Android Marshmallow has introduced a newly integrated API to better support user authentication and user verification. On devices with a fingerprint scanner, we can now use the new Fingerprint API to authenticate the user. We can also set how long a successful lock screen verification is considered valid for the app login. In this chapter, we will go over these additions and explain how to use them:

  • The Fingerprint authentication API
  • Credentials’ Grace Period
  • Cleartext network traffic

The Fingerprint authentication API

Android Marshmallow now allows us, the developers, to authenticate users with their fingerprint scans on supported devices that have a fingerprint scanner.

The Fingerprint API was added to Android Marshmallow via a whole new package:

android.hardware.fingerprint

The package contains four classes:

  • FingerprintManager
  • FingerprintManager.AuthenticationCallback
  • FingerprintManager.AuthenticationResult
  • FingerprintManager.CryptoObject

Each class has a specific role in our fingerprint authentication process.

How do we use fingerprint authentication?

The preceding four classes of the android.hardware.fingerprint package can be explained in the following manner:

  • FingerprintManager: Manages access to the fingerprint hardware
  • FingerprintManager.AuthenticationCallback: Callback used in the auth process
  • FingerprintManager.AuthenticationResult: Result container for the auth process
  • FingerprintManager.CryptoObject: Specific crypto object to use with FingerprintManager

Say we want to authenticate users via their fingerprints. The device must have a fingerprint sensor; otherwise, we can’t use this API. We need to get an instance of FingerprintManager, and then we call the authenticate() method. We must implement a specific user interface for the fingerprint authentication flow, and the standard Android fingerprint icon (c_fp_40px.png) is included in the source. We also need to add the appropriate permission to our app’s manifest:

<uses-permission android:name="android.permission.USE_FINGERPRINT" />
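
The flow described above, as an added example that is not from the original chapter: it checks for a sensor and an enrolled fingerprint, binds the request to an Android Keystore key through a CryptoObject, and calls authenticate(). The class name FingerprintGate and the key alias are hypothetical.

```java
import android.content.Context;
import android.hardware.fingerprint.FingerprintManager;
import android.os.CancellationSignal;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

// Hypothetical helper class (added example); KEY_ALIAS is an assumed name.
public class FingerprintGate {
    private static final String KEY_ALIAS = "example_fp_key";
    private CancellationSignal cancel;

    // Returns false when fingerprint auth is unavailable, so the caller can
    // fall back to another login method instead of failing open.
    public boolean start(Context ctx, FingerprintManager.AuthenticationCallback cb)
            throws Exception {
        FingerprintManager fm = ctx.getSystemService(FingerprintManager.class);
        if (fm == null || !fm.isHardwareDetected() || !fm.hasEnrolledFingerprints()) {
            return false;
        }
        // The key is generated inside the Android Keystore and can only be
        // used after the sensor reports a match for this request.
        KeyGenerator kg = KeyGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
                .setUserAuthenticationRequired(true)
                .build());
        SecretKey key = kg.generateKey();

        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7Padding");
        cipher.init(Cipher.ENCRYPT_MODE, key);

        cancel = new CancellationSignal();
        // flags = 0, handler = null (callbacks arrive on the main looper).
        fm.authenticate(new FingerprintManager.CryptoObject(cipher), cancel, 0, cb, null);
        return true;
    }

    // Call when the UI is paused so the sensor is released.
    public void stop() {
        if (cancel != null) cancel.cancel();
    }
}
```

In onAuthenticationSucceeded(), take the cipher from result.getCryptoObject() and call doFinal() on it; the Keystore only authorizes that operation after a real match, so the app does not rely on the callback firing alone.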

Right now, we don’t have a device with a fingerprint sensor, so we will need to test our code from an emulator. (Nexus 5X and Nexus 6P are still in limited supply.)

Setting up for testing

Android SDK Tools Revision 24.3 (at least) must be installed. Now, we navigate to Settings | Security | Fingerprint and add one fingerprint.

Follow the instructions manually; we are asked to select a PIN, after which we reach the following screen:

Finally, we must use a special adb command, tricking the sensor into capturing a mock fingerprint:

adb -e emu finger touch <finger_id>

The resultant screen should look like the following screenshot:

We used finger_id = 1 for a single finger. The same command also emulates fingerprint touch events on the lock screen or in our app.

If you need help to set up an emulator, read:

Now, we can launch our application and see that we can use the fingerprint as our authentication method when the user purchases an item.