Biometric authentication not working on Samsung Tablet(s)

[JeppeKlitgaard]

Description

Biometric authentication hangs forever when used with facial recognition of Samsung tablet.

System Setup

• Android version: 11
• Cryptomator version: v1.5.14 (2217)
• Cloud type: Google Drive (though not important here)
• Device: Samsung S6 Lite Tab

Steps to Reproduce

1. Enable biometric authentication for a vault in Cryptomator settings
2. Fill in correct password
3. Hangs forever on 'please wait'

Expected Behavior

Facial recognition as accepted biometric authentication.

OR

Suitable error message

Actual Behavior

Hangs forever, fails silently

Reproducibility

Always

Additional Information

log.txt

The relevant section seems to be:

I	20210420153625.458	BiomtricAuthSettngsPres	Password is correct
D	20210420153625.459	BiometricAuthentication	Show biometric auth prompt
E	20210420153625.476	CryptomatorApp	BaseErrorHandler detected a problem
io.reactivex.exceptions.UndeliverableException: The exception could not be delivered to the consumer because it has already canceled/disposed the flow or the exception has nowhere to go to begin with. Further reading: https://github.com/ReactiveX/RxJava/wiki/What's-different-in-2.0#error-handling | java.lang.RuntimeException: java.security.InvalidAlgorithmParameterException: java.lang.IllegalStateException: At least one biometric must be enrolled to create keys requiring user authentication for every use
	at io.reactivex.plugins.RxJavaPlugins.onError(RxJavaPlugins.java:367)
	at io.reactivex.android.schedulers.HandlerScheduler$ScheduledRunnable.run(HandlerScheduler.java:126)
	at android.os.Handler.handleCallback(Handler.java:938)
	at android.os.Handler.dispatchMessage(Handler.java:99)
	at android.os.Looper.loop(Looper.java:246)
	at android.app.ActivityThread.main(ActivityThread.java:8512)
	at java.lang.reflect.Method.invoke(Native Method)
	at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:602)
	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:1130)
Caused by: java.lang.RuntimeException: java.security.InvalidAlgorithmParameterException: java.lang.IllegalStateException: At least one biometric must be enrolled to create keys requiring user authentication for every use
	at org.cryptomator.util.crypto.KeyStoreBuilder$KeyStoreBuilderImpl.withKey(KeyStoreBuilder.java:68)
	at org.cryptomator.util.crypto.KeyStoreBuilder$KeyStoreBuilderImpl.withKey(KeyStoreBuilder.java:52)
	at org.cryptomator.util.crypto.BiometricAuthCryptor.<init>(BiometricAuthCryptor.java:25)
	at org.cryptomator.util.crypto.BiometricAuthCryptor.getInstance(BiometricAuthCryptor.java:31)
	at org.cryptomator.presentation.util.BiometricAuthentication.startListening(BiometricAuthentication.kt:50)
	at org.cryptomator.presentation.ui.activity.BiometricAuthSettingsActivity.showBiometricAuthenticationDialog(BiometricAuthSettingsActivity.kt:80)
	at org.cryptomator.presentation.presenter.BiometricAuthSettingsPresenter.onPasswordCheckSucceeded(BiometricAuthSettingsPresenter.kt:134)
	at org.cryptomator.presentation.presenter.BiometricAuthSettingsPresenter.access$onPasswordCheckSucceeded(BiometricAuthSettingsPresenter.kt:24)
	at org.cryptomator.presentation.presenter.BiometricAuthSettingsPresenter$checkPassword$1.onSuccess(BiometricAuthSettingsPresenter.kt:76)
	at org.cryptomator.presentation.presenter.BiometricAuthSettingsPresenter$checkPassword$1.onSuccess(BiometricAuthSettingsPresenter.kt:72)
	at org.cryptomator.domain.usecases.vault.CheckVaultPasswordUseCase$Launcher$1.onNext(CheckVaultPasswordUseCase.java:91)
	at org.cryptomator.domain.usecases.vault.CheckVaultPasswordUseCase$Launcher$1.onNext(CheckVaultPasswordUseCase.java:77)
	at io.reactivex.internal.operators.flowable.FlowableObserveOn$ObserveOnSubscriber.runAsync(FlowableObserveOn.java:407)
	at io.reactivex.internal.operators.flowable.FlowableObserveOn$BaseObserveOnSubscriber.run(FlowableObserveOn.java:176)
	at io.reactivex.android.schedulers.HandlerScheduler$ScheduledRunnable.run(HandlerScheduler.java:124)
	... 7 more
Caused by: java.security.InvalidAlgorithmParameterException: java.lang.IllegalStateException: At least one biometric must be enrolled to create keys requiring user authentication for every use
	at android.security.keystore.AndroidKeyStoreKeyGeneratorSpi.engineInit(AndroidKeyStoreKeyGeneratorSpi.java:294)
	at android.security.keystore.AndroidKeyStoreKeyGeneratorSpi$AES.engineInit(AndroidKeyStoreKeyGeneratorSpi.java:63)
	at javax.crypto.KeyGenerator.init(KeyGenerator.java:519)
	at javax.crypto.KeyGenerator.init(KeyGenerator.java:502)
	at org.cryptomator.util.crypto.CryptoOperationsFromApi23.lambda$initializeKeyGenerator$0(CryptoOperationsFromApi23.java:49)
	at org.cryptomator.util.crypto.-$$Lambda$CryptoOperationsFromApi23$bXybC7y8JHHInnrrd3jHe7tJwJ4.createKey(Unknown Source:4)
	at org.cryptomator.util.crypto.KeyStoreBuilder$KeyStoreBuilderImpl.withKey(KeyStoreBuilder.java:65)
	... 21 more
Caused by: java.lang.IllegalStateException: At least one biometric must be enrolled to create keys requiring user authentication for every use
	at android.security.keystore.KeymasterUtils.addSids(KeymasterUtils.java:288)
	at android.security.keystore.KeymasterUtils.addUserAuthArgs(KeymasterUtils.java:352)
	at android.security.keystore.AndroidKeyStoreKeyGeneratorSpi.engineInit(AndroidKeyStoreKeyGeneratorSpi.java:292)
	... 27 more

See also: 1password discussion

What I have tried

• Reinstalling Cryptomator
• Readding face unlock
• Rebooting

(and various combinations of those)

I should stress that face unlock IS enabled and working on the tablet. The tablet does not have a fingerprint sensor.

I think this might be a Samsung-specific problem. Given the market share of Samsung, it might be worthwhile to provide a biometric implementation for these devices as well. I am not familiar with Android development, but I believe there is a Samsung Pass API which can be used.

The UX impact of this issue could also be reduced by implementing #13 or PIN/Pattern authentication. Currently I am stuck with entering my lengthy vault passwords every time, since my device does not have a fingerprint sensor and face unlock does not work :(

Even if Samsung biometrics are not going to be implemented, this shouldn't fail silently.

---

I am really enjoying Cryptomatic and I am super excited for the Document Provider feature and #13.

[mieszk3]

Facial recognition in Samsung is not a strong biometric according to Android CDD (https://source.android.com/security/biometric). You need to use a strong method which in Samsung is only a fingerprint.

[JeppeKlitgaard]

In that case the option for a PIN would be greatly appreciated, as some tablets (for example the Samsung S6 Tab Lite) does not have a fingerprint sensor.

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.