7.3.10.1. Fingerprint Sensors
If device implementations include a secure lock screen, they:
SHOULD include a fingerprint sensor.
If device implementations include a fingerprint sensor and make the sensor available to third-party
apps, they:
[C-1-1] MUST declare support for the android.hardware.fingerprint feature.
[C-1-2] MUST fully implement the corresponding API as described in the Android SDK
documentation.
[C-1-3] MUST have a false acceptance rate not higher than 0.002%.
[SR] Are STRONGLY RECOMMENDED to have a spoof and imposter acceptance rate not
higher than 7%.
[C-1-4] MUST disclose that this mode may be less secure than a strong PIN, pattern, or
password and clearly enumerate the risks of enabling it, if the spoof and imposter
acceptance rates are higher than 7%.
[C-1-5] MUST rate limit attempts for at least 30 seconds after five false trials for
fingerprint verification.
[C-1-6] MUST have a hardware-backed keystore implementation, and perform the
fingerprint matching in a Trusted Execution Environment (TEE) or on a chip with a secure
channel to the TEE.
[C-1-7] MUST have all identifiable fingerprint data encrypted and cryptographically
authenticated such that they cannot be acquired, read or altered outside of the Trusted
Execution Environment (TEE), or a chip with a secure channel to the TEE as documented
in the implementation guidelines on the Android Open Source Project site.
[C-1-8] MUST prevent adding a fingerprint without first establishing a chain of trust by
having the user confirm existing or add a new device credential (PIN/pattern/password)
that's secured by TEE; the Android Open Source Project implementation provides the
mechanism in the framework to do so.
[C-1-9] MUST NOT enable 3rd-party applications to distinguish between individual
fingerprints.
[C-1-10] MUST honor the DevicePolicyManager.KEYGUARD_DISABLE_FINGERPRINT flag.
[C-1-11] MUST, when upgraded from a version earlier than Android 6.0, have the
fingerprint data securely migrated to meet the above requirements or removed.
[C-1-12] MUST completely remove all identifiable fingerprint data for a user when the
user's account is removed (including via a factory reset).
[C-1-13] MUST NOT allow unencrypted access to identifiable fingerprint data or any data
derived from it (such as embeddings) to the Application Processor.
[SR] Are STRONGLY RECOMMENDED to have a false rejection rate of less than 10%, as
measured on the device.
[SR] Are STRONGLY RECOMMENDED to have a latency below 1 second, measured from
when the fingerprint sensor is touched until the screen is unlocked, for one enrolled
finger.
SHOULD use the Android Fingerprint icon provided in the Android Open Source Project.
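The rate limit in [C-1-5], sketched in C as an added example; it is not AOSP code or part of this definition. The type and function names are hypothetical, the caller is assumed to supply a monotonic millisecond clock, and clearing the trial counter when the lockout expires is an assumption.

```c
#include <stdbool.h>
#include <stdint.h>

#define FP_MAX_FAILED_TRIALS 5       /* [C-1-5]: five false trials */
#define FP_LOCKOUT_MS        30000u  /* [C-1-5]: at least 30 seconds */

/* Hypothetical per-user state. Assumption: it is kept where untrusted
 * code cannot reset it. */
typedef struct {
    uint32_t failed;        /* consecutive false trials */
    bool     locked;        /* true while the rate limit is active */
    uint64_t locked_at_ms;  /* monotonic time at which the lockout began */
} fp_lockout_t;

/* Returns true if a match attempt may run at monotonic time now_ms. */
bool fp_attempt_allowed(fp_lockout_t *s, uint64_t now_ms)
{
    if (!s->locked)
        return true;
    /* Fail closed if the clock appears to have gone backwards. The
     * subtraction form avoids overflow of locked_at_ms + FP_LOCKOUT_MS. */
    if (now_ms < s->locked_at_ms || now_ms - s->locked_at_ms < FP_LOCKOUT_MS)
        return false;
    s->locked = false;      /* lockout served: start a fresh window */
    s->failed = 0;
    return true;
}

/* Records the matcher's verdict for one attempt. Returns false when the
 * attempt was refused because of the lockout; the verdict is then ignored,
 * so even a genuine finger cannot bypass the 30 second wait. */
bool fp_record_result(fp_lockout_t *s, uint64_t now_ms, bool matched)
{
    if (!fp_attempt_allowed(s, now_ms))
        return false;
    if (matched) {
        s->failed = 0;      /* a successful match clears the counter */
        return true;
    }
    if (++s->failed >= FP_MAX_FAILED_TRIALS) {
        s->locked = true;
        s->locked_at_ms = now_ms;
    }
    return true;
}
```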
7.3.10.2. Other Biometric Sensors
If device implementations include one or more non-fingerprint-based biometric sensors and make
them available to third-party apps, they: