Cordova fingerprint authentication on server

Front-end | Unresolved | 3 answers | 1449 views
星月不相逢 2021-02-05 06:43

I am trying to create an authentication mechanism in my (cordova) app for android that will allow my users to sign in using a password and username, or allow them to scan their f

3 answers
  •  星月不相逢
    2021-02-05 07:13

    Short answer

    The strings returned by this API are not "fingerprint patterns". So you won't be able to authenticate the way you're thinking...

    Long answer

    Let's start by looking at the source code of the API it looks like you're using.

    Looking at this file, we see these methods:

    public static void onAuthenticated(boolean withFingerprint) {
        JSONObject resultJson = new JSONObject();
        String errorMessage = "";
        boolean createdResultJson = false;
        try {
    
            if (withFingerprint) {
                // If the user has authenticated with fingerprint, verify that using cryptography and
                // then return the encrypted token
                byte[] encrypted = tryEncrypt();
                resultJson.put("withFingerprint", Base64.encodeToString(encrypted, 0 /* flags */));
            } else {
                // Authentication happened with backup password.
                resultJson.put("withPassword", true);
    
                // if failed to init cipher because of InvalidKeyException, create new key
                if (!initCipher()) {
                    createKey();
                }
            }
            createdResultJson = true;
    
    // ...
    
    /**
     * Tries to encrypt some data with the generated key in {@link #createKey}, which
     * only works if the user has just authenticated via fingerprint.
     */
    private static byte[] tryEncrypt() throws BadPaddingException, IllegalBlockSizeException {
        return mCipher.doFinal(mClientSecret.getBytes());
    }
    

    Look at what's being put to "withFingerprint". It's a Base64 encoding of the encrypted client secret. Technically, this is your authentication. You would use this token to authenticate requests and your server would decrypt and validate the client secret.

    Summary

    Fingerprinting adds a level of security, but it is not the only means of security. A relationship needs to be established with the device and server beforehand.

    I found this diagram to be helpful in understanding the intent of Android's fingerprint authentication (ref: http://android-developers.blogspot.com/2015/10/new-in-android-samples-authenticating.html)
