Android Vault Preference
Understanding the type of secure vault that is created on Android is difficult and often depends on numerous configuration options and device settings. This document attempts to make clear what results to expect based on these inputs to provide a proficient understanding when using Identity Vault.
Strong vs Weak Biometrics
In the Android operating system, Biometrics are classified into two categories based on their overall security strength. This rating is made up of three parts, Spoof Accept Rate (SAR), Imposter Accept Rate (IAR), and False Accept Rate (FAR). Biometric implementations are classified into either a "Strong" rating or a "Weak" rating based on their results in these categories and these different categories provide different abilities within the Android system. The primary difference for our use-case is that only a "Strong Biometric" can be used to integrate with the KeyStore on a device to generate cryptographically secure keys. For additional information on the topic of Strong vs Weak Biometrics, see the Android Documentation.
It's important to note that Biometrics are rated for a given device, meaning that the same "Biometric" may be classified as Strong for one device and Weak for another. A common example of this is Face Authentication: On a Samsung Galaxy S21, Face Authentication is classified as a "Weak Biometric"; On a Google Pixel 4, however, Face Authentication is classified as a "Strong Biometric". You should use
Device.getBiometricStrengthLevel()if you need to determine what strength of Biometric a user has configured on their device.
A Strong Vault is an implementation of Identity Vault that uses the strongest levels of security. This is achieved by using a Strong Biometric to generate a cryptographic key that is then used to encrypt all of the data stored inside of the Vault.
The system passcode can be used in place of a class 3 Biometric only on Android 11 or later.
A Weak Vault is an implementation of Identity Vault that securely stores data inside the secure hardware element on the device, however it does not encrypt the data as with the Strong Vault. This is typically due to the device not meeting the requirements to generate a cryptographic key using the available authentication methods. The data is protected by either a passcode, or Biometric authentication, but this authentication mechanism is only used to guard access to the data, not to encrypt/decrypt the data itself as with the Strong Vault.
One of the available options when configuring Identity Vault is the
AndroidBiometricCryptoPreference. This option gives you two choices, each one significantly shaping the behavior of if Identity Vault uses a Strong Vault or a Weak Vault.
StrongVault for the Android preference tells Identity Vault to do whatever it can to use the Strong Vault, falling back to the Weak Vault only if absolutely necessary.
SystemPasscode for the Android preference tells Identity Vault to do whatever it can to allow using the system passcode fallback, even if that means using a Weak Vault in the case where a Strong Biometric alone could be used to create a Strong Vault.
Android Vault Selection Table
The table below attempts to show the various scenarios that can occur based on the different Identity Vault configuration options and device specifications as well as the resulting vault types and prompts the user will experience.
|DeviceSecurityType||AndroidBiometricCryptoPreference||BiometricSecurityType||Android Version||Resultant Vault||Resultant Prompt|
|Biometrics||n/a||Strong||n/a||Strong Vault||Biometric Prompt|
|Biometrics||n/a||Weak||n/a||Weak Vault||Biometric Prompt|
|SystemPasscode||n/a||n/a||>= 11||Strong Vault||System Passcode Prompt|
|SystemPasscode||n/a||n/a||<= 10||Vault Error||Throws VaultError.AndroidSystemPasscodeUnavailable|
|Both||StrongVault||Strong||>= 11||Strong Vault||Biometric Prompt with System Passcode fallback|
|Both||StrongVault||Strong||<= 10||Strong Vault||Biometric Prompt|
|Both||StrongVault||Weak||>= 11||Strong Vault||System Passcode Prompt|
|Both||StrongVault||Weak||<= 10||Weak Vault||Biometric Prompt with System Passcode fallback|
|Both||System Passcode||Strong||>= 11||Strong Vault||Biometric Prompt with System Passcode fallback|
|Both||System Passcode||Strong||<= 10||Weak Vault||Biometric Prompt with System Passcode fallback|
|Both||System Passcode||Weak||n/a||Weak Vault||Biometric Prompt with System Passcode fallback|