Skip to content

Commit 3455777

Browse files
authored
Merge pull request #91 from Lukhaas25/fix-android-weak-biometric-availability
fix(android): report weak-only biometrics as unavailable for strong auth
2 parents c9c49ad + bd75d8d commit 3455777

3 files changed

Lines changed: 28 additions & 19 deletions

File tree

README.md

Lines changed: 11 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -484,21 +484,21 @@ Get the native Capacitor plugin version.
484484

485485
Result from isAvailable() method indicating biometric authentication availability.
486486

487-
| Prop | Type | Description |
488-
| ------------------------------- | ------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
489-
| **`isAvailable`** | <code>boolean</code> | Whether authentication is available (biometric or fallback if useFallback is true) |
490-
| **`authenticationStrength`** | <code><a href="#authenticationstrength">AuthenticationStrength</a></code> | The strength of available authentication method (STRONG, WEAK, or NONE) |
491-
| **`biometryType`** | <code><a href="#biometrytype">BiometryType</a></code> | The primary biometry type available on the device. On Android devices with multiple biometry types, this returns MULTIPLE. Use this for display purposes only - always use isAvailable for logic decisions. |
492-
| **`deviceIsSecure`** | <code>boolean</code> | Whether the device has a secure lock screen (PIN, pattern, or password). This is independent of biometric enrollment. |
493-
| **`strongBiometryIsAvailable`** | <code>boolean</code> | Whether strong biometry (Face ID, Touch ID, or fingerprint on devices that consider it strong) is specifically available, separate from weak biometry or device credentials. |
494-
| **`errorCode`** | <code><a href="#biometricautherror">BiometricAuthError</a></code> | Error code from <a href="#biometricautherror">BiometricAuthError</a> enum. Only present when isAvailable is false. Indicates why biometric authentication is not available. |
487+
| Prop | Type | Description |
488+
| ------------------------------- | ------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
489+
| **`isAvailable`** | <code>boolean</code> | Whether authentication is available. On Android, `verifyIdentity()` uses a `CryptoObject` backed by `BIOMETRIC_STRONG`, so weak-only biometric methods such as some face unlock implementations are reported via `biometryType`/`authenticationStrength` but do not make this value `true`. If `useFallback` is true, PIN/pattern/password can make this value true. |
490+
| **`authenticationStrength`** | <code><a href="#authenticationstrength">AuthenticationStrength</a></code> | The strength of available authentication method (STRONG, WEAK, or NONE) |
491+
| **`biometryType`** | <code><a href="#biometrytype">BiometryType</a></code> | The primary biometry type available on the device. On Android devices with multiple biometry types, this returns MULTIPLE. Use this for display purposes only - always use isAvailable for logic decisions. |
492+
| **`deviceIsSecure`** | <code>boolean</code> | Whether the device has a secure lock screen (PIN, pattern, or password). This is independent of biometric enrollment. |
493+
| **`strongBiometryIsAvailable`** | <code>boolean</code> | Whether strong biometry (Face ID, Touch ID, or fingerprint on devices that consider it strong) is specifically available, separate from weak biometry or device credentials. |
494+
| **`errorCode`** | <code><a href="#biometricautherror">BiometricAuthError</a></code> | Error code from <a href="#biometricautherror">BiometricAuthError</a> enum. Only present when isAvailable is false. Indicates why biometric authentication is not available. |
495495

496496

497497
#### IsAvailableOptions
498498

499-
| Prop | Type | Description |
500-
| ----------------- | -------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
501-
| **`useFallback`** | <code>boolean</code> | Only for iOS. Specifies if should fallback to passcode authentication if biometric authentication is not available. On Android, this parameter is ignored due to BiometricPrompt API constraints: DEVICE_CREDENTIAL authenticator and negative button (cancel) are mutually exclusive. |
499+
| Prop | Type | Description |
500+
| ----------------- | -------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
501+
| **`useFallback`** | <code>boolean</code> | Whether passcode or device credentials should count toward biometric availability when no biometric is enrolled or available. - On iOS, this affects both `isAvailable()` and `verifyIdentity()`. - On Android, this is honored by `isAvailable()` only — the native check computes `fallbackAvailable = useFallback && deviceIsSecure` and reports availability accordingly. The `verifyIdentity()` flow ignores this option on Android due to BiometricPrompt API constraints (DEVICE_CREDENTIAL authenticator and negative button are mutually exclusive); use <a href="#biometricoptions">`BiometricOptions.useFallback`</a> (iOS-only) to control the auth-dialog fallback there. |
502502

503503

504504
#### PluginListenerHandle

android/src/main/java/ee/forgr/biometric/NativeBiometric.java

Lines changed: 0 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -129,9 +129,6 @@ private JSObject checkBiometryAvailability(boolean useFallback) {
129129
if (hasStrongBiometric) {
130130
authenticationStrength = AUTH_STRENGTH_STRONG;
131131
isAvailable = true;
132-
} else if (hasWeakBiometric) {
133-
authenticationStrength = AUTH_STRENGTH_WEAK;
134-
isAvailable = true;
135132
} else if (fallbackAvailable) {
136133
authenticationStrength = AUTH_STRENGTH_WEAK;
137134
isAvailable = true;

src/definitions.ts

Lines changed: 17 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -63,10 +63,16 @@ export interface Credentials {
6363

6464
export interface IsAvailableOptions {
6565
/**
66-
* Only for iOS.
67-
* Specifies if should fallback to passcode authentication if biometric authentication is not available.
68-
* On Android, this parameter is ignored due to BiometricPrompt API constraints:
69-
* DEVICE_CREDENTIAL authenticator and negative button (cancel) are mutually exclusive.
66+
* Whether passcode or device credentials should count toward biometric availability
67+
* when no biometric is enrolled or available.
68+
*
69+
* - On iOS, this affects both `isAvailable()` and `verifyIdentity()`.
70+
* - On Android, this is honored by `isAvailable()` only — the native check computes
71+
* `fallbackAvailable = useFallback && deviceIsSecure` and reports availability
72+
* accordingly. The `verifyIdentity()` flow ignores this option on Android due to
73+
* BiometricPrompt API constraints (DEVICE_CREDENTIAL authenticator and negative
74+
* button are mutually exclusive); use `BiometricOptions.useFallback` (iOS-only) to
75+
* control the auth-dialog fallback there.
7076
*/
7177
useFallback: boolean;
7278
}
@@ -76,7 +82,13 @@ export interface IsAvailableOptions {
7682
*/
7783
export interface AvailableResult {
7884
/**
79-
* Whether authentication is available (biometric or fallback if useFallback is true)
85+
* Whether authentication is available.
86+
*
87+
* On Android, `verifyIdentity()` uses a `CryptoObject` backed by
88+
* `BIOMETRIC_STRONG`, so weak-only biometric methods such as some face unlock
89+
* implementations are reported via `biometryType`/`authenticationStrength`
90+
* but do not make this value `true`.
91+
* If `useFallback` is true, PIN/pattern/password can make this value true.
8092
*/
8193
isAvailable: boolean;
8294
/**

0 commit comments

Comments
 (0)