A client recently added fingerprint authentication as an alternative form of signing in to their application which stores sensitive data.
Of course, the username and password are verified before allowing fingerprint authentication.
But this and other applications I've tested have had one major flaw which no one seems to talk about. All enrolled fingerprints on the phone are also allowed to have access to user accounts on the application. This means if I add my wife's fingerprint on my phone for some reason or the other, and I allow unlocking my banking application via my fingerprint, my wife is able to sign in freely to my banking application and perform operations on my behalf!
My question is, is there a way to bolster this feature for applications built to run on Android? Can developers integrate selecting what fingerprint (out of the multiple stored on the phone) is actually allowed access to user accounts?
CodePudding user response:
No. The purpose of in-app biometric authentication is to verify that you own the device, not to identify the user, because it is assumed that if there is more than one owner, each one of them will have their own separate user account created by Android's Multiple users feature. Multiple users have their own personal space for custom home screens, accounts, apps, settings and more. If the device is enrolled with multiple biometrics under the same account, the device will assume ownership by whoever successfully authenticates with their biometrics.
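As an added illustration (not part of the answer above, and not the asker's application code): Android gives an app no way to pick one enrolled fingerprint, but it can bind its unlock secret to an AndroidKeyStore key that the OS destroys whenever the set of enrolled biometrics changes, so a newly added finger forces a fall back to the password. The key alias and function names are assumptions; the API 30 `setUserAuthenticationParameters` call is the documented Keystore API.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

// Hypothetical alias for the key that wraps the app's session secret.
private const val KEY_ALIAS = "vault_unlock_key"

/** Called once, right after the username/password check has succeeded. */
fun createEnrollmentBoundKey(): SecretKey {
    val spec = KeyGenParameterSpec.Builder(
        KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        // Every use of the key needs a fresh strong-biometric authentication (API 30+).
        .setUserAuthenticationRequired(true)
        .setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)
        // Enrolling or removing any biometric permanently invalidates the key.
        // Caveat: fingers already enrolled when the key is created can still use it;
        // Android cannot tell one enrolled fingerprint from another.
        .setInvalidatedByBiometricEnrollment(true)
        .build()
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        .apply { init(spec) }.generateKey()
}

/**
 * Returns a cipher bound to the key, or null if the enrollment set changed since
 * the key was created (the app must then re-run the password login).
 * The returned cipher is handed to BiometricPrompt as CryptoObject(cipher);
 * doFinal() only works after the prompt has authorized that operation.
 */
fun cipherForUnlock(): Cipher? {
    val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    val key = ks.getKey(KEY_ALIAS, null) as? SecretKey ?: return null
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    return try {
        cipher.init(Cipher.ENCRYPT_MODE, key)
        cipher
    } catch (e: KeyPermanentlyInvalidatedException) {
        ks.deleteEntry(KEY_ALIAS)   // key is gone for good; require the password again
        null
    }
}
```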