Detecting failed fingerprint authentication attempts in an Android app - authentication

Disclaimer: First of all I'm not an Android developer but a security professional.
My company wants to implement fingerprint authentication in its Android app and I'm wondering if there is any way to log the failed authentication attempts in the application?
According to my current understanding after the application calls the fingerprint authentication API of the OS it does not see how many times the user failed to provide a valid fingerprint, it only waits for a callback containing the key extracted from the keystore in case of successful authentication or a "fingerprint authentication canceled" message if the user decides not to use the fingerprint authentication and fall back to PIN authentication instead (let's suppose that this is implemented).

Yes, there's a way to log failed authentication attempts inside your application. You can use the authenticate method from the FingerprintManager class. Then, using an instance of the AuthenticationCallback you can log to any analytics platform (Firebase, for example) the events for each one of the callbacks. Or you can just log them on your own servers.

There are three other callbacks aside from onAuthenticationSucceeded:
onAuthenticationError
For fatal errors such as timeouts/lockouts.
onAuthenticationFailed
For non-fatal errors where a fingerprint was acquired but not recognized.
onAuthenticationHelp
For non-fatal errors where a fingerprint couldn't be acquired, e.g. the sensor is dirty or the user didn't keep the finger steady.
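The following is an added example, not code from the original answer or from the question's app: a FingerprintManager.AuthenticationCallback that records every outcome of a prompt so the application keeps its own audit trail of failed, unreadable and locked-out attempts. The AuthEventLogger interface is a hypothetical sink standing in for whatever analytics platform or server the app reports to; everything else uses the public Android API (API 23+, USE_FINGERPRINT permission).

```java
// Added example (not part of the original post). Audits fingerprint prompt
// outcomes by implementing all four FingerprintManager callbacks.
// AuthEventLogger is a hypothetical logging sink.
import android.content.Context;
import android.hardware.fingerprint.FingerprintManager;
import android.os.CancellationSignal;

import java.util.Locale;

public class FingerprintAttemptAuditor extends FingerprintManager.AuthenticationCallback {

    /** Hypothetical sink: an analytics SDK, your own server, local secure storage. */
    public interface AuthEventLogger {
        void log(String event, String detail);
    }

    private final AuthEventLogger logger;
    private int failedAttempts = 0;   // fingerprints acquired but not recognised
    private int helpEvents = 0;       // acquisition problems (dirty sensor, moved finger)

    public FingerprintAttemptAuditor(AuthEventLogger logger) {
        this.logger = logger;
    }

    /**
     * Starts a prompt. The returned signal lets the caller cancel it, for example
     * when the user chooses the PIN fallback.
     */
    public CancellationSignal start(Context context, FingerprintManager.CryptoObject crypto) {
        FingerprintManager fm = context.getSystemService(FingerprintManager.class);
        CancellationSignal cancel = new CancellationSignal();
        // flags is reserved and must be 0; a null handler delivers callbacks on the main thread
        fm.authenticate(crypto, cancel, 0, this, null);
        return cancel;
    }

    @Override
    public void onAuthenticationFailed() {
        // Non-fatal: a finger was read but matched no enrolled fingerprint. Prompt stays open.
        failedAttempts++;
        logger.log("fingerprint_failed", "attempt=" + failedAttempts);
    }

    @Override
    public void onAuthenticationHelp(int helpCode, CharSequence helpString) {
        // Non-fatal: no usable image (dirty sensor, partial touch). Prompt stays open.
        helpEvents++;
        logger.log("fingerprint_help",
                String.format(Locale.ROOT, "code=%d msg=%s", helpCode, helpString));
    }

    @Override
    public void onAuthenticationError(int errorCode, CharSequence errString) {
        // Fatal: the prompt is over. Separate the user's own cancellation (PIN fallback)
        // from a lockout, which is the event a security team most wants to see.
        String kind;
        switch (errorCode) {
            case FingerprintManager.FINGERPRINT_ERROR_LOCKOUT:
                kind = "lockout";
                break;
            case FingerprintManager.FINGERPRINT_ERROR_CANCELED:
                kind = "canceled";
                break;
            case FingerprintManager.FINGERPRINT_ERROR_TIMEOUT:
                kind = "timeout";
                break;
            default:
                kind = "other";
        }
        logger.log("fingerprint_error", String.format(Locale.ROOT,
                "kind=%s code=%d failed=%d help=%d msg=%s",
                kind, errorCode, failedAttempts, helpEvents, errString));
    }

    @Override
    public void onAuthenticationSucceeded(FingerprintManager.AuthenticationResult result) {
        // Record how many misses preceded the success; the keystore-backed cipher or
        // signature, if one was passed to start(), comes back via result.getCryptoObject().
        logger.log("fingerprint_success", "failed_before_success=" + failedAttempts);
    }
}
```

Two practical notes on this design. The counters are only the app's view of a single prompt: the OS enforces its own lockout after repeated misses regardless of what the app records, so the error callback with a lockout code is the reliable signal, not the app's count. FingerprintManager is deprecated from API 28 in favour of BiometricPrompt, whose AuthenticationCallback exposes the same four callbacks, so the logging logic above carries over unchanged.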

Related

Calling an external authentication system from a SCORM

I have the following question:
We implement several different LMSs and we are wondering if and how it could be possible to have a SCORM (hosted in an LMS) ask the user to authenticate to an external authentication system (other than the one of the LMS itself where the SCORM learning object is available) as the first action when the SCORM is launched; if this authentication fails, the user must not be allowed to take that learning. In other words, we want to understand whether it is possible to implement a sort of two-factor authentication method where factor 1 is the login to the LMS and factor 2 is the "login" requested by the specific SCORM; this factor 2, managed by the external authentication system, could be, for instance, an OTP code or an electronic identity card, or any other similar strong authentication factor, with the scope of enabling or not that user to take that SCORM content.
Thanks a lot
Daniele
There's no mechanism in SCORM for authentication. A SCO (a learning object or activity) generally assumes it is authenticated by default.
There are two solutions depending on what part you have control over:
The LMS could handle the external authentication flow and only deliver the SCO when that authentication succeeds.
The SCO could handle the external authentication (and persist this state e.g. in a cookie or local storage) and delay initialization with the RTE until the authentication has succeeded.
Note that SCOs are executed entirely in the browser so any authentication logic will have to run in the browser and be able to communicate with the external authentication system and a sufficiently technical user would be able to access the source code.

Using Ionic's Fingerprint AIO for database authentication

I'm building an Ionic app which uses the Fingerprint AIO native plugin.
When using the plugin, and successfully authenticating using my fingerprint, the plugin returns a generated string, which is different each time authentication is successful.
My question is this: Is there a way to use this string to authenticate with a database?
Or more broadly speaking, what are the concepts or best practices when authenticating using a fingerprint?
My first thought was to store that generated string and perform a check against my database, however this seems invalid because the string is different each time.
Any help would be appreciated :)
I don't know Fingerprint AIO.
On iOS or Android, when you ask a user to identify with biometrics, you only obtain success or failure.
On success, it proves that the current fingerprint is the fingerprint of the smartphone owner. So in your app, when the fingerprint match succeeds, the user can access secured data or functionality.
On Android you could save a key in the keystore and protect it by fingerprint: https://android-developers.googleblog.com/2015/10/new-in-android-samples-authenticating.html

Firebase certificate authentication

I have no interest in authenticating my clients as they are.
I do, however, want to make sure that anyone reaching my Firebase is authorized. Namely, that it's only via my Android app.
Could it be done somehow? I couldn't find any option or alternative in the Firebase documentation.
The best approach I see is to have my app signed by a certificate, and authorize itself using it.
To authenticate your app, use FCM (but regrettably, it requires server code):
Create an anonymous Firebase account.
Send an FCM message to your server, with the Firebase account uid.
The server will create a node such as /uids/$uid/enabled.
Have a rule to require it, e.g.:
".read" : "root.child('uids').child(auth.uid).child('enabled').val() == true"
The reason for the FCM message is that in order to send such a message, the app should be "registered", which means the developer's signing certificate for the app is known. Anyone attempting to send such an FCM message not through your app will fail, even if someone re-signs (and probably modifies) your app.
The drawback is, of course, that you need your server to receive FCMs, which is very easy on the device, but harder on the server side.

Will IBM MobileFirst provide a validation Id after app authenticity

I have two questions here which will be dependent on each other.
What happens after app authenticity, and if it's successful, will the server send back a validation Id to the app?
If the app gets the validation Id:
I want to send it to my web server, and on each call I want to send this validation Id to the adapter level to check if the validation Id is valid.
What happens after app authenticity, and if it's successful, will the app send back a validation Id to the app?
Please review the authenticity tutorial, which explains how authenticity works: https://developer.ibm.com/mobilefirstplatform/documentation/getting-started-7-1/foundation/authentication-security/application-authenticity-protection/
Authenticity check is done on the application. Not on the adapter.
The check happens at the first time the application attempts to connect to the server. If it fails you will no longer be able to run the app again unless it is removed and re-installed.
I want to send it to my web server, and on each call I want to send this validation Id to the adapter level to check if the validation Id is valid.
Per my explanation above, this is irrelevant.

Cannot register in sample BlackBerry push application

I am developing a BlackBerry application in which I need to use the Push API. I have already registered with RIM and they have sent me the credentials for the evaluation service. On my BlackBerry device, I installed the sample Push API application just to test that push messaging works. After setting the content provider URL, which is publicly accessible, I entered all the details for the sample application to register it for receiving notification messages. When trying to register it asks for a username and password but I don't know what they are for. In the email received from RIM, there are passwords for the server application and the content provider admin portal applications, but not for the push client.
When I added an arbitrary username and password it fails with the message java.lang.Exception Registration with Push API failed, caused by port is unavailable. But when I unregister, it successfully unregisters the user with the given arbitrary username and password. By the way, I use the port given in RIM's email.
I have no idea why this happens and I would appreciate an immediate response from you. Thank you.
The first thing to point out is that the RIM sample push application is ridiculously overcomplicated. The username and password you are referring to are used to authenticate against the sample push initiator web application which runs on your tomcat server. It doesn't matter what you put in there, they are not used for authentication. I can only assume they were added to show you that you can send a username and password to a web based service.
The only things you need in your BlackBerry app to register for the push service are:
Push Application ID (e.g. 2672-c870l6c924r1i298O4o33cc5391y0e75134)
Push Port (e.g. 31940)
BlackBerry Push Server URL (e.g. http://pushapi.eval.blackberry.com)
The "port is unavailable" message you're receiving is probably because the device you're using has not been provisioned for BlackBerry Internet Services (BIS). Make sure it has a SIM with an active BlackBerry data plan.