Easily Authenticate Users with Android’s Confirm Credential

Avatar

James

There are a number of ways to authenticate users on mobile devices, from traditional passwords and pins to new biometric fingerprint sensors. Most users are already using one of the most secure mobile authentication implementations, the device lock screen. With Android Marshmallow and the new Confirm Credential API, it’s now possible to utilize the lock screen to detect when the user last unlocked their device and even re-prompt them to confirm their identity without having to remember yet another app-specific password. All authentication is securely stored in a crypto key from the Android KeyStore with a customizable timeout period that’s carried across multiple applications.

confirm-980x576

Getting Started

It’s important to note that your user must have his or her lock screen already secured in Android’s settings before it’s possible to use the Confirm Credential API. Most Android users will have already done this, but it’s possible to check before even attempting by getting access to the KeyguardManager and prompting users to secure their lock screen:

Creating Crypto Key

Once it’s verified that the user has set up a secure lock screen, it’s possible to attempt to create a crypto key with a specified timeout policy that’s used to see when the user last logged in. This timeout is set for a number of seconds, and developers are free to set it to any amount necessary for the app.

Testing Last Unlock

When your code needs to authenticate the user, it simply needs to attempt to encrypt any data with the key that was created earlier. If the data can be encrypted with the key, then the user has logged in within our timeout period. If not, an UserNotAuthenticatedException is thrown and it’s time to confirm credentials. Here’s how to test encrypting a bit of data.

Showing the Authentication Screen

If the user is already authenticated, the app can move on to a checkout screen or log the user in. Otherwise, it’s time to prompt the user to confirm their credentials by simply creating a new Confirm Device Credential Intent from the KeyguardManager.

Android will automatically launch the lock screen that the user has specified when the Confirm Credential Intent is activated, whether it be a pin, password, or any other type of security such as a fingerprint. Personally I use a pin on my devices, so here’s what it looks like on my Nexus 9 when the intent is launched:

Pin Screen

At this point the user can do one of two things:

  • Enter the correct credentials.
  • Cancel the unlock screen.

The Activity will get a callback with a return code when one of these occur, which can be checked if the correct credentials were entered.

There you have it! No more passwords to remember, completely customized timeouts, and a workflow that’s familiar to your users.

Learn More

To learn more about getting started with Android Marshmallow, be sure to read through the getting started documentation. You can also find this sample and other Android Marshmallow samples on our Sample Gallery.

Avatar
James Montemagno

Principal Program Manager, Mobile Developers Tools

Follow James   

No Comments.