This repository has been archived by the owner on Feb 20, 2023. It is now read-only.

[Feature] Encrypt device biometrics for authenticating Saved Logins #20096

Closed
PranavBhattarai opened this issue Jun 20, 2021 · 4 comments
@PranavBhattarai

PranavBhattarai commented Jun 20, 2021

Why am I asking for this? Let's give a real-life scenario where using the device fingerprint is really bad:

  • How hard is it for your friend/anyone close/a hacker/CCTV to notice your four-digit PIN?

People can add fingerprints if they know the user's device PIN, which is not a good thing.

I think it would be great if Firefox kept the fingerprint within itself, especially when it doesn't have the option of a master password for mobile anymore. Like how some banking applications keep the user's fingerprint to themselves for the next login after the device is registered.

A discussion was made here on Reddit about this issue.


@github-actions github-actions bot added the needs:triage Issue needs triage label Jun 20, 2021
@PranavBhattarai PranavBhattarai changed the title For user "Saved Logins" should not use device fingerprints. Instead, it keeps the user fingerprint encrypted separately inside user data. Jun 21, 2021
@eliserichards eliserichards changed the title "Saved Logins" should not use device fingerprints. Instead, it keeps the user fingerprint encrypted separately inside user data. [Feature] Encrypt device biometrics for authenticating Saved Logins Jun 21, 2021
@eliserichards eliserichards added feature request 🌟 New functionality and improvements Feature:Logins Feature:Privacy&Security and removed needs:triage Issue needs triage labels Jun 21, 2021
@jonalmeida
Contributor

It's not possible for any app to actually read directly from the fingerprint reader, nor should we do this if it were possible. There is nothing more secure that we can do with that data than the OS can.

People can add fingerprints if they know the user's device pin, which is not a good thing.

Also mentioned in the Reddit thread: if someone knows your PIN, all bets are off. You should immediately change your PIN if that is the case. If you have a shared device, consider using multiple profiles, one for each user.

I'm going to close this as WONTFIX. We can re-open it if I've misunderstood the intention.
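To show what "let the OS handle the biometric" looks like in practice, here is an added Kotlin example (not Fenix code, and not from anyone in this thread) of the Android pattern an app uses instead of touching fingerprint data: a Keystore AES key that can only be used after a BiometricPrompt succeeds and that is permanently invalidated when a new fingerprint is enrolled, which addresses the "someone with the PIN adds a fingerprint" concern above. The key alias and the `activity`/`executor`/`ciphertext`/`iv` parameters are assumptions; it needs the `androidx.biometric` library.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricPrompt
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import java.util.concurrent.Executor
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

private const val KEY_ALIAS = "saved_logins_wrapping_key" // hypothetical alias

// The key lives in AndroidKeyStore: the app never sees biometric data, only a key handle.
fun createBiometricBoundKey(): SecretKey {
    val spec = KeyGenParameterSpec.Builder(
        KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setUserAuthenticationRequired(true)        // every use needs a fresh OS auth
        .setInvalidatedByBiometricEnrollment(true)  // API 24+: new fingerprint => key is dead
        .build()
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        .apply { init(spec) }.generateKey()
}

fun loadKey(): SecretKey? =
    KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
        .getKey(KEY_ALIAS, null) as? SecretKey

// Returns null when the key was invalidated (new biometric enrolled): the caller must
// discard the wrapped logins and re-create the key after the user signs in again.
fun decryptCipherFor(iv: ByteArray): Cipher? = try {
    Cipher.getInstance("AES/GCM/NoPadding").apply {
        init(Cipher.DECRYPT_MODE, loadKey() ?: return null, GCMParameterSpec(128, iv))
    }
} catch (e: KeyPermanentlyInvalidatedException) { null }

fun unlockLogins(activity: FragmentActivity, executor: Executor, ciphertext: ByteArray,
                 iv: ByteArray, onPlaintext: (ByteArray) -> Unit) {
    val cipher = decryptCipherFor(iv) ?: return   // invalidated: force re-login instead
    val callback = object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
            // doFinal only works because the OS authorised this cipher operation.
            result.cryptoObject?.cipher?.let { onPlaintext(it.doFinal(ciphertext)) }
        }
    }
    val info = BiometricPrompt.PromptInfo.Builder().setTitle("Unlock saved logins")
        .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)
        .setNegativeButtonText("Cancel").build()
    BiometricPrompt(activity, executor, callback).authenticate(info, BiometricPrompt.CryptoObject(cipher))
}
```

Note that a PIN-holder who enrolls an extra fingerprint gets a `KeyPermanentlyInvalidatedException` rather than access; the stored logins remain unreadable until the account owner authenticates again by another route.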

@PranavBhattarai
Author

PranavBhattarai commented Jun 22, 2021

@jonalmeida

But doesn't that make the master password for desktop computers pointless? Because, "If someone knows the PIN of your computer, all bets are off. You should immediately change your PIN if that is the case."

Or should we bring back the master password to Firefox mobile? Because it is one of the safest ways Firefox could protect its own product (Lockwise).

@jonalmeida
Contributor

jonalmeida commented Jul 8, 2021

Because, "If someone knows your PIN of computer, all bets are off.

To a degree, yes, this is true. I am not a member of the security team on desktop but that is my understanding at least.

For Android, you are not limited to only a four-digit PIN. Android devices 5.0+ should all have options for a PIN, password, or pattern: https://support.google.com/android/answer/9079129?hl=en

@PranavBhattarai
Author

@jonalmeida I think people should know:

  1. "Bring back the master password" != "remove the current biometric authentication structure" ======> which depends on Android security
  2. "you are not limited to only a four-digit pin" ======> which depends on Android security

What is Firefox doing for its own Lockwise security?
Why does it completely need to depend on Android security?
Why isn't Firefox trying to protect itself!?

I'm not saying don't depend on/trust Android security.
All I'm saying is don't fully depend on/trust Android security. Have some faith in your own security mechanism too.
