Tags: android, amazon-web-services, amazon-cognito, face-recognition, android-fingerprint-api

How can I use biometrics login with Cognito on Android?


I need to develop an Android app that has MFA authentication.

To log in, the user needs to first insert his username & password and then, biometric data (fingerprint, face, or iris) to confirm his identity.

I want to use something like Cognito to store the biometrics login but honestly, I can't really understand how I would do this.

Is this doable?

And if so, how?


Solution

  • The simple answer - you can't.

    You can't pass biometric data that is being collected by the Android system (or iOS system) outside the phone.

    Neither face/iris nor fingerprint can be decoded in some readable format and sent to the third-party service.

    This is how the Android system works. As far as I know, iOS works the same - you cannot retrieve this data. Moreover, you cannot change this behaviour of the system (only in a very custom Android ROM, I suppose, and it will be quite hard to achieve).

    You can use fingerprint/iris/face unlock in your application though - you won't be sending anything to your servers, but you will be able to unlock the UI of your app - this is kind of the general use case as for now.

    Well, to be completely truthful - you can send something to the server - you can generate a secret key and encrypt it based on the biometric data, and with the biometric auth you can decrypt it and send it wherever you want. The secret won't represent actual biometric info, but it is something... (Cognito supports custom auth flows - maybe you will even be able to utilize this approach somehow.)

    Long story short - here is the official documentation about biometric auth and biometric-based encryption.

    Here is a codelab example.

    Here is a general schematic of how it all works.

    Here and here are nice articles about the topic.
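The "encrypt a secret, decrypt it only after biometric auth" idea from the answer above, written out as an added Kotlin example (not code from the answerer or from AWS). It assumes the androidx.biometric library, a hypothetical helper object and key alias, and that the sealed secret (for example a value the backend issued at enrollment, later used to answer a Cognito custom auth challenge) is stored by the caller; the AES key itself never leaves the Android Keystore.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// Hypothetical helper (object and alias names are assumptions, not part of the answer).
object BiometricSecretVault {
    private const val KEY_ALIAS = "device_secret_key"   // constructed alias
    private const val TRANSFORM = "AES/GCM/NoPadding"

    // AES key that the OS only releases to a cipher after a successful biometric unlock.
    private fun getOrCreateKey(): SecretKey {
        val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
        (ks.getKey(KEY_ALIAS, null) as? SecretKey)?.let { return it }
        val spec = KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setUserAuthenticationRequired(true)       // every use needs a fresh biometric
            .setInvalidatedByBiometricEnrollment(true) // new fingerprint enrolled -> key dies
            .build()
        return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
            .apply { init(spec) }.generateKey()
    }

    // ENCRYPT_MODE seals the secret (read cipher.iv afterwards and store it with the ciphertext);
    // DECRYPT_MODE with that iv recovers it. onReady gets a cipher authorised for one doFinal().
    // A KeyPermanentlyInvalidatedException from init() means biometrics changed: re-enrol.
    fun withBiometricCipher(activity: FragmentActivity, mode: Int, iv: ByteArray?,
                            onReady: (Cipher) -> Unit, onError: (CharSequence) -> Unit) {
        val cipher = Cipher.getInstance(TRANSFORM)
        if (mode == Cipher.ENCRYPT_MODE) cipher.init(mode, getOrCreateKey())
        else cipher.init(mode, getOrCreateKey(), GCMParameterSpec(128, requireNotNull(iv)))
        val callback = object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(r: BiometricPrompt.AuthenticationResult) {
                r.cryptoObject?.cipher?.let(onReady) ?: onError("no cipher returned")
            }
            override fun onAuthenticationError(code: Int, msg: CharSequence) = onError(msg)
        }
        val info = BiometricPrompt.PromptInfo.Builder().setTitle("Confirm it's you")
            .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)
            .setNegativeButtonText("Cancel").build()
        BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
            .authenticate(info, BiometricPrompt.CryptoObject(cipher))
    }
}
```

Because the cipher is bound to the prompt via CryptoObject, a successful decrypt proves the biometric check actually happened on-device; the server only ever sees the recovered secret, never any biometric data.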