Error after Fingerprint touched on Samsung phones: android.security.KeyStoreException: Key user not authenticated

Backend · Unresolved · 9 answers · 1125 views
醉酒成梦 2020-12-14 19:48

My app uses the Android 6.0 Fingerprint API to protect an AES key in the Android KeyStore. The stored key can be used only when the user is authenticated by the fingerprint sensor because

9 answers
  • 2020-12-14 19:58

    UPDATE: This is a known issue with Android 8.0 https://issuetracker.google.com/issues/65578763

    I'm just now seeing this error on Samsung, and it appears to be caused by adding a new fingerprint. In our code we expect KeyPermanentlyInvalidatedException to be thrown during signature.initSign(). This doesn't occur, and the initialized signature is successfully passed inside the CryptoObject to the FingerprintManager. The fingerprint is then successfully verified and onAuthenticationSucceeded is called. The error occurs when attempting to call signature.update(byte[] bytes).

    The expected behavior, I would believe, is that KeyPermanentlyInvalidatedException is actually thrown, but I'm not sure we can ever expect this to be resolved. My solution is to catch it on the onAuthenticationSucceeded side.

    @Override
    public void onAuthenticationSucceeded(FingerprintManager.AuthenticationResult result) {
        Log.d(LOG_TAG, "Device Authentication Succeeded");
        try {
            // The Signature was initialized before authenticate() and travelled inside the CryptoObject
            Signature signature = result.getCryptoObject().getSignature();
            String authData = getAuthData();
            signature.update(authData.getBytes());
            // do something with signature

        } catch (SignatureException e) {
            Log.d(LOG_TAG, e.getMessage());
            // On the affected Samsung devices the invalidation surfaces here, as a
            // "Key user not authenticated" message, instead of at initSign()
            if (e.getMessage() != null && e.getMessage().contains("Key user not authenticated")) {
                // handle as if it were KeyPermanentlyInvalidatedException
            } else {
                Log.d(LOG_TAG, e.getMessage());
                // handle as regular error
            }
        }
    }
    
  • 2020-12-14 19:59

    I experienced this issue too. In my case, it was due to the fact that I was accidentally starting two concurrent fingerprint authentications by calling FingerprintManager.authenticate() twice. The error disappeared once I removed the second call.

  • 2020-12-14 20:06

    As I don't expect that the mentioned manufacturers will fix this issue soon, I've resolved it by setting the KeyGenParameterSpec.setUserAuthenticationRequired(false) for Samsung, OnePlus, Asus and some other devices.

  • 2020-12-14 20:08

    I also had this issue when using RSA and could solve it by creating a copy of the public key as soon as I want to encrypt some data.

    // create a copy of the public key -> workaround for android.security.KeyStoreException: Key user not authenticated
    val publicKey = KeyFactory
        .getInstance("RSA")
        .generatePublic(X509EncodedKeySpec(keyPair.public.encoded))
    
    // encrypt with the public key
    val cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding")
    cipher.init(Cipher.ENCRYPT_MODE, publicKey)
    val encryptedData = cipher.doFinal(data)
    
  • 2020-12-14 20:12

    I also had this issue when using a Samsung Galaxy S8 with Android 8. To solve this problem I just removed the key from the keystore, generated a new one, and then used the new key to encrypt and decrypt data.

    try {
        keyStore.deleteEntry(KEY_ALIAS);
    } catch (KeyStoreException e) {
        e.printStackTrace();
    }
    
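Added here as an example, not code from this thread or from Android itself: an AES key bound to per-use fingerprint authentication, with the use-time failure handled the way the first and fifth answers describe (recognise the "Key user not authenticated" message, delete the entry so the caller can regenerate it). The alias, the use of a GCM Cipher rather than the Signature of the first answer, and the reset policy are assumptions; the normal KeyPermanentlyInvalidatedException check at cipher.init() before calling authenticate() is unchanged and not shown.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;

public final class AuthBoundAesKey {
    static final String KEY_ALIAS = "example_auth_bound_aes"; // assumed alias, not from the thread

    // Key usable only right after a fingerprint authentication (no validity window) and
    // invalidated by a new enrollment. Contrast the answers above: setUserAuthenticationRequired(false)
    // drops the gate entirely; setUserAuthenticationValidityDurationSeconds(10) allows reuse for 10 s.
    static void generateKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setUserAuthenticationRequired(true)
                .setInvalidatedByBiometricEnrollment(true)   // API 24+
                .build());
        kg.generateKey();
    }

    // Samsung path from the first answer: init() and the fingerprint both succeed and the error only
    // surfaces when the key is used, wrapped somewhere in the cause chain of the JCE exception.
    // Call from onAuthenticationSucceeded with result.getCryptoObject().getCipher();
    // persist cipher.getIV() next to the ciphertext. Returns null when the key had to be reset.
    static byte[] encryptAfterAuth(Cipher cipher, byte[] plaintext) throws Exception {
        try {
            return cipher.doFinal(plaintext);
        } catch (GeneralSecurityException e) {
            for (Throwable c = e; c != null; c = c.getCause()) {
                if (c.getMessage() != null && c.getMessage().contains("Key user not authenticated")) {
                    // Treat like a permanent invalidation: drop the entry so the caller regenerates it
                    KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
                    ks.load(null);
                    ks.deleteEntry(KEY_ALIAS);
                    return null;
                }
            }
            throw e;   // unrelated failure, let the caller see it
        }
    }
}
```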
  • 2020-12-14 20:18

    It works on my Samsung Galaxy S8 by explicitly setting the authenticated key's validity duration:

    setUserAuthenticationValidityDurationSeconds(10);
    

    This however makes it technically possible to use the key multiple times within that timespan without requiring further user authentication.

    Personally I don't think it's such a big risk.

    I have not tested encrypting large streams that may take several seconds to complete using these protection measures. I wonder what happens if the encryption task takes longer than what the validity duration allows.
