Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature request: Add Biometric Authentication Process as an Option #615

Closed
ttorii20 opened this issue Sep 19, 2023 · 7 comments
Closed

Feature request: Add Biometric Authentication Process as an Option #615

ttorii20 opened this issue Sep 19, 2023 · 7 comments

Comments

@ttorii20
Copy link

I am interested in adding a biometric authentication process for storage access authentication on each platform. Specifically, I'd like to introduce an option that requires biometric authentication when accessing the keychain on iOS and the keystore on Android.

Currently, flutter_secure_storage does not have such a feature, and there's no way to set this as an option. I believe adding the ability to set a biometric authentication process as an option would be beneficial.

Differences Across Platforms

The method of requesting biometric authentication from the user varies by platform. On iOS, the keychain handles the responsibility of controlling the biometric authentication dialog. In contrast, the Android keystore does not. Therefore, it's necessary to handle errors and display the biometric authentication dialog when required on Android.

For Android:
I'd like to introduce options similar to setUserAuthenticationRequired and setUserAuthenticationValidityDurationSeconds. Here's a snippet to illustrate the desired functionality:

  private SharedPreferences initializeEncryptedSharedPreferencesManagerAuthenticationRequired(Context context,
            int authenticationValidityDurationSeconds) throws GeneralSecurityException, IOException {
        MasterKey key = new MasterKey.Builder(context, masterKeyAlias)
                .setKeyGenParameterSpec(
                        new KeyGenParameterSpec.Builder(masterKeyAlias,
                                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                                .setKeySize(256)
                                .setUserAuthenticationRequired(true)
                                .setUserAuthenticationValidityDurationSeconds(
                                    authenticationValidityDurationSeconds
                                )
                                .setInvalidatedByBiometricEnrollment(true)
                                .build())

For iOS:
I'd like to introduce an option to set SecAccessControlCreateFlags.biometryCurrentSet for the keychain. Here's a snippet to illustrate the desired functionality:


if let accessControl = accessControl {
    var secAccessControlCreateFlags: SecAccessControlCreateFlags
    // ... other code ...
    }  else if accessControl == "biometryCurrentSet" {
        secAccessControlCreateFlags = SecAccessControlCreateFlags.biometryCurrentSet
    }  else {
        abort()
    }
    // ... other code ...
    accessControlCreateWithFlags = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
                                                                           attrAccessible,
                                                                           secAccessControlCreateFlags,
                                                                           &error)
 // ... other code ...
    var keychainQuery = baseQuery(key: key, groupId: groupId, accountName: accountName, synchronizable: synchronizable, returnData: nil, accessControl: accessControlCreateWithFlags)
   // ... other code ...
   return SecItemAdd(keychainQuery as CFDictionary, nil)

}

Anticipated Use Case

The primary use case I envision is during user login, where biometric authentication is performed to access the necessary information for authentication.
@MacOMNI
Copy link

MacOMNI commented Oct 2, 2023

That is a good idea!!

@bogdannedelcu
Copy link

@ttorii20 please add for Android also a flag to force the storage of the key on the TEE, not doing so would result in not creating the key. This is important for certification processes

@ttorii20
Copy link
Author

@bogdannedelcu
Thanks for bringing this up. Just to be sure, are you suggesting we add an IsStrongBoxBacked flag for Android? And if it's about beefing up security, should we roll this into the main stream instead of a fork?

@bogdannedelcu
Copy link

bogdannedelcu commented Dec 26, 2023 via email
edited
Loading

@u382514
Copy link

u382514 commented Feb 15, 2024

I second this and would love to see this sooner than later. Seems like the the current approach is to retrieve a simple true/false from biometrics (using local_auth package?) and using that as the sole trust to access secure storage for the data. I'd like to not just get a true/false but that secure storage cannot literally access the keychain/keystore unless biometric auth has opened it up.

@humphrey
Copy link

+1 for this.

@juliansteenbakker
Copy link
Owner

I am closing all older issues. If this issue still exists in the latest version, please let me know.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@humphrey @u382514 @MacOMNI @bogdannedelcu @ttorii20 @juliansteenbakker