Locked biometric authenticator
The software-based biometric authenticators shipped with the Nevis Mobile Authentication SDK depend on the operating system of the device. The biometric capabilities of the device (fingerprint scanning or facial recognition) also dictate the behavior of the biometric authenticators. These authenticators forward every call that needs access to biometrics to the operating system of the device. The system controls access to the biometric data and, in some cases, can also block it. When that happens, the biometric authenticators are locked until the system allows the use of the biometric capabilities of the device again. A locked authenticator cannot be used for user verification until it is unlocked. To unlock an authenticator, the system requires the user to provide the credential they use for the device lock screen.
The decision logic for blocking access to the biometric capabilities differs from one device vendor to another, and the biometric authenticators have no control over the implementation of this logic. The behavior on an iPhone differs from the behavior on Android, and the logic also differs from one device model to another.
In any case, the SDK knows when an authenticator is locked, and informs the mobile application about this state. It is then the responsibility of the mobile application to provide a flow to unlock the authenticator.
Unlocking the authenticator must not be confused with user verification. Even when the user provides their credential to re-enable the biometric capabilities of the device, this does not replace the user verification process required by the FIDO specifications: the biometric authenticator still performs user verification after the biometric capability is re-enabled. Consequently, a FIDO operation that runs into a locked authenticator is cancelled, and it must be restarted from scratch.
There are two general ways to unlock a biometric authenticator:
- The mobile application implements functionality to ask the user for the credential that is used with the device lock.
- The user locks the device, and unlocks it by providing their credential on the device lock.
The advantage of the first option is that the user does not have to leave the mobile application, whereas the second option unlocks the biometric authenticator without additional development time and effort invested in the mobile application.
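The following added example models the first option and the cancel-and-restart rule described above. It is not code from the Nevis Mobile Authentication SDK; every class and function name in it is a hypothetical stand-in, and the point it enforces is that the device-credential unlock never counts as FIDO user verification and that the cancelled operation is started again from scratch rather than resumed.

```python
"""App-side handling of a locked biometric authenticator (added illustration;
the names below are hypothetical and are not the Nevis SDK API)."""
from dataclasses import dataclass
from enum import Enum, auto
import itertools


class OperationResult(Enum):
    SUCCESS = auto()
    CANCELLED_AUTHENTICATOR_LOCKED = auto()


@dataclass
class BiometricAuthenticator:
    """Stand-in for the OS-backed biometric authenticator."""
    locked: bool = False        # set by the operating system, never by the app
    verifications: int = 0      # completed biometric user verifications

    def verify_user(self) -> bool:
        """FIDO user verification; impossible while the OS keeps biometrics locked."""
        if self.locked:
            return False
        self.verifications += 1
        return True

    def unlock_with_device_credential(self, credential_ok: bool) -> None:
        """Re-enable biometrics with the device lock-screen credential.
        This is NOT a user verification, so `verifications` stays untouched."""
        if credential_ok:
            self.locked = False


_op_ids = itertools.count(1)


def run_fido_operation(auth: BiometricAuthenticator) -> tuple[int, OperationResult]:
    """One FIDO operation needing user verification. A locked authenticator
    cancels it outright; the operation is never suspended for later resumption."""
    op_id = next(_op_ids)
    if not auth.verify_user():
        return op_id, OperationResult.CANCELLED_AUTHENTICATOR_LOCKED
    return op_id, OperationResult.SUCCESS


def authenticate_with_unlock_flow(auth: BiometricAuthenticator,
                                  credential_ok: bool) -> list[tuple[int, OperationResult]]:
    """First unlock option: on a locked authenticator, collect the device
    credential inside the app, then start a *new* operation from scratch."""
    history = [run_fido_operation(auth)]
    if history[-1][1] is OperationResult.CANCELLED_AUTHENTICATOR_LOCKED:
        auth.unlock_with_device_credential(credential_ok)
        history.append(run_fido_operation(auth))  # fresh id; verification runs again
    return history
```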