Aykhan Hagverdili

Reputation: 29985

How to handle biometrics with a password?

My app requires a password to use. The user enters their password the first time they open the app, I send the password to the server side and they do the usual hashing+salting routine. Next time the user enters the password, I send it to the back-end to verify, and it sends me a temporary token to be used for further queries. It works fine.

Now I want the user to be able to sign in with biometrics (fingerprint, etc). Android handles that and lets me know if the user passed the biometric authentication. But then I don't have the password to send to the back-end and get the token. How do I handle that? I suppose I could store the password and send that if biometric auth passes, but that sounds like a massive security vulnerability. I could encrypt the password, but that creates the issue of storing the encryption key.

My question is, what is the usual way to handle biometric sign in like this? Is there a secure way to store passwords so it's only visible to my application? SharedPreferences can be bypassed with root access, so that's probably not an option. Detecting rooted phones is also not reliable with "systemless root" and such.

Upvotes: 1

Views: 957

Answers (1)

Aykhan Hagverdili

Reputation: 29985

I combined the suggestions in comments and stored sensitive information in EncryptedSharedPreferences and stored the key for that in AndroidKeyStore. It works fine, the only problem is that the MasterKey required for EncryptedSharedPreferences doesn't work on API 22 and 21. Here is a workaround, but I don't know how secure it is.

Seems like it can still be bypassed if the phone is rooted, but now it's more difficult.

Upvotes: 0
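The pattern the answer describes, written out as an added Kotlin example (this is not the answer's own code, nor part of the Jetpack libraries): the master key lives in AndroidKeyStore, EncryptedSharedPreferences holds the secret, and the app only reads the secret after BiometricPrompt reports success. It assumes the `androidx.security:security-crypto` and `androidx.biometric:biometric` dependencies and API 23 or later, which is the MasterKey limitation the answer mentions. The file and key names and the `Credential` type are placeholders; storing a server-issued long-lived token in place of the raw password is this example's choice, not something the answer states.

```kotlin
import android.content.Context
import android.content.SharedPreferences
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey

// Added example, not code from the original answer. Assumes API 23+ and the
// androidx security-crypto / biometric artifacts on the classpath.
object SecretStore {
    private const val PREFS_FILE = "session_secrets"    // placeholder file name
    private const val KEY_CREDENTIAL = "credential"     // placeholder pref key

    // The AES-256-GCM master key is generated inside AndroidKeyStore, so the
    // key material never leaves the keystore and is only usable by this app's UID.
    private fun prefs(context: Context): SharedPreferences {
        val masterKey = MasterKey.Builder(context)
            .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
            .build()
        return EncryptedSharedPreferences.create(
            context,
            PREFS_FILE,
            masterKey,
            EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,   // keys
            EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM  // values
        )
    }

    // Called once after a successful password login. Prefer storing a
    // server-issued long-lived token here rather than the password itself,
    // so a leak can be revoked server-side without a password change.
    fun save(context: Context, credential: String) {
        prefs(context).edit().putString(KEY_CREDENTIAL, credential).apply()
    }

    fun load(context: Context): String? =
        prefs(context).getString(KEY_CREDENTIAL, null)

    fun clear(context: Context) {
        prefs(context).edit().remove(KEY_CREDENTIAL).apply()
    }
}

// Shows the system biometric dialog; on success hands the stored credential
// to the caller, which then exchanges it with the back-end for a session token.
fun biometricSignIn(
    activity: FragmentActivity,
    onCredential: (String) -> Unit,
    onError: (String) -> Unit
) {
    val callback = object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
            val credential = SecretStore.load(activity)
            if (credential == null) onError("no stored credential; ask for the password")
            else onCredential(credential)
        }

        override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
            onError("biometric error $errorCode: $errString")
        }

        override fun onAuthenticationFailed() {
            // A non-matching fingerprint; the prompt stays open, nothing to do here.
        }
    }

    val prompt = BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
    val info = BiometricPrompt.PromptInfo.Builder()
        .setTitle("Sign in")
        .setNegativeButtonText("Use password")
        .build()
    prompt.authenticate(info)
}
```

One caveat worth knowing before relying on this: in the form above the keystore key is not tied to the biometric check at all. The `onAuthenticationSucceeded` branch is an ordinary app-side `if`, so code running with the app's UID on a rooted device can call `SecretStore.load` directly, which is the residual weakness the answer alludes to. Android lets you close part of that gap by marking the key as requiring user authentication (`KeyGenParameterSpec.Builder.setUserAuthenticationRequired(true)`) and passing a `BiometricPrompt.CryptoObject` into `authenticate`, so the keystore itself refuses to decrypt unless the biometric succeeded; that also means the secret is lost when the user enrolls a new fingerprint, so the app must fall back to the password path in that case.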
