Google updates Android 6.0 requirements for fingerprint sensors

Google has updated its Compatibility Definition document for Android 6.0, which details a list of requirements smartphone and tablet manufacturers will need to follow in order to properly run its new Android 6.0 operating system, or Android Marshmallow, according to a report by Venture Beat.

In addition to manufacturers enabling full-disk encryption by default and not being able to modify Doze mode, Google’s Compatibility Definition details the exact requirements for implementing fingerprint sensors into a mobile device.

As previously reported, the new Nexus smartphones feature fingerprint sensors, which means that an increasing number of other Android devices are expected to follow suit.

Although several flagship devices already offer support fingerprint authentication, OEMs are expected to implement the feature, which can be used to unlock the device, authorize transactions in the Google Play store, sign into third-party apps, and check out with Android Pay.

Since Android 6.0 is currently unable to handle the fingerprint authentication capability, Google has detailed a lengthy list of requirements for implementing fingerprint sensors in Android devices.

Therefore, if a device implementation includes a fingerprint sensor and has a corresponding API for third-party developers, it must declare support for the android.hardware.fingerprint feature, fully implement the corresponding API as described in the Android SDK documentation, have a false acceptance rate no higher than 0.002%, rate limit attempts for at least 30 seconds after 5 false trials for fingerprint verification, and have a hardware-backed keystore implementation.

Additionally, the device must perform the fingerprint matching in a Trusted Execution Environment (TEE) or on a chip with a secure channel to the TEE, have all identifiable fingerprint data encrypted and cryptographically authenticated such that they cannot be acquired, read or altered outside of the TEE, prevent adding a fingerprint without first establishing a chain of trust by having the user confirm existing or add a new device credential (PIN/pattern/password) using the TEE, not enable third-party applications to distinguish between individual fingerprints, honor the DevicePolicyManager.KEYGUARD_DISABLE_FINGERPRINT flag, and when upgraded from a version earlier than Android 6.0, have the fingerprint data securely migrated to meet the above requirements or removed.

The document also notes two requirements that are strongly recommended, but not completely mandatory, including the device having a false rejection rate not higher than 10%, and a latency from when the fingerprint sensor is touched until the screen is unlocked below 1 second, for 1 enrolled finger; and using the Android fingerprint icon provided in the Android Open Source Project.

Device manufacturers will have to adhere to these requirements to ensure that their fingerprint sensors work with Marshmallow, along with any apps that use its APIs.

It is still unclear how these requirements will affect smartphones and tablets that upgrade to Android 6.0, however, users will likely have to re-scan their fingerprint in order for it to work.

Review the complete 74-page Compatibility Definition document.

Article Topics

Android  |  API  |  biometric authentication  |  biometrics  |  fingerprint sensors  |  Google  |  smartphones  |  standards