

Then pass cryptoObject to biometricPrompt.authenticate(promptInfo, cryptoObject).

The callback must be handled completely

object : BiometricPrompt.AuthenticationCallback() {
    override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
        // A result without a cipher was not bound to the Keystore key; treat it as a failure
        val cipher = result.cryptoObject?.cipher ?: return
        // decrypt the token from EncryptedSharedPreferences with the unlocked cipher
    }
    override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
        // Terminal errors: the prompt is already dismissed when this is called
        when (errorCode) {
            BiometricPrompt.ERROR_LOCKOUT -> showFallback()
            BiometricPrompt.ERROR_LOCKOUT_PERMANENT -> showPermanentLockout()
            BiometricPrompt.ERROR_NEGATIVE_BUTTON -> showPinAuth()
            BiometricPrompt.ERROR_USER_CANCELED -> { /* do nothing */ }
        }
    }
    override fun onAuthenticationFailed() {
        // the attempt failed, but the limit is not exhausted; BiometricPrompt itself shows the error
    }
}

onAuthenticationFailed is not a final error. The system itself updates the prompt UI. Don't hide the prompt and don't show your own errors in this callback.

Token storage

Use EncryptedSharedPreferences from androidx.security:security-crypto. Encrypt the token with the cipher from the successful CryptoObject and save the ciphertext, salt and IV to EncryptedSharedPreferences. On the next authorization, initialize the cipher in DECRYPT_MODE with the saved IV, pass it through biometrics, and get the plaintext token.
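The whole flow from the three sections above (key generation, cipher and CryptoObject, callback handling, token storage) assembled into one class, as an added example rather than the page's own code. It assumes androidx.biometric 1.2+, androidx.security:security-crypto 1.1 (MasterKey API) and minSdk 23; KEY_NAME, PREFS_NAME, BiometricTokenStore and the callback parameters are names chosen for this example. Unlike the page's callback, every terminal error other than a user cancel is collapsed into a single fallback; the re-enrollment edge case is handled by wiping the key and the stored token.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import android.util.Base64
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.IvParameterSpec

private const val KEY_NAME = "biometric_token_key"    // hypothetical Keystore alias
private const val PREFS_NAME = "biometric_token_prefs" // hypothetical prefs file name
private const val TRANSFORMATION =
    "${KeyProperties.KEY_ALGORITHM_AES}/${KeyProperties.BLOCK_MODE_CBC}/${KeyProperties.ENCRYPTION_PADDING_PKCS7}"

class BiometricTokenStore(private val activity: FragmentActivity) {

    // Ciphertext + IV live in EncryptedSharedPreferences; the key that unlocks them lives in the Keystore.
    private val prefs = EncryptedSharedPreferences.create(
        activity, PREFS_NAME,
        MasterKey.Builder(activity).setKeyScheme(MasterKey.KeyScheme.AES256_GCM).build(),
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )

    private fun keyStore() = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }

    // Auth-bound AES key, created on first use and invalidated by new enrollments.
    private fun getOrCreateKey(): SecretKey {
        (keyStore().getKey(KEY_NAME, null) as? SecretKey)?.let { return it }
        val generator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        generator.init(
            KeyGenParameterSpec.Builder(KEY_NAME, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
                .setUserAuthenticationRequired(true)
                .setInvalidatedByBiometricEnrollment(true)
                .build()
        )
        return generator.generateKey()
    }

    // Enrollment step: ENCRYPT_MODE, the Keystore generates a fresh random IV.
    fun encryptCipher(): Cipher =
        Cipher.getInstance(TRANSFORMATION).apply { init(Cipher.ENCRYPT_MODE, getOrCreateKey()) }

    // Login step: DECRYPT_MODE needs the IV saved at enrollment. If biometrics were
    // re-enrolled the key is dead; wipe everything so the user enrolls the token again.
    fun decryptCipher(): Cipher? {
        val iv = prefs.getString("iv", null) ?: return null
        return try {
            Cipher.getInstance(TRANSFORMATION).apply {
                init(Cipher.DECRYPT_MODE, getOrCreateKey(), IvParameterSpec(Base64.decode(iv, Base64.NO_WRAP)))
            }
        } catch (e: KeyPermanentlyInvalidatedException) {
            keyStore().deleteEntry(KEY_NAME)
            prefs.edit().clear().apply()
            null
        }
    }

    // Both store/load take the cipher delivered by onAuthenticationSucceeded, never a fresh one.
    fun storeToken(unlocked: Cipher, token: String) {
        val ciphertext = unlocked.doFinal(token.toByteArray(Charsets.UTF_8))
        prefs.edit()
            .putString("token", Base64.encodeToString(ciphertext, Base64.NO_WRAP))
            .putString("iv", Base64.encodeToString(unlocked.iv, Base64.NO_WRAP))
            .apply()
    }

    fun loadToken(unlocked: Cipher): String? {
        val ct = prefs.getString("token", null) ?: return null
        return String(unlocked.doFinal(Base64.decode(ct, Base64.NO_WRAP)), Charsets.UTF_8)
    }

    // Shows the prompt bound to `cipher`. A success without a cryptoObject is not trusted.
    fun authenticate(cipher: Cipher, onUnlocked: (Cipher) -> Unit, onFallback: () -> Unit) {
        val callback = object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                result.cryptoObject?.cipher?.let(onUnlocked) ?: onFallback()
            }
            override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
                if (errorCode != BiometricPrompt.ERROR_USER_CANCELED) onFallback() // lockout, negative button, ...
            }
            // onAuthenticationFailed intentionally not overridden: the prompt shows its own retry UI
        }
        val info = BiometricPrompt.PromptInfo.Builder()
            .setTitle("Sign in")
            .setNegativeButtonText("Use PIN")
            .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)
            .build()
        BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
            .authenticate(info, BiometricPrompt.CryptoObject(cipher))
    }
}
```

Usage: after the user signs in with a password, call authenticate(encryptCipher(), { storeToken(it, token) }, ::showPinAuth); on the next launch call decryptCipher() and, if it is non-null, authenticate(it, { loadToken(it) }, ::showPinAuth). Because doFinal() runs only on the cipher the system handed back, a SUCCESS injected into the callback without a cryptoObject cannot produce the plaintext token.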

Stages and timeframe

Check the minimum API level (our target is API 23+; BiometricPrompt works from API 28 via androidx.biometric) → implement the KeyStore key and the CryptoObject flow → custom prompt UI with texts → handle all error codes → test on real devices (Samsung Galaxy, Xiaomi, Pixel) → unit test coverage with a mock BiometricPrompt.

Timeframe: 3–6 business days. For Xiaomi and devices with custom firmware, add time for a separate compatibility check.