I've got an app that uses BiometricPrompt to implement biometric-based authentication. I've noted that some devices offer Iris/Face recognition as an option alongside fingerprint scan.
I want my app to only allow fingerprint scanning. Is it possible to only allow this? Alternatively, would it be possible to determine what method the user selected to authenticate so I could deny the request in my callback code?
My worry is invalid.
Here's the official word:
While both strong and weak biometrics will be allowed to unlock a device, weak biometrics:
Require the user to re-enter their primary PIN, pattern, password or a strong biometric to unlock a device after a 4-hour window of inactivity, such as when left at a desk or charger. This is in addition to the 72-hour timeout that is enforced for both strong and weak biometrics.
Are not supported by the forthcoming BiometricPrompt API, a common API for app developers to securely authenticate users on a device in a modality-agnostic way.
Can't authenticate payments or participate in other transactions that involve a KeyStore auth-bound key.
Must show users a warning that articulates the risks of using the biometric before it can be enabled.
These measures are intended to allow weaker biometrics, while reducing the risk of unauthorized access.
https://android-developers.googleblog.com/2018/06/better-biometrics-in-android-p.html
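As an added illustration (not code from the question, the answer, or the Android team), here is how the restriction the answer describes is expressed with the AndroidX Biometric library. The API is modality-agnostic, so it cannot select "fingerprint" specifically; the enforceable knob is the biometric class. Requesting `BIOMETRIC_STRONG` (Class 3) excludes weak face/iris implementations, and binding the operation to a Keystore key created with `setUserAuthenticationRequired(true)` makes the Keystore enforce the same rule, independently of the UI. Assumptions: androidx.biometric 1.1.0 or later, minSdk 24, and `KeyProperties.AUTH_BIOMETRIC_STRONG` on API 30+; the key alias and button strings are placeholders.

```kotlin
// Added example, not from the original post. Assumes androidx.biometric 1.1.0+ and minSdk 24;
// KeyProperties.AUTH_BIOMETRIC_STRONG needs API 30 and is guarded below.
import android.os.Build
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

private const val KEY_ALIAS = "example_strong_biometric_key" // hypothetical alias

/** Create (or load) an AES key that the Keystore only releases after a Class 3 biometric succeeds. */
fun getOrCreateAuthBoundKey(): SecretKey {
    val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    (ks.getKey(KEY_ALIAS, null) as? SecretKey)?.let { return it }

    val builder = KeyGenParameterSpec.Builder(
        KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        // Keystore, not the app, enforces this: the key is unusable until the user authenticates.
        .setUserAuthenticationRequired(true)
        // A newly enrolled biometric permanently invalidates the key.
        .setInvalidatedByBiometricEnrollment(true)
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
        // timeout 0 = every use needs a fresh authentication, and only Class 3 biometrics qualify.
        builder.setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)
    }
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        .apply { init(builder.build()) }
        .generateKey()
}

/** Show a prompt that accepts only strong biometrics; hand the unlocked cipher to the caller. */
fun showStrongBiometricPrompt(
    activity: FragmentActivity,
    onSuccess: (Cipher) -> Unit,
    onFail: (String) -> Unit
) {
    // 1. Refuse early if no Class 3 biometric is available or enrolled on this device.
    when (BiometricManager.from(activity).canAuthenticate(BIOMETRIC_STRONG)) {
        BiometricManager.BIOMETRIC_SUCCESS -> Unit
        BiometricManager.BIOMETRIC_ERROR_NONE_ENROLLED -> return onFail("No strong biometric enrolled")
        else -> return onFail("Strong biometric not available")
    }

    // 2. Allow BIOMETRIC_STRONG only. With no DEVICE_CREDENTIAL fallback a negative button is required.
    val promptInfo = BiometricPrompt.PromptInfo.Builder()
        .setTitle("Confirm with a Class 3 biometric")
        .setNegativeButtonText("Cancel")
        .setAllowedAuthenticators(BIOMETRIC_STRONG)
        .build()

    // The cipher is bound to the auth-bound key; it only becomes usable once the prompt succeeds.
    val cipher = Cipher.getInstance("AES/GCM/NoPadding").apply {
        init(Cipher.ENCRYPT_MODE, getOrCreateAuthBoundKey())
    }

    val callback = object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
            // 3. Defence in depth: confirm the result came from a biometric, not a PIN/pattern/password.
            if (result.authenticationType != BiometricPrompt.AUTHENTICATION_RESULT_TYPE_BIOMETRIC) {
                return onFail("Unexpected authentication type ${result.authenticationType}")
            }
            val unlocked = result.cryptoObject?.cipher ?: return onFail("No crypto object returned")
            onSuccess(unlocked)
        }

        override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
            onFail("Error $errorCode: $errString")
        }
    }

    BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
        .authenticate(promptInfo, BiometricPrompt.CryptoObject(cipher))
}
```

The CryptoObject is what ties the UI decision to the Keystore: even if a device's prompt misreported a weak modality, the auth-bound key would not be released and the cipher call on `unlocked` would fail, so the sensitive operation never proceeds on a weak factor.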