Secure Your Android App: Implementing Biometric Authentication
Security is a cornerstone of modern mobile development. Users expect to reach sensitive data quickly without giving up safety, so replacing manual PIN entry with biometric authentication (fingerprint or face) has become the norm. On Android, the BiometricPrompt API, exposed through the AndroidX Biometric library, is the recommended and most consistent way to do this.
Why BiometricPrompt?
In the past, developers had to juggle different APIs for different hardware (FingerprintManager, vendor SDKs). BiometricPrompt provides a single, system-drawn UI that users learn to recognise, which builds trust. It hides the hardware differences and, importantly for privacy, your app never receives the biometric data itself: the comparison happens in the system (and on most devices in a secure environment), and the app only gets a success, failure, or error callback.
Step 1: Adding Dependencies and Permissions
First, add the library to your module-level build.gradle.kts. The AndroidX Biometric library wraps the platform API and falls back to the older FingerprintManager-based flow on devices below API 28, so one code path covers old and new devices.
dependencies {
    // 1.2.0-alpha05 is a pre-release; pin to a stable release (1.1.0 is the current stable) for production builds.
    implementation("androidx.biometric:biometric:1.2.0-alpha05")
}
You also need to declare the biometric permission in your AndroidManifest.xml. It is a normal (install-time) permission, so no runtime request is needed:
<uses-permission android:name="android.permission.USE_BIOMETRIC" />
Step 2: Checking for Biometric Availability
Before showing the prompt, verify that the device has biometric hardware and that the user has enrolled at least one biometric of the strength you require. Use BiometricManager for this check; canAuthenticate(int) takes an authenticator mask and needs library version 1.1.0 or newer. Requesting BIOMETRIC_STRONG (Class 3) is what you want if you will later bind a cryptographic key to the authentication.
import android.util.Log
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG

val biometricManager = BiometricManager.from(this)
when (biometricManager.canAuthenticate(BIOMETRIC_STRONG)) {
    BiometricManager.BIOMETRIC_SUCCESS ->
        Log.d("Biometric", "Class 3 (strong) biometrics are available and enrolled")
    BiometricManager.BIOMETRIC_ERROR_NO_HARDWARE ->
        Log.e("Biometric", "No biometric hardware on this device")
    BiometricManager.BIOMETRIC_ERROR_HW_UNAVAILABLE ->
        Log.e("Biometric", "Biometric hardware is currently unavailable")
    BiometricManager.BIOMETRIC_ERROR_NONE_ENROLLED ->
        // Nothing enrolled: offer the system enrollment screen (Settings.ACTION_BIOMETRIC_ENROLL on API 30+) or your password fallback.
        Log.w("Biometric", "No biometrics enrolled")
    else ->
        // BIOMETRIC_ERROR_SECURITY_UPDATE_REQUIRED, BIOMETRIC_ERROR_UNSUPPORTED or BIOMETRIC_STATUS_UNKNOWN
        Log.w("Biometric", "Biometrics not usable on this device; fall back to password")
}
Step 3: Creating the Authentication Callback
The callback receives the outcome of the authentication attempt. It has three methods: onAuthenticationSucceeded (the user was verified), onAuthenticationFailed (a biometric was presented but not recognised, for example the wrong finger; the prompt stays open so the user can retry), and onAuthenticationError (unrecoverable conditions such as lockout after too many attempts, hardware errors, the user cancelling, or the user tapping the negative button). All three run on the executor you pass in.
import android.util.Log
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat

// Main-thread executor so the callbacks can touch the UI directly.
val executor = ContextCompat.getMainExecutor(this)
val authenticationCallback = object : BiometricPrompt.AuthenticationCallback() {
    override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
        super.onAuthenticationSucceeded(result)
        // The user is verified; unlock the protected part of the app here.
    }
    override fun onAuthenticationFailed() {
        super.onAuthenticationFailed()
        // Biometric not recognised; the system prompt remains visible for another attempt.
    }
    override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
        super.onAuthenticationError(errorCode, errString)
        // Unrecoverable: lockout, hardware error, or the user cancelled / tapped the negative button.
        if (errorCode == BiometricPrompt.ERROR_NEGATIVE_BUTTON || errorCode == BiometricPrompt.ERROR_USER_CANCELED) {
            // Route to the password/PIN fallback instead of showing an error.
        } else {
            Log.w("Biometric", "Authentication error $errorCode: $errString") // e.g. show errString in a toast
        }
    }
}
Step 4: Launching the Prompt
Now build the PromptInfo and show the dialog. This is where you set the title and description the user sees. A title is mandatory, and when DEVICE_CREDENTIAL is not among the allowed authenticators (as here) you must also set the negative button text; conversely, if you do allow DEVICE_CREDENTIAL you must not set a negative button, because the system shows its own "Use PIN/pattern/password" option.
import androidx.biometric.BiometricPrompt
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG

// `this` must be a FragmentActivity (e.g. AppCompatActivity); the prompt is tied to its lifecycle.
val biometricPrompt = BiometricPrompt(this, executor, authenticationCallback)
val promptInfo = BiometricPrompt.PromptInfo.Builder()
    .setTitle("Biometric Login")                        // required
    .setSubtitle("Log in using your biometric credential")
    .setNegativeButtonText("Use Password")             // required because DEVICE_CREDENTIAL is not allowed
    .setAllowedAuthenticators(BIOMETRIC_STRONG)        // Class 3 only; also required if you later pass a CryptoObject
    .build()
biometricPrompt.authenticate(promptInfo)
Best Practices
Always provide a fallback. Not every user wants biometrics, enrollment can be missing, and sensors fail or lock out; make sure the negative button (or DEVICE_CREDENTIAL) lets the user continue with a password or PIN. More importantly, treat onAuthenticationSucceeded on its own as a UI signal, not as proof. Nothing cryptographic happens in that callback, so an attacker on a rooted device who hooks the callback, or who flips a "biometricPassed" boolean you saved in SharedPreferences, gets the same result as a real fingerprint. For anything that actually protects data, bind the authentication to an AndroidKeyStore key created with setUserAuthenticationRequired(true) and hand the system a Cipher through BiometricPrompt.CryptoObject. The Keystore (backed by the TEE or StrongBox) then refuses to use the key until the user has genuinely authenticated, and the Cipher returned in result.cryptoObject is the only one that can encrypt or decrypt your local data. This requires BIOMETRIC_STRONG; Class 2 (BIOMETRIC_WEAK) authenticators cannot be combined with a CryptoObject. Leave setInvalidatedByBiometricEnrollment at its default of true so a newly enrolled fingerprint cannot unlock data protected before it existed, and handle the resulting KeyPermanentlyInvalidatedException by re-creating the key after the password fallback.
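The following is an added example, not code from the original article, showing the CryptoObject pattern described above end to end: a per-use AES-GCM key in AndroidKeyStore that requires a fresh Class 3 biometric, a prompt that carries the Cipher, and handling of the KeyPermanentlyInvalidatedException raised after re-enrollment. The object name BiometricCrypto, the alias app_vault_key, and the onResult callback shape are assumptions made for this example; the activity passed in must be a FragmentActivity.

```kotlin
import android.os.Build
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import android.util.Log
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// Hypothetical helper written for this example; names are assumptions, not part of the article.
object BiometricCrypto {
    private const val KEY_ALIAS = "app_vault_key"          // assumed alias
    private const val TRANSFORMATION = "AES/GCM/NoPadding"
    private const val TAG = "BiometricCrypto"

    private fun keyStore(): KeyStore =
        KeyStore.getInstance("AndroidKeyStore").apply { load(null) }

    // Generate (or load) an AES-256 key that the Keystore will only use right after a strong biometric auth.
    private fun getOrCreateKey(): SecretKey {
        (keyStore().getKey(KEY_ALIAS, null) as? SecretKey)?.let { return it }
        val builder = KeyGenParameterSpec.Builder(
            KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
        )
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setKeySize(256)
            .setUserAuthenticationRequired(true)
            // Default is already true: a newly enrolled fingerprint/face destroys this key.
            .setInvalidatedByBiometricEnrollment(true)
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
            // Timeout 0 = every single use needs its own fresh Class 3 biometric authentication.
            builder.setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)
        } else {
            @Suppress("DEPRECATION")
            builder.setUserAuthenticationValidityDurationSeconds(-1) // same per-use semantics pre-API 30
        }
        return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
            .apply { init(builder.build()) }.generateKey()
    }

    // Encrypt `plaintext` only after the user passes the biometric prompt. Because the Cipher travels
    // inside the CryptoObject, a hooked onAuthenticationSucceeded() without real auth cannot use the key.
    fun encryptAfterBiometric(
        activity: FragmentActivity,
        plaintext: ByteArray,
        onResult: (Result<Pair<ByteArray, ByteArray>>) -> Unit   // success = (iv, ciphertext)
    ) {
        val cipher = Cipher.getInstance(TRANSFORMATION)
        try {
            cipher.init(Cipher.ENCRYPT_MODE, getOrCreateKey())   // Keystore picks a random IV for GCM
        } catch (e: KeyPermanentlyInvalidatedException) {
            // Biometrics were re-enrolled since the key was created. Delete the dead key; the caller
            // should re-authenticate with the password fallback and re-encrypt the data under a new key.
            keyStore().deleteEntry(KEY_ALIAS)
            onResult(Result.failure(e)); return
        }

        val callback = object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                // Always use the Cipher the system hands back, not a reference captured earlier.
                val authedCipher = result.cryptoObject?.cipher
                if (authedCipher == null) {
                    onResult(Result.failure(IllegalStateException("no CryptoObject returned"))); return
                }
                val ciphertext = authedCipher.doFinal(plaintext)
                onResult(Result.success(authedCipher.iv to ciphertext))
            }
            override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
                Log.w(TAG, "auth error $errorCode: $errString")   // ERROR_NEGATIVE_BUTTON -> password path
                onResult(Result.failure(SecurityException(errString.toString())))
            }
        }

        val promptInfo = BiometricPrompt.PromptInfo.Builder()
            .setTitle("Unlock your vault")
            .setSubtitle("Confirm your identity to protect your data")
            .setNegativeButtonText("Use Password")
            .setAllowedAuthenticators(BIOMETRIC_STRONG)   // CryptoObject requires Class 3 biometrics
            .build()

        BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
            .authenticate(promptInfo, BiometricPrompt.CryptoObject(cipher))
    }

    // Decryption follows the same flow: build this Cipher, wrap it in a CryptoObject, and call
    // authenticate(); only the Cipher returned in the success callback can run doFinal(ciphertext).
    fun decryptCipherFor(iv: ByteArray): Cipher =
        Cipher.getInstance(TRANSFORMATION).apply {
            init(Cipher.DECRYPT_MODE, getOrCreateKey(), GCMParameterSpec(128, iv))
        }
}
```

Store the IV next to the ciphertext (it is not secret) and never the key. Because the key is created with a zero timeout, the Keystore itself enforces the "one authentication per use" rule in hardware; the app's success callback is reduced to a convenience, which is the property you want.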
By following this guide, you provide a seamless and secure experience that aligns with modern Android standards.