Credentials’ Grace Period

Ever been annoyed when you open an app right after unlocking the device, only to find that you need to log in again or re-enter the app password? We can now query the device to check whether it was unlocked recently, and how recently. This spares our users the repeated prompts. Note that this must be used in conjunction with a public or secret key implementation for user authentication. If you want to read more about the Android Keystore System, head to https://developer.android.com/training/articles/keystore.html.

We use KeyguardManager and check whether our lock screen is secured via the isKeyguardSecure() method. Once we know that it’s secured, we can try and use the feature; otherwise, it’d imply that the user didn’t set a secure lock screen and this feature is a no-op.

We generate a symmetric key with KeyGenerator in Android KeyStore, which can only be used after the user has authenticated with device credentials within the last x seconds. Setting this value (x) is done via the setUserAuthenticationValidityDurationSeconds() method, when we set up KeyGenerator or KeyPairGenerator.

You can check out the sample code for more information. The activity is called CredGraceActivity.

Note

Try to display the reauthentication dialog as rarely as possible. When using a cryptographic object, first check whether its validity period has expired, and only if it has, use createConfirmDeviceCredentialIntent() to reauthenticate the user.
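The flow described above, from the lock screen check through key generation to the try-first reauthentication pattern, as an added sketch that is not the book's CredGraceActivity sample. The class name, key alias, request code, the 30-second window and the choice of AES-GCM are assumptions.

```java
import android.app.Activity;
import android.app.KeyguardManager;
import android.content.Context;
import android.content.Intent;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.security.keystore.UserNotAuthenticatedException;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
// Hypothetical helper: class name, alias, request code and grace period are assumptions.
public final class GracePeriodHelper {
    private static final String KEY_ALIAS = "grace_period_key";
    private static final int GRACE_SECONDS = 30;      // the "x" from the text
    public static final int REQUEST_CONFIRM = 1;
    /** Creates the key; returns false when no secure lock screen is set (feature is a no-op). */
    public static boolean createKey(Context ctx) throws Exception {
        KeyguardManager km = (KeyguardManager) ctx.getSystemService(Context.KEYGUARD_SERVICE);
        if (!km.isKeyguardSecure()) return false;
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setUserAuthenticationRequired(true)
                .setUserAuthenticationValidityDurationSeconds(GRACE_SECONDS)
                .build());
        kg.generateKey();
        return true;
    }

    /** Tries the key first; asks for device credentials only when the grace period has lapsed. */
    public static boolean tryUseKey(Activity activity) throws Exception {
        try {
            KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
            ks.load(null);
            SecretKey key = (SecretKey) ks.getKey(KEY_ALIAS, null);
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.ENCRYPT_MODE, key);   // throws if the user has not authenticated recently
            return true;                              // still inside the grace period, no dialog shown
        } catch (UserNotAuthenticatedException e) {
            KeyguardManager km = (KeyguardManager) activity.getSystemService(Context.KEYGUARD_SERVICE);
            Intent intent = km.createConfirmDeviceCredentialIntent(null, null); // null = default texts
            if (intent != null) activity.startActivityForResult(intent, REQUEST_CONFIRM);
            return false;                             // retry from onActivityResult() on RESULT_OK
        }
    }
}
```

Both setUserAuthenticationValidityDurationSeconds() and createConfirmDeviceCredentialIntent() are deprecated in later API levels in favour of setUserAuthenticationParameters() and BiometricPrompt, so check the target API level before adopting this pattern as written.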