h_k

Reputation: 1714

Using the Android KeyStore to store user authentication credentials

I am experimenting with user authentication methods (fingerprint to be exact) and I'm also looking into the Android KeyStore. I am trying to build a system that allows the user to set up a fingerprint that will log a user in to my server. Currently, the server requires a POST request which requires a valid username/password combo.

I have a few questions about how this will work, because I have only a beginner's understanding of how the Fingerprint API and KeyStore work.

1) When I am prompting for a fingerprint and get a successful response back (which is easy enough to accomplish) - How can I translate that to a valid username/password so I can kick off my POST request? Do I need to store both the username and password into the KeyStore?

2) How exactly would that look when I am setting up the KeyStore? Would I need to set an alias for both the username and password? "myapp_user", "myapp_pass" for example?

3) How can I store the values for username and password into the KeyStore?

4) Am I even approaching this problem the right way? Is there a better way to link a fingerprint to a username/password combination securely?

Thank you for any help!

Upvotes: 5

Views: 6360

Answers (2)

ruby

Reputation: 157

I have the same kind of requirement. Below are the steps.

  1. While registering for fingerprint option user will be providing the username password and then the fingerprint.
  2. We need to generate key in android store and pass that to server(username, password and the key generated).
  3. In server they will save this key corresponding to the username and password.
  4. Whenever the user tries to login with fingerprint, from client side we need to take the key once fingerprint authentication is successful and pass that to server.
  5. In server they will check the table row(server DB) in which that key is already been saved and will use that corresponding username and password.

My doubt is will that key remain the same. We are passing the key to server side while registering for fingerprint along with username password. So again when the user tries to login and creates a key, will it remain the same?

Upvotes: 0

Robert

Reputation: 42710

The general process for using the AndroidKeystore is that you generate a key in the AndroidKeyStore. That key will never leave the keystore (can't be exported) but you can use it as long as you use specific algorithms (not all are supported). You can see here which Android version supports what encryption type.

On Android API 23+ you can directly generate an AES key (in the AndroidKeyStore) and use that AES key for encrypting your user data like the user credentials you mentioned.

Before API 23 additional steps are required: First generate an RSA key in the AndroidKeyStore, then generate a random AES key outside of the AndroidKeyStore (as AES inside is not supported). Then encrypt the generated AES key with the RSA key you have generated in the AndroidKeyStore and save the encrypted AES key into the private app data directory.

Afterwards you can, like in option 1, encrypt the user credentials with the generated AES key.

Upvotes: 3
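The API 23+ path from the answer above, written out as an added example (not code from the answer or from the Android project): an AES-256 key is generated inside `AndroidKeyStore`, marked as usable only after the user authenticates, and used in GCM mode to seal and open the stored username/password. The alias `myapp_credentials`, the class name `CredentialVault` and the length-prefixed `username|password` encoding are assumptions chosen for this example; `KeyGenParameterSpec`, `KeyProperties` and the `AES/GCM/NoPadding` cipher are the real platform APIs.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;

import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/**
 * Hypothetical helper (assumed name): the AES key never leaves AndroidKeyStore,
 * only the GCM ciphertext + IV are written to app-private storage.
 */
public final class CredentialVault {
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String ALIAS = "myapp_credentials"; // assumed alias
    private static final String TRANSFORM = "AES/GCM/NoPadding";
    private static final int GCM_TAG_BITS = 128;

    /** Create the key on first use; later calls return the existing entry. */
    public static SecretKey getOrCreateKey() throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        KeyStore.Entry entry = ks.getEntry(ALIAS, null);
        if (entry instanceof KeyStore.SecretKeyEntry) {
            return ((KeyStore.SecretKeyEntry) entry).getSecretKey();
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                // Every use of the key must be preceded by user authentication
                // (e.g. the Cipher is wrapped in a FingerprintManager.CryptoObject).
                .setUserAuthenticationRequired(true)
                .build());
        return kg.generateKey();
    }

    /** Cipher to hand to the fingerprint prompt when enrolling credentials. */
    public static Cipher encryptCipher() throws Exception {
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.ENCRYPT_MODE, getOrCreateKey()); // keystore picks a fresh IV
        return c;
    }

    /** Cipher to hand to the fingerprint prompt at login; iv was saved with the ciphertext. */
    public static Cipher decryptCipher(byte[] iv) throws Exception {
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.DECRYPT_MODE, getOrCreateKey(), new GCMParameterSpec(GCM_TAG_BITS, iv));
        return c;
    }

    /** Call with the Cipher returned in onAuthenticationSucceeded(); returns {iv, ciphertext}. */
    public static byte[][] seal(Cipher authenticated, String username, String password) throws Exception {
        byte[] u = username.getBytes(StandardCharsets.UTF_8);
        byte[] p = password.getBytes(StandardCharsets.UTF_8);
        // 4-byte length prefix for the username so any characters are allowed in both fields
        ByteBuffer plain = ByteBuffer.allocate(4 + u.length + p.length);
        plain.putInt(u.length).put(u).put(p);
        byte[] ciphertext = authenticated.doFinal(plain.array());
        return new byte[][] { authenticated.getIV(), ciphertext };
    }

    /** Inverse of seal(); the GCM tag check fails if the stored blob was tampered with. */
    public static String[] open(Cipher authenticated, byte[] ciphertext) throws Exception {
        ByteBuffer plain = ByteBuffer.wrap(authenticated.doFinal(ciphertext));
        byte[] u = new byte[plain.getInt()];
        plain.get(u);
        byte[] p = new byte[plain.remaining()];
        plain.get(p);
        return new String[] {
            new String(u, StandardCharsets.UTF_8),
            new String(p, StandardCharsets.UTF_8)
        };
    }
}
```

Because the key is created with `setUserAuthenticationRequired(true)`, `doFinal` only succeeds on a `Cipher` that went through `FingerprintManager.authenticate(new CryptoObject(cipher), ...)` and came back in `onAuthenticationSucceeded`; calling it on an unauthenticated cipher throws. Persist the `iv` and `ciphertext` pair from `seal()` in app-private storage and feed them back through `decryptCipher(iv)` and `open()` at login. The same vault can hold a server-issued token instead of the raw password, which limits what is exposed if the blob is ever decrypted.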
