Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature request : Invalidate password on enrollment #72

Open
poulainpi opened this issue Oct 7, 2022 · 1 comment
Open

Feature request : Invalidate password on enrollment #72

poulainpi opened this issue Oct 7, 2022 · 1 comment

Comments

@poulainpi
Copy link

This capacitor plugin is missing an important security option which should allow to invalidate password when a new biometric is added or removed. This option is available in https://github.com/niklasmerz/cordova-plugin-fingerprint-aio#optional-parameters-2 with the name invalidateOnEnrollment.
@brian-weasner
Copy link
Contributor

This is actually an issue because on Android the encryption key (used to encrypt/decrypt) username and password can be retrived without being biometrically authenticated, this means that you don't technically need to call verifyIdentity before getting/setting/deleting credentials. (although I highly recommend it)

See my ticket for more information: #80

I'll be submitting a pr soon to address this (as a breaking change) to set the credentials to require auth and be invalided on biometric enrollment/removal.

@brian-weasner brian-weasner mentioned this issue Dec 2, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@poulainpi @brian-weasner