Biometric security has made it easy to keep our phones secure, which means most of us are actually doing it. It's easy to argue that your fingerprint, your iris or a map of your face isn't as secure as a strong password, or that it is your identity rather than a passcode, but in the end, more people securing their phones is better for everyone. It's easy to understand why your bank wants you to secure your phone, but remember that some of your personal details are probably on someone else's phone, too.
We saw big changes to biometrics with Android 9. The introduction of the BiometricPrompt API tried to unify how different types of biometric authentication work by providing a single interface that covered fingerprint scanners (both capacitive and ultrasonic), iris scanning, and secure facial unlocking.
It was needed. Before the new APIs, developers had to use programming interfaces that weren't part of the operating system or build a workaround that used the standard fingerprint sensor APIs. Iris scanning depended on a Samsung SDK, Huawei's facial unlocking had its own programming interface, and so did HTC's. Android 10 made further changes so that everything — including the newly released Pixel 4 — could use a single way to authenticate without reinventing the wheel.
We also saw how that worked out in practice. App developers were slow to adopt it because of a couple of hurdles: the new programming interface still forced a direct query of the actual hardware, and it was the system, not the developers who actually wanted to include biometrics in an app, that decided whether a given sensor was "good enough".
Enter Android 11. With what seems like a simple change, the addition of defined authentication types, it's easier than ever for a developer to use any biometric hardware how they see fit.
Android now includes categories for weak biometrics, strong biometrics, and the device credential (your PIN, pattern, or password). In Android 10 a developer could only use what Google defined as secure biometrics: fingerprint scanners, iris scanners, and true 3D facial recognition. Because of a bug, that actually led to code being written to blacklist the most popular Android devices (Galaxy S8/Note 8, Galaxy S9/Note 9, Galaxy S10/Note 10) from using the BiometricPrompt API and fall back to the old workarounds built on the original fingerprint methods. Having a shiny new way of doing things means little when most devices can't even use it.
Now when a developer wants to include biometric authentication, they can look to all methods — including those marked as "weak" — to see which fit their needs best. Maybe your bank wants to only allow authentication marked as strong (it probably does) so it can ignore things like Android's standard facial recognition or even force you to enter your unlock code or PIN after authenticating if they are extremely security-conscious (they probably don't, but maybe they should).
Alternatively, something like a secure photo browser can allow weaker authentication methods like regular photo-based facial unlocking or even in-between solutions that almost meet the "strong" criteria like HTC's depth-sensing facial unlock.
Once that's out of the way all an app needs to do is tell the BiometricPrompt API to show you a dialog and it's done. No more custom coding or third-party SDKs or doing everything by hand. And that's how it should be; when things become easy (or easier) for developers, we benefit.
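As an added example (not code from the article), here is how an app on Android 11 expresses the two policies described above using androidx.biometric 1.1.0 or later: a bank-style policy that accepts only strong biometrics, and a photo-browser policy that also accepts weak ones and falls back to the device PIN. The `Policy` enum and `showPrompt` function are illustrative names; the authenticator constants and prompt APIs are the real ones.

```kotlin
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_WEAK
import androidx.biometric.BiometricManager.Authenticators.DEVICE_CREDENTIAL
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity

// Illustrative policy names; the flags are the Android 11 / androidx authenticator types.
enum class Policy(val authenticators: Int) {
    // Bank: Class 3 (strong) only. No PIN fallback, so the result can also be tied to a
    // Keystore key that requires strong biometric authentication.
    BANK(BIOMETRIC_STRONG),
    // Photo browser: Class 2 (weak, e.g. 2D face unlock) is acceptable, and so is the
    // lock-screen PIN/pattern/password as a fallback.
    PHOTO_BROWSER(BIOMETRIC_WEAK or DEVICE_CREDENTIAL)
}

fun showPrompt(activity: FragmentActivity, policy: Policy,
               onResult: (success: Boolean, usedDeviceCredential: Boolean) -> Unit) {
    // The app states the class it needs; the system only reports whether this device can
    // satisfy it (no hardware, nothing enrolled, security update required, ...).
    if (BiometricManager.from(activity).canAuthenticate(policy.authenticators)
            != BiometricManager.BIOMETRIC_SUCCESS) {
        onResult(false, false) // nothing usable for this policy: fall back to another factor
        return
    }

    val builder = BiometricPrompt.PromptInfo.Builder()
        .setTitle("Confirm it's you")
        .setAllowedAuthenticators(policy.authenticators)
    // The API forbids an app-supplied negative button when DEVICE_CREDENTIAL is allowed (the
    // system shows its own "Use PIN" button); for biometrics-only prompts one is required.
    if ((policy.authenticators and DEVICE_CREDENTIAL) == 0) {
        builder.setNegativeButtonText("Cancel")
    }

    val callback = object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
            // Reports which path the user actually took: a biometric or the credential fallback.
            val usedPin = result.authenticationType ==
                BiometricPrompt.AUTHENTICATION_RESULT_TYPE_DEVICE_CREDENTIAL
            onResult(true, usedPin)
        }
        // Unrecoverable error or user cancelled; a mere non-match (onAuthenticationFailed)
        // keeps the prompt on screen, so it needs no handling here.
        override fun onAuthenticationError(errorCode: Int, errString: CharSequence) =
            onResult(false, false)
    }
    BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
        .authenticate(builder.build())
}
```

With the BANK policy, a device whose only biometric is 2D face unlock is rejected up front by `canAuthenticate`, which is exactly the behaviour the article describes a bank wanting.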
See you on Android 11 very soon.
I have a Note 10 and Google Pay. On my old phone, with fingerprint but not facial recognition, Google Pay would come up and pay automatically if the phone were unlocked. Now, since I use facial recognition, it comes up and then asks me to authenticate with fingerprint or pattern even when the phone is unlocked to start with. Usually this means the cashier must re-submit the transaction to the payment terminal, which makes it an irritant for both them and me. Interestingly, if I use the Google Pay (with the additional authentication) it lets me purchase automatically on an unlocked phone for some amount of time - at least 15 minutes and maybe half an hour. If I unlock the phone with a fingerprint by holding the phone where it can't see my face, Google Pay works with just the unlocked phone - at least it did once. I don't know if this is normal or not, but if it is, then it would be nice if someone defined the different ways Google Pay would respond to various forms of authentication. If all I need to do is hold my phone away long enough to use fingerprint unlock, it would have saved me a lot of aggravation.
Google Pay requires a second factor if the last method of unlocking the phone was insecure, like 2D optical face unlock or a Bluetooth trusted device. If the fingerprint sensor was used to unlock it, then the transaction does not require the second form of ID. And if you have your phone set to lock after 15 minutes, it should still work during that time if it was unlocked securely. What I do is unlock using the fingerprint sensor. And if I accidentally unlocked the phone using face unlock, then I just lock it again and unlock with the fingerprint. As a side note, if you are connected to an insecure Wi-Fi, like public wireless, Google Pay will disable NFC payments.
Thanks for the info. I found that out by accident just a few days ago. Now if the fingerprint sensor would just work without having to lick my finger first I would be a happy camper.
Samsung's face unlock, and face unlock on Android in general, is inferior to Apple's Face ID on the iPhone. I know that's not what you want to hear, but that's the fact, especially when it can't even be used for anything else except unlocking your phone on Android, and it isn't nearly as secure as Apple's Face ID either. Galaxy S10 anyone?
Hey Jerry, thanks for mentioning HTC. It's rare these days. Though, I wonder what the criteria between insecure, almost secure, and secure are. HTC's 3D face mapping requires the same amount of work to bypass as Apple's Face ID, and is harder to bypass than the Pixel 4 face unlock. Not nitpicking; just genuinely curious from a technical perspective.
The fact is Apple got it right the first time with security, and I know this will annoy the Android diehard fanboys on here, but that's the reality, and while Android has improved on the security front, it still trails behind iPhone in security.
Google needs to make the new APIs mandatory for developers. I've had my Pixel 4 XL for 4 1/2 months, and NONE of my banking apps (7 of them) are compatible with face unlock. Authy not compatible either. Only Lastpass has updated (thankfully!). All of these apps have had updates, but none have switched to the new API. Extremely frustrating!