Error after Fingerprint touched on Samsung phones: android.security.KeyStoreException: Key user not authenticated


Solution 1

As I don't expect that the mentioned manufacturers will fix this issue soon, I've resolved it by setting the KeyGenParameterSpec.setUserAuthenticationRequired(false) for Samsung, OnePlus, Asus and some other devices.

Solution 2

Setting KeyGenParameterSpec.setUserAuthenticationRequired(false) can be a potential security issue. The above error should be handled similar to KeyPermanentlyInvalidatedException. KeyPermanentlyInvalidatedException is thrown on Cipher initialization if new fingerprints are added after your SecretKey is created. But, if the Cipher is initialized before the new fingerprints are added, you'll get the above KeyStoreException for Key User not authenticated, when you're trying to encrypt or decrypt with that Cipher.

It's easy to reproduce this error. While your app's fingerprint verification screen is in the background, try adding a new fingerprint. Now switch back to the app, and enter the fingerprint, the encryption or decryption methods would throw this error. I could resolve this issue by catching the exception and treating it the same way as KeyPermanentlyInvalidatedException.

Solution 3

Do NOT listen to the "setUserAuthenticationRequired(false)"

I have been able to reproduce this on Samsung by listening twice. What I think is happening is, you listen twice, authenticate on the one call, but reference it through another.

Add logs and check that you only start listening for fingerprint once and once only.

Solution 4

I experienced this issue too. In my case, it was due to the fact that I was accidentally starting two concurrent fingerprint authentications by calling FingerprintManager.authenticate() twice. The error disappeared once I removed the second call.
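Solutions 3 and 4 both come down to the same mistake: FingerprintManager.authenticate() is called a second time while the first call is still listening, and the Cipher that ends up being used is not the one the Keystore authorised. The following wrapper is an added example (not code from any of the answers) that keeps at most one authenticate() in flight, logs when a second call is attempted, cancels with the same CancellationSignal that was passed to authenticate(), and hands the caller the Cipher from the AuthenticationResult. The class and Listener names are assumed; it targets FingerprintManager (added in API 23, deprecated in API 28 in favour of BiometricPrompt) and needs android.permission.USE_FINGERPRINT.

```java
import android.hardware.fingerprint.FingerprintManager;
import android.os.CancellationSignal;
import android.util.Log;

import javax.crypto.Cipher;

/**
 * Guards FingerprintManager.authenticate() so that at most one authentication is
 * in flight, and delivers the Cipher from the AuthenticationResult (the one the
 * Keystore actually authorised) instead of a Cipher held in some other field.
 * Names (class, Listener) are assumptions for this example.
 */
final class SingleFlightFingerprintAuth extends FingerprintManager.AuthenticationCallback {
    private static final String TAG = "FingerprintAuth";

    interface Listener {
        void onAuthenticated(Cipher authorisedCipher);
        void onError(int errorCode, CharSequence message);
    }

    private final FingerprintManager manager;
    private final Listener listener;
    private CancellationSignal cancellationSignal; // non-null exactly while listening

    SingleFlightFingerprintAuth(FingerprintManager manager, Listener listener) {
        this.manager = manager;
        this.listener = listener;
    }

    /** Returns false (and logs) if a listen is already in progress: a second authenticate() is the bug. */
    boolean startListening(Cipher cipher) {
        if (cancellationSignal != null) {
            Log.w(TAG, "authenticate() already in flight; ignoring second startListening()");
            return false;
        }
        if (!manager.isHardwareDetected() || !manager.hasEnrolledFingerprints()) {
            Log.w(TAG, "no fingerprint hardware or no enrolled fingerprints");
            return false;
        }
        cancellationSignal = new CancellationSignal();
        manager.authenticate(new FingerprintManager.CryptoObject(cipher), cancellationSignal, 0, this, null);
        Log.d(TAG, "listening for fingerprint");
        return true;
    }

    /** Call from onPause(); this is the same CancellationSignal that was given to authenticate(). */
    void stopListening() {
        if (cancellationSignal != null) {
            cancellationSignal.cancel();
            cancellationSignal = null;
            Log.d(TAG, "stopped listening");
        }
    }

    boolean isListening() {
        return cancellationSignal != null;
    }

    @Override
    public void onAuthenticationSucceeded(FingerprintManager.AuthenticationResult result) {
        cancellationSignal = null; // the sensor stops on its own after a success
        // Use the Cipher the framework hands back: it is the one the Keystore authorised.
        listener.onAuthenticated(result.getCryptoObject().getCipher());
    }

    @Override
    public void onAuthenticationError(int errorCode, CharSequence errString) {
        cancellationSignal = null; // session over, including ERROR_CANCELED from stopListening()
        listener.onError(errorCode, errString);
    }

    @Override
    public void onAuthenticationFailed() {
        // Unrecognised finger: the framework keeps listening, nothing to reset here.
    }

    @Override
    public void onAuthenticationHelp(int helpCode, CharSequence helpString) {
        // Optional UI hint ("move your finger"); the session continues.
    }
}
```

Keep a single instance of this class in the Activity or Fragment that owns the fingerprint screen, call startListening(cipher) from onResume() and stopListening() from onPause(), and never let a second class call authenticate() on its own. If the warning about a second startListening() ever appears in the logs, that is the double-listen race the two answers describe.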

Solution 5

I also had this issue when using a Samsung Galaxy S8 with Android 8. To solve this problem I remove the key from the keystore, then generate a new key and use the newly generated key to encrypt and decrypt data:

// keyStore is an already loaded KeyStore.getInstance("AndroidKeyStore")
try {
    // Remove the key the Keystore refuses to use; it is regenerated afterwards
    keyStore.deleteEntry(KEY_ALIAS);
} catch (KeyStoreException e) {
    e.printStackTrace();
}
// ...then generate a fresh key under KEY_ALIAS and re-encrypt the data with it
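Solution 2 (treat "Key user not authenticated" like KeyPermanentlyInvalidatedException) and Solution 5 (delete the key and generate a new one) are the same recovery path; what neither answer shows is where the exception surfaces and how to recognise it. The class below is an added example, not code from the question or the answers: the key is created with setUserAuthenticationRequired(true), Cipher.init() catches KeyPermanentlyInvalidatedException, and Cipher.doFinal() on the Cipher returned by onAuthenticationSucceeded() walks the cause chain looking for android.security.KeyStoreException with the message the question reports. Both cases delete the key and throw one exception so the caller falls back to password login and then regenerates the key. The key alias, the AES/GCM transformation and the KeyInvalidatedException name are assumptions; the Keystore error is matched by class name and message string rather than by importing the class, so the code compiles regardless of whether android.security.KeyStoreException is in the public SDK for your compileSdk. Requires API 23.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/**
 * One AES key in the Android Keystore that is only usable after a fingerprint
 * authentication. "Key user not authenticated" from the Keystore is treated exactly
 * like KeyPermanentlyInvalidatedException: delete the key, make the caller fall
 * back to password login, then regenerate. KEY_ALIAS and the exception name are assumed.
 */
final class FingerprintKeyManager {
    private static final String ANDROID_KEYSTORE = "AndroidKeyStore";
    private static final String KEY_ALIAS = "fingerprint_protected_aes"; // hypothetical alias
    private static final String TRANSFORMATION = "AES/GCM/NoPadding";
    private static final int GCM_TAG_BITS = 128;
    private static final String KEYSTORE_EXCEPTION = "android.security.KeyStoreException";
    private static final String NOT_AUTHENTICATED = "Key user not authenticated";

    /** The fingerprint-bound key is unusable and has been deleted; re-authenticate with a password. */
    static final class KeyInvalidatedException extends Exception {
        KeyInvalidatedException(Throwable cause) {
            super("Fingerprint key invalidated, re-authenticate with password", cause);
        }
    }

    private static KeyStore loadKeyStore() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(ANDROID_KEYSTORE);
        ks.load(null);
        return ks;
    }

    /** Creates a fresh fingerprint-bound key; call after the password fallback succeeded. */
    static SecretKey generateKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEYSTORE);
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                // Every use must be authorised by a fingerprint via FingerprintManager.CryptoObject.
                .setUserAuthenticationRequired(true)
                .build());
        return kg.generateKey();
    }

    /** Cipher for FingerprintManager.CryptoObject when encrypting; store cipher.getIV() with the ciphertext. */
    static Cipher encryptCipher() throws GeneralSecurityException, IOException, KeyInvalidatedException {
        return initCipher(Cipher.ENCRYPT_MODE, null);
    }

    /** Cipher for FingerprintManager.CryptoObject when decrypting data stored with the given IV. */
    static Cipher decryptCipher(byte[] iv) throws GeneralSecurityException, IOException, KeyInvalidatedException {
        return initCipher(Cipher.DECRYPT_MODE, new GCMParameterSpec(GCM_TAG_BITS, iv));
    }

    private static Cipher initCipher(int mode, GCMParameterSpec params)
            throws GeneralSecurityException, IOException, KeyInvalidatedException {
        SecretKey key = (SecretKey) loadKeyStore().getKey(KEY_ALIAS, null);
        if (key == null) throw new KeyInvalidatedException(null); // never created, or deleted earlier
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        try {
            if (params == null) cipher.init(mode, key); else cipher.init(mode, key, params);
        } catch (KeyPermanentlyInvalidatedException e) {
            throw invalidate(e); // a fingerprint was enrolled after the key was created
        }
        return cipher;
    }

    /** Runs the Cipher from onAuthenticationSucceeded(); a Keystore "not authenticated" error invalidates the key. */
    static byte[] doFinal(Cipher authenticatedCipher, byte[] input)
            throws GeneralSecurityException, KeyInvalidatedException {
        try {
            return authenticatedCipher.doFinal(input);
        } catch (GeneralSecurityException e) { // IllegalBlockSizeException / BadPaddingException wrap the Keystore error
            if (isUserNotAuthenticated(e)) throw invalidate(e);
            throw e;
        }
    }

    /** True if the cause chain contains android.security.KeyStoreException: Key user not authenticated. */
    static boolean isUserNotAuthenticated(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            String msg = c.getMessage();
            if (KEYSTORE_EXCEPTION.equals(c.getClass().getName()) && msg != null && msg.contains(NOT_AUTHENTICATED)) {
                return true;
            }
        }
        return false;
    }

    /** Same recovery as for KeyPermanentlyInvalidatedException: drop the key so the next password login regenerates it. */
    private static KeyInvalidatedException invalidate(Throwable cause) {
        try {
            loadKeyStore().deleteEntry(KEY_ALIAS);
        } catch (GeneralSecurityException | IOException ignored) {
            // The entry is gone or unusable either way; the caller re-creates it after password login.
        }
        return new KeyInvalidatedException(cause);
    }
}
```

In onAuthenticationSucceeded(result) call doFinal(result.getCryptoObject().getCipher(), data); on KeyInvalidatedException show the password screen, and once that succeeds call generateKey() and re-encrypt the secret with encryptCipher(). This keeps setUserAuthenticationRequired(true) and only costs the user one password login when the Keystore misbehaves; it does not remove the double-listen race from Solutions 3 and 4, so make sure authenticate() is called once per screen as well.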


Author: petrsyn

Updated on June 10, 2022

Comments

  • petrsyn
    petrsyn about 2 years

    My app uses Android 6.0 Fingerprint API to protect AES key in the Android KeyStore. The stored key can be used only when user is authenticated by fingerprint sensor because the KeyGenParameterSpec is initialized with setUserAuthenticationRequired(true).

    When the user touches the sensor I get the initialized Cipher from the callback onAuthenticationSucceeded(Cipher) and I use it for decryption.

    This works perfectly except on Samsung phones with Android 6. When I try to use the returned Cipher, Samsung phones sometimes throw android.security.KeyStoreException: Key user not authenticated. So even though the Cipher is returned by onAuthenticationSucceeded(Cipher), the Android KeyStore thinks the user was NOT authenticated by the fingerprint sensor.

    It seems that the crash happens mostly when the app has not been used for a longer time. When the app is warmed up, all usually works correctly.

    As this error happens randomly and only on Samsung phones, it seems to be caused by some internal timing issue inside the Samsung implementation of the Android 6.0 KeyStore and Fingerprint API.

    Edit: This issue was also experienced in OnePlus and Acer phones.

    • Eugen Martynov
      Eugen Martynov about 6 years
      Does it happen when the user adds new finger in device settings?
  • petrsyn
    petrsyn almost 8 years
    This error happens randomly on Samsung phones (and some others too) while on other phones like LG it never happens. It is not comfortable for users if they have to re-authenticate for every 5th or 10th access to the app to refresh the stored password.
  • NullPointer
    NullPointer almost 8 years
    Yeah, I see this on only Samsung devices too. But how often do people add a new fingerprint to their device? Samsung supports only 4 max. So unless somebody is playing around with their fingerprint settings a lot, it shouldn't be too bad. Do you see this error in any other case, other than adding a new fingerprint?
  • petrsyn
    petrsyn almost 8 years
    Unfortunately this bug is not related to adding new fingerprint. It happens randomly.
  • Matt Quigley
    Matt Quigley almost 8 years
    This answer is implying that one should set user authentication requirements because it is or is not a Samsung phone. This is bad on so many levels. setUserAuthenticationRequired is a question for your security plan, not for fixing bugs.
  • petrsyn
    petrsyn almost 8 years
    Actually, supporting fingerprint unlock on Samsung phones with Android 5 was done without setUserAuthenticationRequired, because this option has only been available since Android 6. And it is a bad user experience when the app crashes randomly. A fix from Samsung can't be expected soon. If you have some idea how this can be fixed, write it here. I'll gladly make it the accepted solution.
  • Matt Quigley
    Matt Quigley almost 8 years
    I don't know the answer myself, unfortunately, but I suspect it's not Samsung given that this happens on many device types. What I do know is that when encountering this error, my team found that they weren't accommodating for the fact that the devices require device authentication in some circumstances - such as if it's been 24 hours, you must enter PIN.
  • Matt Quigley
    Matt Quigley almost 8 years
    In fact - if that's the issue - then the question to answer may be, how does one get the user authentication when you only are dealing with fingerprints?
  • Matt Quigley
    Matt Quigley almost 8 years
    Last comment - I'd look over developer.android.com/reference/android/security/keystore/… carefully, and it has some links to follow with more info.
  • petrsyn
    petrsyn almost 8 years
    If your team solved this issue, can anyone of them publish solution here? I would appreciate it and will make it accepted solution. The error happens within few minutes and happens randomly. Nothing related to e.g. 24h interval.
  • petrsyn
    petrsyn over 7 years
    Please note that this happens occasionally and randomly. It doesn't happen on all Samsungs always.
  • Chris Merrick
    Chris Merrick over 7 years
    It's definitely a race condition between listening too many times. And yes, it only happens on certain Samsung phones.
  • Smit Davda
    Smit Davda over 7 years
    Can you please explain how we can handle KeyPermanentlyInvalidatedException or provide a link where it has been handled. Thanks
  • NullPointer
    NullPointer over 7 years
    I've been treating KeyPermanentlyInvalidatedException similar to any other fatal errors, by falling back to using password for authentication. Once the user is authenticated, a new SecretKey is generated and the data is encrypted with a Cipher that uses the new SecretKey. I'm curious to see how others are handling it, to see if there are better ways to do this.
  • Matt Quigley
    Matt Quigley over 7 years
    Well funny story, it turns out that this was a problem with Samsung 6.0.1 devices, and that we ended up just doing setUserAuthenticationRequired(false). We even had this audited by an outside security firm and there is no actual security problem unless the phone is rooted.
  • Wirling
    Wirling over 7 years
    Somebody filed a bug over here: code.google.com/p/android/issues/detail?id=227919#makechanges. The bug should be fixed in the latest Android N security patch, however somebody else mentioned that the bug still occurs. This also doesn't fix the problem for devices that don't receive the update, so it's probably best to handle the exception.
  • John Ernest Guadalupe
    John Ernest Guadalupe about 7 years
    @Wirling how would you handle the exception while still allowing things to proceed? I mean will I still get an initialized Cipher?
  • Wirling
    Wirling about 7 years
    @JohnErnestGuadalupe I just do some default error handling and let the user try again. I think there is no other way to recover from this.
  • ochitos
    ochitos about 6 years
    Yes, this. Since I couldn't figure out why it was set twice, I left it as is and deployed. Funny thing, the Samsung S8 crashes, the Pixel 2 just acts all weird on this bug. It's important to make sure you're actually correctly cancelling the authentication; in my case, passing around a CancellationSignal object, I forgot to pass the object to another class and thus was left with a deaf CancellationSignal.
  • Montwell
    Montwell over 5 years
    I agree with some kind of race condition. With my code I'm not actually listening twice, but I had a method where I was calling initSign() to see if the signature had been invalidated, then calling initSign() again later when attempting to complete the login process.