Biometric authentication such as fingerprint recognition can be used alongside cryptographic keys stored in the Android KeyStore to protect sensitive parts of the application. However, when a key generated for this purpose has certain parameters set insecurely, it can allow an attacker with physical access to bypass the authentication check, using application hooking tools such as Frida.

When generating a key for use with biometric authentication, ensure that the following parameters of KeyGenParameterSpec.Builder are set:

setUserAuthenticationRequired should be set to true; otherwise the key can be used without user authentication.
setInvalidatedByBiometricEnrollment should be set to true (the default); otherwise an attacker can use the key by enrolling additional biometrics on the device.
setUserAuthenticationValidityDurationSeconds, if used, should be set to -1; otherwise non-biometric (less secure) credentials can be used to access the key. setUserAuthenticationParameters is instead recommended to explicitly set both the timeout and the types of credentials that may be used.

The following example demonstrates a key that is configured with secure paramaters:

WithSecure: How Secure is your Android Keystore Authentication?

Android Developers: KeyGenParameterSpec.Builder