New & Improved Fingerprint Authentication in Android Apps


Google released the new BiometricPrompt as a replacement for FingerprintManager last September. We decided to test out whether we would be able to integrate it in our Android library which simplifies fingerprint authentication, called the Goldfinger–and whether a library like Goldfinger would even be necessary with the new API.

FingerprintManager vs. BiometricPrompt

During Google I/O ’18, Google announced BiometricPrompt which is used as a replacement for FingerprintManager. BiometricPrompt should choose the most appropriate biometric (fingerprint, face, iris) and display system dialog so that users have consistent behavior across all applications.

BiometricPrompt was introduced as an Android P feature, but Google also mentioned backwards-compatible BiometricPrompt, similar to how FingerprintManager and FingerprintManagerCompat behave.

Google finally released the first alpha version of androidx.biometrics library last September. While we expected the development of the library to be fast, it was stuck in the alpha version for almost a year. There was even an issue open!

At last, they released the beta1 version in August. We tested the beta1 version and were quite happy with how it works. There are several smaller issues, but those should be resolved by the time a stable version is released, hopefully.

Replacing FingerprintManager in Goldfinger

Two years ago, we created an Android library that simplifies Fingerprint authentication called Goldfinger. Our library was using deprecated FingerprintManager to that point, so we wanted to test out if we would be able to integrate BiometricPrompt in it, and whether a library like Goldfinger would even be neccessary with the new API.

We came to the conclusion that BiometricPrompt and FingerprintManager APIs are almost the same. The biggest improvement over FingerprintManager is that you don’t even need to know what CryptoObject is if you need simple user authentication without data encryption.

All other complexities regarding user authentication are still there–CryptoObject creation if a cipher is needed, cancel dispatched as an error after the developer invokes cancel himself, save and restore initialization vector, and others. For all those reasons, we decided to refactor Goldfinger’s internals to use the new BiometricPrompt API.

Welcome Goldfinger 2.0

Nowadays, Goldfinger API uses BiometricPrompt and has a new API that requires Goldfinger.PromptParams instance. Goldfinger.PromptParams are constructed via a builder pattern and you give it all values that are required for constructing BiometricPrompt. Afterwards, Goldfinger encapsulates all biometric complexities for you.

It creates CryptoObject asynchronously, starts biometric authentication, saves and restores initialization vector, handles weird edge cases introduced by on-screen fingerprint scanners, handles all system exceptions and returns them in a single callback, as well as offers you a separate Rx module.

Feedback is welcome

The current version is still a release candidate so we are looking for potential improvements and suggestions from the community. We plan on releasing the final, stable version as soon as androidx.biometrics leaves beta–feel free to drop us a comment, suggestion or even a pull request so that we can prepare Goldfinger 2.0 to be the best possible.