Biometric authentication, such as fingerprint recognition, can be used alongside cryptographic keys stored in the Android KeyStore to protect sensitive parts of the application. However, when a key generated for this purpose has certain parameters set insecurely, an attacker with physical access can bypass the authentication check using application hooking tools such as Frida.

When generating a key for use with biometric authentication, ensure that the following parameters of KeyGenParameterSpec.Builder are set:

setUserAuthenticationRequired should be set to true; otherwise, the key can be used without user authentication.
setInvalidatedByBiometricEnrollment should be set to true (the default); otherwise, an attacker can use the key by enrolling additional biometrics on the device.
setUserAuthenticationValidityDurationSeconds, if used, should be set to -1; otherwise, non-biometric (less secure) credentials can be used to access the key. We recommend using setUserAuthenticationParameters instead to explicitly set both the timeout and the types of credentials that may be used.

The following example demonstrates a key that is configured with secure paramaters:

In each of the following cases, a parameter is set insecurely:

WithSecure: How Secure is your Android Keystore Authentication?.

Android Developers: KeyGenParameterSpec.Builder.