发表新帖
发表新帖

Cordova fingerprint authentication on server

前端 未结
关注
3 1447
星月不相逢
星月不相逢 2021-02-05 06:43

I am trying to create a authentication mechanism in my (cordova) app for android that will allow my users to sign in using a password and username, or allow them to scan their f

相关标签:
3条回答
  • 没有蜡笔的小新
    2021-02-05 06:57

    You can't authenticate fingerprint on the server, fingerprints are stored or authenticated using Live Scan/Biometric template. Authentication is done by comparing the current scan template with previously stored templates

    First of all you don't have access to these stored templates(Not provided by the OS providers/Phone Manufacturers) and If we assume that you have access to those templates, then an efficient algorithm (Image based /Pattern based ) is required to compare the current template with previously stored templates. You can't simply authenticate it by string comparison.

    0 讨论(0)
  • 旧巷少年郎
    2021-02-05 06:59

    Use cordova-plugin-fingerprint-aio for fingerprint authentication .

    For further info you can consult https://www.npmjs.com/package/cordova-plugin-fingerprint-aio .

    0 讨论(0)
  • 星月不相逢
    2021-02-05 07:13

    Short answer

    The strings returned by this API are not "fingerprint patterns". So you won't be able to authenticate the way you're thinking...

    Long answer

    Let's start by looking at the source code of the API it looks like you're using.

    Looking at this file we see these methods:

    public static void onAuthenticated(boolean withFingerprint) {
    JSONObject resultJson = new JSONObject();
    String errorMessage = "";
    boolean createdResultJson = false;
    try {

        if (withFingerprint) {
            // If the user has authenticated with fingerprint, verify that using cryptography and
            // then return the encrypted token
            byte[] encrypted = tryEncrypt();
            resultJson.put("withFingerprint", Base64.encodeToString(encrypted, 0 /* flags */));
        } else {
            // Authentication happened with backup password.
            resultJson.put("withPassword", true);

            // if failed to init cipher because of InvalidKeyException, create new key
            if (!initCipher()) {
                createKey();
            }
        }
        createdResultJson = true;

// ...

/**
 * Tries to encrypt some data with the generated key in {@link #createKey} which is
 * only works if the user has just authenticated via fingerprint.
 */
private static byte[] tryEncrypt() throws BadPaddingException, IllegalBlockSizeException {
    return mCipher.doFinal(mClientSecret.getBytes());
}

    Look at what's being put to "withFingerprint". It's a Base64 encoding of the encrypted client secret. Technically, this is your authentication. You would use this token to authenticate requests and your server would decrypt and validate the client secret.

    Summary

    Fingerprinting adds a level of security, but it is not the only means of security. A relationship needs to be established with the device and server beforehand.

    I found this diagram to be helpful in understanding the intent of android's fingerprint authentication (ref: http://android-developers.blogspot.com/2015/10/new-in-android-samples-authenticating.html)

    0 讨论(0)
 看不清?
提交回复
热议问题