Skip to main content
Version: 5.0

Android Vault Preference

Understanding the type of secure vault that is created on Android is difficult and often depends on numerous configuration options and device settings. This document attempts to make clear what results to expect based on these inputs to provide a proficient understanding when using Identity Vault.

Key Terms#

Strong vs Weak Biometrics#

In the Android operating system, Biometrics are classified into two categories based on their overall security strength. This rating is made up of three parts, Spoof Accept Rate (SAR), Imposter Accept Rate (IAR), and False Accept Rate (FAR). Biometric implementations are classified into either a "Strong" rating or a "Weak" rating based on their results in these categories and these different categories provide different abilities within the Android system. The primary difference for our use-case is that only a "Strong Biometric" can be used to integrate with the KeyStore on a device to generate cryptographically secure keys. For additional information on the topic of Strong vs Weak Biometrics, see the Android Documentation.

It's important to note that Biometrics are rated for a given device, meaning that the same "Biometric" may be classified as Strong for one device and Weak for another. A common example of this is Face Authentication: On a Samsung Galaxy S21, Face Authentication is classified as a "Weak Biometric"; On a Google Pixel 4, however, Face Authentication is classified as a "Strong Biometric". You should use Device.getBiometricStrengthLevel() if you need to determine what strength of Biometric a user has configured on their device.

Strong Vault#

A Strong Vault is an implementation of Identity Vault that uses the strongest levels of security. This is achieved by using a Strong Biometric to generate a cryptographic key that is then used to encrypt all of the data stored inside of the Vault.

The system passcode can be used in place of a class 3 Biometric only on Android 11 or later.

Weak Vault#

A Weak Vault is an implementation of Identity Vault that securely stores data inside the secure hardware element on the device, however it does not encrypt the data as with the Strong Vault. This is typically due to the device not meeting the requirements to generate a cryptographic key using the available authentication methods. The data is protected by either a passcode, or Biometric authentication, but this authentication mechanism is only used to guard access to the data, not to encrypt/decrypt the data itself as with the Strong Vault.

AndroidBiometricCryptoPreference#

One of the available options when configuring Identity Vault is the AndroidBiometricCryptoPreference. This option gives you two choices, each one significantly shaping the behavior of if Identity Vault uses a Strong Vault or a Weak Vault.

StrongVault (Default)#

Choosing StrongVault for the Android preference tells Identity Vault to do whatever it can to use the Strong Vault, falling back to the Weak Vault only if absolutely necessary.

SystemPasscode#

Choosing SystemPasscode for the Android preference tells Identity Vault to do whatever it can to allow using the system passcode fallback, even if that means using a Weak Vault in the case where a Strong Biometric alone could be used to create a Strong Vault.

Android Vault Selection Table#

The table below attempts to show the various scenarios that can occur based on the different Identity Vault configuration options and device specifications as well as the resulting vault types and prompts the user will experience.

DeviceSecurityTypeAndroidBiometricCryptoPreferenceBiometricSecurityTypeAndroid VersionResultant VaultResultant Prompt
Biometricsn/aStrongn/aStrong VaultBiometric Prompt
Biometricsn/aWeakn/aWeak VaultBiometric Prompt
SystemPasscoden/an/a>= 11Strong VaultSystem Passcode Prompt
SystemPasscoden/an/a<= 10Vault ErrorThrows VaultError.AndroidSystemPasscodeUnavailable
BothStrongVaultStrong>= 11Strong VaultBiometric Prompt with System Passcode fallback
BothStrongVaultStrong<= 10Strong VaultBiometric Prompt
BothStrongVaultWeak>= 11Strong VaultSystem Passcode Prompt
BothStrongVaultWeak<= 10Weak VaultBiometric Prompt with System Passcode fallback
BothSystem PasscodeStrong>= 11Strong VaultBiometric Prompt with System Passcode fallback
BothSystem PasscodeStrong<= 10Weak VaultBiometric Prompt with System Passcode fallback
BothSystem PasscodeWeakn/aWeak VaultBiometric Prompt with System Passcode fallback