An alphanumeric password
A swipe pattern on a grid of exactly 3x3 dots
Note that the above authentication methods are referred to as the recommended primary authentication
methods in this document.
If device implementations add or modify the recommended primary authentication methods and use
a new authentication method as a secure way to lock the screen, the new authentication method:
[C-2-1] MUST be the user authentication method as described in Requiring User
Authentication For Key Use.
[C-2-2] MUST unlock all keys for a third-party developer app to use when the user unlocks
the secure lock screen. For example, all keys MUST be available for a third-party
developer app through relevant APIs, such as createConfirmDeviceCredentialIntent and
setUserAuthenticationRequired.
If device implementations add or modify the authentication methods to unlock the lock screen
and use a new authentication method that is based on a known secret to be treated as a secure
way to lock the screen:
[C-3-1] The entropy of the shortest allowed length of inputs MUST be greater than 10 bits.
[C-3-2] The maximum entropy of all possible inputs MUST be greater than 18 bits.
[C-3-3] The new authentication method MUST NOT replace any of the recommended
primary authentication methods (i.e. PIN, pattern, password) implemented and provided in
AOSP.
[C-3-4] The new authentication method MUST be disabled when the Device Policy
Controller (DPC) application has set the password quality policy via the
DevicePolicyManager.setPasswordQuality() method with a more restrictive quality constant
than PASSWORD_QUALITY_SOMETHING.
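A worked check of [C-3-1] and [C-3-2], added here as an example and not part of the CDD or AOSP: it enumerates swipe patterns on an n x n grid and converts the counts to bits. It assumes uniformly chosen secrets, reads the two requirements as log2 of the shortest-length count and of the total count, and assumes AOSP-style pattern rules (4-dot minimum, no jumping over an unvisited dot); `pattern_counts` and `cdd_entropy_check` are hypothetical names.

```python
from math import gcd, log2

def pattern_counts(n=3, min_len=4):
    """Count swipe patterns on an n x n grid, keyed by pattern length.

    Assumed rules (AOSP-style, not stated on the page): no dot is reused
    and a stroke may not jump over a dot that has not been visited yet.
    """
    dots = [(r, c) for r in range(n) for c in range(n)]
    counts = {}

    def blocked(a, b, seen):
        # True if an unvisited dot lies strictly between a and b.
        dr, dc = b[0] - a[0], b[1] - a[1]
        g = gcd(abs(dr), abs(dc))
        return any((a[0] + dr // g * k, a[1] + dc // g * k) not in seen
                   for k in range(1, g))

    def walk(last, seen):
        if len(seen) >= min_len:
            counts[len(seen)] = counts.get(len(seen), 0) + 1
        for d in dots:
            if d not in seen and not blocked(last, d, seen):
                walk(d, seen | {d})

    for d in dots:
        walk(d, frozenset([d]))
    return counts

def cdd_entropy_check(shortest_count, total_count):
    """Apply [C-3-1] and [C-3-2], assuming uniformly chosen secrets."""
    min_bits, max_bits = log2(shortest_count), log2(total_count)
    return {"min_bits": min_bits, "max_bits": max_bits,
            "C-3-1": min_bits > 10, "C-3-2": max_bits > 18}

if __name__ == "__main__":
    c = pattern_counts()                    # 3x3 grid, assumed 4-dot minimum
    print(cdd_entropy_check(c[min(c)], sum(c.values())))
    weak = pattern_counts(n=2, min_len=2)   # constructed 2x2 candidate
    print(cdd_entropy_check(weak[min(weak)], sum(weak.values())))
```

Users do not choose secrets uniformly, so these figures are upper bounds on the entropy a deployed method actually provides.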
If device implementations add or modify the recommended primary authentication methods to
unlock the lock screen and use a new authentication method that is based on biometrics to be
treated as a secure way to lock the screen, the new method:
[C-4-1] MUST meet all requirements described in section 7.3.10.2.
[C-4-2] MUST have a fall-back mechanism to use one of the recommended primary
authentication methods which is based on a known secret.
[C-4-3] MUST be disabled and only allow the recommended primary authentication to
unlock the screen when the Device Policy Controller (DPC) application has set the
keyguard feature policy by calling the method
DevicePolicyManager.setKeyguardDisabledFeatures(), with any of the associated biometric
flags (i.e. KEYGUARD_DISABLE_BIOMETRICS, KEYGUARD_DISABLE_FINGERPRINT,
KEYGUARD_DISABLE_FACE, or KEYGUARD_DISABLE_IRIS).
[C-4-4] MUST challenge the user for the recommended primary authentication (e.g. PIN,
pattern, password) at least once every 72 hours or less.
[C-4-5] MUST have a false acceptance rate that is equal to or stronger than what is required
for a fingerprint sensor as described in section 7.3.10, or otherwise MUST be
disabled and only allow the recommended primary authentication to unlock the screen
when the Device Policy Controller (DPC) application has set the password quality policy
via the DevicePolicyManager.setPasswordQuality() method with a more restrictive quality
constant than PASSWORD_QUALITY_BIOMETRIC_WEAK.
[C-SR] Are STRONGLY RECOMMENDED to have spoof and imposter acceptance rates that
are equal to or stronger than what is required for a fingerprint sensor as described in
section 7.3.10.