Allow possibility to disable face unlock on Android

[eblis]

It would be nice if you could select which authentication methods are allowed, at least on Android systems.
Some Android vendors allow both fingerprint and face unlock, but certain sensible applications, like Bitwarden shouldn't allow login via face, just by fingerprint.

An option in the code to select if you want strong authentication (fingerprint) or weak authentication (face) would be very nice.

This is a very requested feature in Bitwarden and as far as i can tell Bitwarden uses this plug-in for cross platform authentication.

[smsissuechecker]

Hi @eblis,

I'm the friendly issue checker.
It seems like (100.00 %) you haven't used our issue template 😢 I think it is very frustrating for the repository owners, if you ignore them.

If you think it's fine to make an exception, just ignore this message.
But if you think it was a mistake to delete the template, please close the issue and create a new one.

Thanks!

[DarkIrata]

Hi!,
As far as i found it is not possible to set the Biometric Prompt type for the new API.
Here is a google issue tracker, tracking that request
https://issuetracker.google.com/issues/111315641

The only workaround would be implementaing the old FingerprintManager. While deprecated, it still is functional enough fir this purpose. Better explanation is here
https://stackoverflow.com/a/52927192

[eblis]

Does allowing just BIOMETRIC_STRONG allow both face and fingerprint unlock ? I assumed that only fingerprint would be STRONG, whereas face unlock would be WEAK, but I haven't tested this yet (not sure how).

[DarkIrata]

https://developer.android.com/reference/android/hardware/biometrics/BiometricManager.Authenticators#summary
Looks like it depends on the device

[eblis]

I would say that most devices implement this correctly and would be a nice addition.
Also, even if they do not implement this correctly it wouldn't do any harm, so it would still be a nice addition, no ?

[DarkIrata]

I wouldn't say that. Even Samsung likes to have non-standard implementations (but I am not aware of anything in the area of biometric authentication so far). Huawei, for example, does not display any text on the prompts, even if I write the biometric authentication from zero.

I'm not against the feature either, I find the implementation okay for the most part, BUT without testing I find that more critical to take in productively when it's opt-out. Does it trows an error which needs to be handled specialy? Do the enduser just needs to reregister his fingerprint? It should also be tested against different API levels, so that there are no problems already when setting the flags.

When it comes to security, it should be tested, especially if it could change the behavior.

[eblis]

On the Samsung device I've seen the current implementation offers fingerprint unlock by default, and only if you want it switches to face unlock.
But on my personal phone, a Realme, only face unlock is available with the current implementation.