Merge pull request #557 from /issues/556-face-biometric
Fix #556: Document limitations of facial authentication on Android
hvge authored Sep 22, 2023
2 parents cb40343 + 6684f4e commit b7dc088
Showing 1 changed file with 10 additions and 0 deletions.
10 changes: 10 additions & 0 deletions docs/PowerAuth-SDK-for-Android.md
Expand Up @@ -1811,6 +1811,16 @@ powerAuthSDK.authenticateUsingBiometrics(context, fragment, "Sign in", "Use the
Note that if the biometric authentication fails with too many attempts in a row (e.g. biometry is temporarily or permanently locked out), then PowerAuth SDK will generate an invalid biometry factor related key and the success is reported. This is an intended behavior and as the result, it typically lead to unsuccessful authentication on the server and increased counter of failed attempts. The purpose of this is to limit the number of attempts for attacker to deceive the biometry sensor.
<!-- end -->

### Facial Biometrics on Android

Currently, facial authentication only works with several Android device models. This is because to implement facial authentication securely, the PowerAuth SDK needs to protect the biometry-related key in the Android Keystore with a biometric sensor. This type of secure storage is only supported on devices with the `BIOMETRIC_STRONG (class 3)` sensor type, as explained in the official documentation:

- https://source.android.com/docs/security/features/biometric

The Android source codes contain a list of devices with strong biometry support.

- [biometric/biometric/src/main/res/values/devices.xml](https://cs.android.com/androidx/platform/frameworks/support/+/androidx-main:biometric/biometric/src/main/res/values/devices.xml;l=81)

### Biometry Factor-Related Key Lifetime

By default, the biometry factor-related key is invalidated after the biometry enrolled in the system is changed. For example, if the user adds or removes the finger or enrolls with a new face, then the biometry factor-related key is no longer available for the signing operation. To change this behavior, you have to provide `PowerAuthKeychainConfiguration` object with `linkBiometricItemsToCurrentSet` parameter set to `false` and use that configuration for the `PowerAuthSDK` instance construction:
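Review bot: the devices.xml link in the new "Facial Biometrics on Android" section points at a line number on the moving `androidx-main` branch (`;l=81`), so the anchor will drift as that file is edited; either drop the `;l=` suffix or pin the link to a specific commit or tagged androidx release. Two wording nits in the same section: "The Android source codes contain" should read "The Android source code contains", and "only works with several Android device models" is vague, since the next sentence explains the actual condition; saying "only on devices whose face sensor is classified as `BIOMETRIC_STRONG` (class 3)" and then pointing to the device list makes the limitation concrete. It would also help the reader to state what the caller observes on a device without a class 3 face sensor (whether the SDK falls back to fingerprint or reports biometry as unavailable), since that is the case this note exists for.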
