I have gone through the android finger print sample provided by Google.
https://github.com/googlesamples/android-FingerprintDialog
As I am new to security standa
Why we need to use Keystore, key, CryptoObject... etc? Simply, it could be like, ask finger print manager to authenticate the user and it can simply return the status (success/failed)
I thought the same thing when I first read about fingerprint for android. Through my research, I think I can summarize the CryptoObject for you in plain English, which is what you are looking for because technical descriptions do not help with understanding concepts:
The CryptoObject is created by a key in your android keystore, which is inherently considered "secure" [1]. So passing in a CryptoObject to the fingerprint manager lets the manager have an anchor that confirms the finger print auth results were not tampered with, which is theoretically possible [2].
Think of it this way: if you pass in null, the fingerprint manager blindly trusts the results from a finger print match result. If you pass in a crypto object, which is created by a key that only your application can access because of keystore, then the results coming back will probably have this cryptoObject which only your app can successfully identify. Here is another quote that makes more common sense.
"The CryptoObject makes the process more secure because if that object is not backed by the KeyStore, it’s always going to fail." [3]
The picture in [4] link also gives you an idea.
[1] https://developer.android.com/training/articles/keystore
[2] https://docs.microsoft.com/en-us/xamarin/android/platform/fingerprint-authentication/creating-a-cryptoobject
[3] https://medium.com/@manuelvicnt/android-fingerprint-authentication-f8c7c76c50f8
[4] https://infinum.co/the-capsized-eight/android-fingerprint-security
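The pattern the answer describes, written out as an added example (this is not code from the Google sample or from the answer's author): a key is generated inside AndroidKeyStore with user authentication required, a Cipher backed by that key is wrapped in a CryptoObject, and only the Cipher handed back inside the AuthenticationResult is used. The key alias and the plaintext string are made-up values for the illustration; the classes and methods are the standard `android.security.keystore` and `FingerprintManager` API.

```java
import android.hardware.fingerprint.FingerprintManager;
import android.os.CancellationSignal;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;

import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/** Ties an AES encryption to a successful fingerprint match via a keystore-backed CryptoObject. */
public final class FingerprintBoundCipher {
    // Made-up alias for this example; it only names the key inside AndroidKeyStore.
    private static final String KEY_ALIAS = "example_fingerprint_bound_key";
    private static final String TRANSFORMATION = KeyProperties.KEY_ALGORITHM_AES + "/"
            + KeyProperties.BLOCK_MODE_CBC + "/" + KeyProperties.ENCRYPTION_PADDING_PKCS7;

    /** Generates the AES key inside the keystore. The key material never leaves it. */
    public static void generateKey() throws Exception {
        KeyGenerator gen = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        gen.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
                // This is what binds the key to the sensor: the keystore refuses to
                // complete an operation with it until the user has authenticated.
                .setUserAuthenticationRequired(true)
                .build());
        gen.generateKey();
    }

    /**
     * Initialises a Cipher with the keystore key. Returns null when the keystore has
     * invalidated the key because the set of enrolled fingerprints changed.
     */
    public static Cipher initCipher() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        SecretKey key = (SecretKey) ks.getKey(KEY_ALIAS, null);
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        try {
            cipher.init(Cipher.ENCRYPT_MODE, key);
            return cipher;
        } catch (KeyPermanentlyInvalidatedException e) {
            // A fingerprint was added or removed since the key was created; recreate the key.
            return null;
        }
    }

    /** Wraps the Cipher in a CryptoObject and uses the one the system hands back. */
    public static void authenticate(FingerprintManager fm, Cipher cipher, CancellationSignal cancel) {
        FingerprintManager.CryptoObject crypto = new FingerprintManager.CryptoObject(cipher);
        fm.authenticate(crypto, cancel, 0, new FingerprintManager.AuthenticationCallback() {
            @Override
            public void onAuthenticationSucceeded(FingerprintManager.AuthenticationResult result) {
                // Use the Cipher returned in the result, not a reference kept elsewhere:
                // this instance is the one the keystore unlocked for this single match.
                Cipher unlocked = result.getCryptoObject().getCipher();
                try {
                    byte[] ciphertext = unlocked.doFinal("example plaintext".getBytes(StandardCharsets.UTF_8));
                    // ciphertext (and unlocked.getIV()) can now be stored or sent onward.
                } catch (Exception e) {
                    // A "success" that was not backed by the keystore ends here:
                    // the key was never released, so the operation fails.
                }
            }

            @Override
            public void onAuthenticationFailed() {
                // The sensor saw a finger that did not match; the Cipher stays locked.
            }
        }, null);
    }
}
```

The difference from passing `null` is visible in the last method: with a null CryptoObject the callback is the only evidence that a match happened, whereas here the proof is that `doFinal` actually completes. Calling `doFinal` on the Cipher before a successful match fails, because the keystore has not released the authentication-gated key for that operation, which is the behaviour the quoted sentence in [3] refers to.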