termux-fingerprint without biometric hardware

[jace]

Feature description

I have an Onyx Boox e-reader that I've been using Termux on awhile. I've recently setup Tergent on my main phone and on this device, and I've found it works on both of them, but with one problem: termux-fingerprint doesn't work on the e-reader because it has no biometric hardware.

{
  "errors": [
    "ERROR_NO_HARDWARE",
    "ERROR_NO_ENROLLED_FINGERPRINTS"
  ],
  "failed_attempts": 0,
  "auth_result": "AUTH_RESULT_UNKNOWN"
}

However, the SSH key itself works if I lock and unlock the device using the physical button, and termux-keystore list shows that the key is inside secure hardware.

Physically locking the device turns off Wi-Fi and Bluetooth, and unlocking then requires several seconds for a connection to become available. It'll help if I can directly invoke the non-biometric device credentials unlock screen, but there is no termux-unlock command or API.

Reference implementation

I'm not an Android developer, but the API reference suggests this is possible by calling setAllowedAuthenticators in the prompt builder, specifically just before .authenticate() here:

https://github.com/termux/termux-api/blob/v0.52.0/app/src/main/java/com/termux/api/apis/FingerprintAPI.java#L192-L203

            BiometricPrompt.PromptInfo.Builder builder = new BiometricPrompt.PromptInfo.Builder();
            builder.setTitle(intent.hasExtra("title") ? intent.getStringExtra("title") : "Authenticate");
            builder.setNegativeButtonText(intent.hasExtra("cancel") ? intent.getStringExtra("cancel") : "Cancel");
            if (intent.hasExtra("description")) {
                builder.setDescription(intent.getStringExtra("description"));
            }
            if (intent.hasExtra("subtitle")) {
                builder.setSubtitle(intent.getStringExtra("subtitle"));
            }

            // Allow fallback to device credentials
            builder.setAllowedAuthenticators(
                Authenticators.BIOMETRIC_WEAK | Authenticators.BIOMETRIC_STRONG | Authenticators.DEVICE_CREDENTIAL
            )

            // listen to fingerprint sensor
            biometricPrompt.authenticate(builder.build());

This call is from API level 30 (Android 11). The equivalent in API level 29 is setDeviceCredentialAllowed(boolean). I'm not aware what API level Termux-API targets, or if this means I'm out of luck here.

[jace]

I've found a workaround using the CONFIRM_DEVICE_CREDENTIAL action:

# In Termux, unlock device credentials
if command -v termux-fingerprint >/dev/null; then
  if termux-fingerprint | grep ERROR_NO_HARDWARE >/dev/null; then
    # If there is no biometric hardware, use device unlock
    am start -a android.app.action.CONFIRM_DEVICE_CREDENTIAL > /dev/null
    read -rsn 1 -p "Press any key to continue"
    echo
  fi
fi

[agnostic-apollo]

am start -a android.app.action.CONFIRM_DEVICE_CREDENTIAL won't give you any result about whether entered valid credentials or even dismissed prompt. Its supposed to be started with startActivityForResult and result checked.

https://cs.android.com/android/platform/superproject/+/android-latest-release:frameworks/base/core/java/android/app/KeyguardManager.java;l=312;drc=124a5084103af7795f4c6876537a7914b86f1256

There are ways to add support for just pin, etc. Will require changes to fingerprint api or even a new api.

[jace]

I found it from reading the KeyguardManager source. 😄 There doesn't seem to be any way to wait for a result, or even to wait for the user to return (hence "press any key"), but this kludge is okay for now because if authentication fails, the SSH key remains locked and I just have to retry. Chaining it as a script works: termux-unlock; git pull.

It is annoying to type, but much less annoying than hitting the e-reader's power button twice, waiting for the slow refresh, waiting for WiFi to reconnect, and then re-running the last command.

It'll be nice to have this integrated into termux-fingerprint (maybe --allow-device-credential), or if that's affected by API level constraints, into a separate termux-unlock command.