1 /* 2 * Copyright (C) 2018 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package android.hardware.biometrics; 18 19 import static android.Manifest.permission.TEST_BIOMETRIC; 20 import static android.Manifest.permission.USE_BIOMETRIC; 21 import static android.Manifest.permission.USE_BIOMETRIC_INTERNAL; 22 import static android.Manifest.permission.WRITE_DEVICE_CONFIG; 23 24 import static com.android.internal.util.FrameworkStatsLog.AUTH_DEPRECATED_APIUSED__DEPRECATED_API__API_BIOMETRIC_MANAGER_CAN_AUTHENTICATE; 25 26 import android.annotation.IntDef; 27 import android.annotation.NonNull; 28 import android.annotation.Nullable; 29 import android.annotation.RequiresPermission; 30 import android.annotation.SystemApi; 31 import android.annotation.SystemService; 32 import android.annotation.TestApi; 33 import android.content.Context; 34 import android.os.IBinder; 35 import android.os.RemoteException; 36 import android.os.UserHandle; 37 import android.security.keystore.KeyProperties; 38 import android.util.Slog; 39 40 import com.android.internal.util.FrameworkStatsLog; 41 42 import java.lang.annotation.Retention; 43 import java.lang.annotation.RetentionPolicy; 44 import java.util.ArrayList; 45 import java.util.List; 46 47 /** 48 * A class that contains biometric utilities. For authentication, see {@link BiometricPrompt}. 49 */ 50 @SystemService(Context.BIOMETRIC_SERVICE) 51 public class BiometricManager { 52 53 private static final String TAG = "BiometricManager"; 54 55 /** 56 * No error detected. 57 */ 58 public static final int BIOMETRIC_SUCCESS = 59 BiometricConstants.BIOMETRIC_SUCCESS; 60 61 /** 62 * The hardware is unavailable. Try again later. 63 */ 64 public static final int BIOMETRIC_ERROR_HW_UNAVAILABLE = 65 BiometricConstants.BIOMETRIC_ERROR_HW_UNAVAILABLE; 66 67 /** 68 * The user does not have any biometrics enrolled. 69 */ 70 public static final int BIOMETRIC_ERROR_NONE_ENROLLED = 71 BiometricConstants.BIOMETRIC_ERROR_NO_BIOMETRICS; 72 73 /** 74 * There is no biometric hardware. 75 */ 76 public static final int BIOMETRIC_ERROR_NO_HARDWARE = 77 BiometricConstants.BIOMETRIC_ERROR_HW_NOT_PRESENT; 78 79 /** 80 * A security vulnerability has been discovered and the sensor is unavailable until a 81 * security update has addressed this issue. This error can be received if for example, 82 * authentication was requested with {@link Authenticators#BIOMETRIC_STRONG}, but the 83 * sensor's strength can currently only meet {@link Authenticators#BIOMETRIC_WEAK}. 84 */ 85 public static final int BIOMETRIC_ERROR_SECURITY_UPDATE_REQUIRED = 86 BiometricConstants.BIOMETRIC_ERROR_SECURITY_UPDATE_REQUIRED; 87 88 /** 89 * @hide 90 */ 91 @IntDef({BIOMETRIC_SUCCESS, 92 BIOMETRIC_ERROR_HW_UNAVAILABLE, 93 BIOMETRIC_ERROR_NONE_ENROLLED, 94 BIOMETRIC_ERROR_NO_HARDWARE, 95 BIOMETRIC_ERROR_SECURITY_UPDATE_REQUIRED}) 96 @Retention(RetentionPolicy.SOURCE) 97 public @interface BiometricError {} 98 99 /** 100 * Single sensor or unspecified multi-sensor behavior (prefer an explicit choice if the 101 * device is multi-sensor). 102 * @hide 103 */ 104 public static final int BIOMETRIC_MULTI_SENSOR_DEFAULT = 0; 105 106 /** 107 * Prefer the face sensor and fall back to fingerprint when needed. 108 * @hide 109 */ 110 public static final int BIOMETRIC_MULTI_SENSOR_FACE_THEN_FINGERPRINT = 1; 111 112 /** 113 * @hide 114 */ 115 @IntDef({BIOMETRIC_MULTI_SENSOR_DEFAULT, 116 BIOMETRIC_MULTI_SENSOR_FACE_THEN_FINGERPRINT}) 117 @Retention(RetentionPolicy.SOURCE) 118 public @interface BiometricMultiSensorMode {} 119 120 /** 121 * Types of authenticators, defined at a level of granularity supported by 122 * {@link BiometricManager} and {@link BiometricPrompt}. 123 * 124 * <p>Types may combined via bitwise OR into a single integer representing multiple 125 * authenticators (e.g. <code>DEVICE_CREDENTIAL | BIOMETRIC_WEAK</code>). 126 * 127 * @see #canAuthenticate(int) 128 * @see BiometricPrompt.Builder#setAllowedAuthenticators(int) 129 */ 130 public interface Authenticators { 131 /** 132 * An {@link IntDef} representing valid combinations of authenticator types. 133 * @hide 134 */ 135 @IntDef(flag = true, value = { 136 BIOMETRIC_STRONG, 137 BIOMETRIC_WEAK, 138 BIOMETRIC_CONVENIENCE, 139 DEVICE_CREDENTIAL, 140 }) 141 @interface Types {} 142 143 /** 144 * Empty set with no authenticators specified. 145 * 146 * <p>This constant is intended for use by {@link android.provider.DeviceConfig} to adjust 147 * the reported strength of a biometric sensor. It is not a valid parameter for any of the 148 * public {@link android.hardware.biometrics} APIs. 149 * 150 * @hide 151 */ 152 @SystemApi 153 @RequiresPermission(WRITE_DEVICE_CONFIG) 154 int EMPTY_SET = 0x0000; 155 156 /** 157 * Placeholder for the theoretical strongest biometric security tier. 158 * @hide 159 */ 160 int BIOMETRIC_MAX_STRENGTH = 0x0001; 161 162 /** 163 * Any biometric (e.g. fingerprint, iris, or face) on the device that meets or exceeds the 164 * requirements for <strong>Class 3</strong> (formerly <strong>Strong</strong>), as defined 165 * by the Android CDD. 166 * 167 * <p>This corresponds to {@link KeyProperties#AUTH_BIOMETRIC_STRONG} during key generation. 168 * 169 * @see android.security.keystore.KeyGenParameterSpec.Builder 170 */ 171 int BIOMETRIC_STRONG = 0x000F; 172 173 /** 174 * Any biometric (e.g. fingerprint, iris, or face) on the device that meets or exceeds the 175 * requirements for <strong>Class 2</strong> (formerly <strong>Weak</strong>), as defined by 176 * the Android CDD. 177 * 178 * <p>Note that this is a superset of {@link #BIOMETRIC_STRONG} and is defined such that 179 * {@code BIOMETRIC_STRONG | BIOMETRIC_WEAK == BIOMETRIC_WEAK}. 180 */ 181 int BIOMETRIC_WEAK = 0x00FF; 182 183 /** 184 * Any biometric (e.g. fingerprint, iris, or face) on the device that meets or exceeds the 185 * requirements for <strong>Class 1</strong> (formerly <strong>Convenience</strong>), as 186 * defined by the Android CDD. 187 * 188 * <p>This constant is intended for use by {@link android.provider.DeviceConfig} to adjust 189 * the reported strength of a biometric sensor. It is not a valid parameter for any of the 190 * public {@link android.hardware.biometrics} APIs. 191 * 192 * @hide 193 */ 194 @SystemApi 195 @RequiresPermission(WRITE_DEVICE_CONFIG) 196 int BIOMETRIC_CONVENIENCE = 0x0FFF; 197 198 /** 199 * Placeholder for the theoretical weakest biometric security tier. 200 * @hide 201 */ 202 int BIOMETRIC_MIN_STRENGTH = 0x7FFF; 203 204 /** 205 * The non-biometric credential used to secure the device (i.e., PIN, pattern, or password). 206 * This should typically only be used in combination with a biometric auth type, such as 207 * {@link #BIOMETRIC_WEAK}. 208 * 209 * <p>This corresponds to {@link KeyProperties#AUTH_DEVICE_CREDENTIAL} during key 210 * generation. 211 * 212 * @see android.security.keystore.KeyGenParameterSpec.Builder 213 */ 214 int DEVICE_CREDENTIAL = 1 << 15; 215 } 216 217 /** 218 * Provides localized strings for an application that uses {@link BiometricPrompt} to 219 * authenticate the user. 220 */ 221 public static class Strings { 222 @NonNull private final Context mContext; 223 @NonNull private final IAuthService mService; 224 @Authenticators.Types int mAuthenticators; 225 Strings(@onNull Context context, @NonNull IAuthService service, @Authenticators.Types int authenticators)226 private Strings(@NonNull Context context, @NonNull IAuthService service, 227 @Authenticators.Types int authenticators) { 228 mContext = context; 229 mService = service; 230 mAuthenticators = authenticators; 231 } 232 233 /** 234 * Provides a localized string that can be used as the label for a button that invokes 235 * {@link BiometricPrompt}. 236 * 237 * <p>When possible, this method should use the given authenticator requirements to more 238 * precisely specify the authentication type that will be used. For example, if 239 * <strong>Class 3</strong> biometric authentication is requested on a device with a 240 * <strong>Class 3</strong> fingerprint sensor and a <strong>Class 2</strong> face sensor, 241 * the returned string should indicate that fingerprint authentication will be used. 242 * 243 * <p>This method should also try to specify which authentication method(s) will be used in 244 * practice when multiple authenticators meet the given requirements. For example, if 245 * biometric authentication is requested on a device with both face and fingerprint sensors 246 * but the user has selected face as their preferred method, the returned string should 247 * indicate that face authentication will be used. 248 * 249 * <p>This method may return {@code null} if none of the requested authenticator types are 250 * available, but this should <em>not</em> be relied upon for checking the status of 251 * authenticators. Instead, use {@link #canAuthenticate(int)}. 252 * 253 * @return The label for a button that invokes {@link BiometricPrompt} for authentication. 254 */ 255 @RequiresPermission(USE_BIOMETRIC) 256 @Nullable getButtonLabel()257 public CharSequence getButtonLabel() { 258 final int userId = mContext.getUserId(); 259 final String opPackageName = mContext.getOpPackageName(); 260 try { 261 return mService.getButtonLabel(userId, opPackageName, mAuthenticators); 262 } catch (RemoteException e) { 263 throw e.rethrowFromSystemServer(); 264 } 265 } 266 267 /** 268 * Provides a localized string that can be shown while the user is authenticating with 269 * {@link BiometricPrompt}. 270 * 271 * <p>When possible, this method should use the given authenticator requirements to more 272 * precisely specify the authentication type that will be used. For example, if 273 * <strong>Class 3</strong> biometric authentication is requested on a device with a 274 * <strong>Class 3</strong> fingerprint sensor and a <strong>Class 2</strong> face sensor, 275 * the returned string should indicate that fingerprint authentication will be used. 276 * 277 * <p>This method should also try to specify which authentication method(s) will be used in 278 * practice when multiple authenticators meet the given requirements. For example, if 279 * biometric authentication is requested on a device with both face and fingerprint sensors 280 * but the user has selected face as their preferred method, the returned string should 281 * indicate that face authentication will be used. 282 * 283 * <p>This method may return {@code null} if none of the requested authenticator types are 284 * available, but this should <em>not</em> be relied upon for checking the status of 285 * authenticators. Instead, use {@link #canAuthenticate(int)}. 286 * 287 * @return The label for a button that invokes {@link BiometricPrompt} for authentication. 288 */ 289 @RequiresPermission(USE_BIOMETRIC) 290 @Nullable getPromptMessage()291 public CharSequence getPromptMessage() { 292 final int userId = mContext.getUserId(); 293 final String opPackageName = mContext.getOpPackageName(); 294 try { 295 return mService.getPromptMessage(userId, opPackageName, mAuthenticators); 296 } catch (RemoteException e) { 297 throw e.rethrowFromSystemServer(); 298 } 299 } 300 301 /** 302 * Provides a localized string that can be shown as the title for an app setting that 303 * enables authentication with {@link BiometricPrompt}. 304 * 305 * <p>When possible, this method should use the given authenticator requirements to more 306 * precisely specify the authentication type that will be used. For example, if 307 * <strong>Class 3</strong> biometric authentication is requested on a device with a 308 * <strong>Class 3</strong> fingerprint sensor and a <strong>Class 2</strong> face sensor, 309 * the returned string should indicate that fingerprint authentication will be used. 310 * 311 * <p>This method should <em>not</em> try to specify which authentication method(s) will be 312 * used in practice when multiple authenticators meet the given requirements. For example, 313 * if biometric authentication is requested on a device with both face and fingerprint 314 * sensors, the returned string should indicate that either face or fingerprint 315 * authentication may be used, regardless of whether the user has enrolled or selected 316 * either as their preferred method. 317 * 318 * <p>This method may return {@code null} if none of the requested authenticator types are 319 * supported by the system, but this should <em>not</em> be relied upon for checking the 320 * status of authenticators. Instead, use {@link #canAuthenticate(int)} or 321 * {@link android.content.pm.PackageManager#hasSystemFeature(String)}. 322 * 323 * @return The label for a button that invokes {@link BiometricPrompt} for authentication. 324 */ 325 @RequiresPermission(USE_BIOMETRIC) 326 @Nullable getSettingName()327 public CharSequence getSettingName() { 328 final int userId = mContext.getUserId(); 329 final String opPackageName = mContext.getOpPackageName(); 330 try { 331 return mService.getSettingName(userId, opPackageName, mAuthenticators); 332 } catch (RemoteException e) { 333 throw e.rethrowFromSystemServer(); 334 } 335 } 336 } 337 338 @NonNull private final Context mContext; 339 @NonNull private final IAuthService mService; 340 341 /** 342 * @hide 343 * @param context 344 * @param service 345 */ BiometricManager(@onNull Context context, @NonNull IAuthService service)346 public BiometricManager(@NonNull Context context, @NonNull IAuthService service) { 347 mContext = context; 348 mService = service; 349 } 350 351 /** 352 * @return A list of {@link SensorProperties} 353 * @hide 354 */ 355 @TestApi 356 @NonNull 357 @RequiresPermission(TEST_BIOMETRIC) getSensorProperties()358 public List<SensorProperties> getSensorProperties() { 359 try { 360 final List<SensorPropertiesInternal> internalProperties = 361 mService.getSensorProperties(mContext.getOpPackageName()); 362 final List<SensorProperties> properties = new ArrayList<>(); 363 for (SensorPropertiesInternal internalProp : internalProperties) { 364 properties.add(SensorProperties.from(internalProp)); 365 } 366 return properties; 367 } catch (RemoteException e) { 368 throw e.rethrowFromSystemServer(); 369 } 370 } 371 372 /** 373 * Retrieves a test session for BiometricManager/BiometricPrompt. 374 * @hide 375 */ 376 @TestApi 377 @NonNull 378 @RequiresPermission(TEST_BIOMETRIC) createTestSession(int sensorId)379 public BiometricTestSession createTestSession(int sensorId) { 380 try { 381 return new BiometricTestSession(mContext, sensorId, 382 (context, sensorId1, callback) -> mService 383 .createTestSession(sensorId1, callback, context.getOpPackageName())); 384 } catch (RemoteException e) { 385 throw e.rethrowFromSystemServer(); 386 } 387 } 388 389 /** 390 * Retrieves the package where BiometricPrompt's UI is implemented. 391 * @hide 392 */ 393 @TestApi 394 @NonNull 395 @RequiresPermission(TEST_BIOMETRIC) getUiPackage()396 public String getUiPackage() { 397 try { 398 return mService.getUiPackage(); 399 } catch (RemoteException e) { 400 throw e.rethrowFromSystemServer(); 401 } 402 } 403 404 /** 405 * Determine if biometrics can be used. In other words, determine if 406 * {@link BiometricPrompt} can be expected to be shown (hardware available, templates enrolled, 407 * user-enabled). This is the equivalent of {@link #canAuthenticate(int)} with 408 * {@link Authenticators#BIOMETRIC_WEAK} 409 * 410 * @return {@link #BIOMETRIC_ERROR_NONE_ENROLLED} if the user does not have any strong 411 * biometrics enrolled, or {@link #BIOMETRIC_ERROR_HW_UNAVAILABLE} if none are currently 412 * supported/enabled. Returns {@link #BIOMETRIC_SUCCESS} if a strong biometric can currently 413 * be used (enrolled and available). 414 * 415 * @deprecated See {@link #canAuthenticate(int)}. 416 */ 417 @Deprecated 418 @RequiresPermission(USE_BIOMETRIC) 419 @BiometricError canAuthenticate()420 public int canAuthenticate() { 421 @BiometricError final int result = canAuthenticate(mContext.getUserId(), 422 Authenticators.BIOMETRIC_WEAK); 423 424 FrameworkStatsLog.write(FrameworkStatsLog.AUTH_MANAGER_CAN_AUTHENTICATE_INVOKED, 425 false /* isAllowedAuthenticatorsSet */, Authenticators.EMPTY_SET, result); 426 FrameworkStatsLog.write(FrameworkStatsLog.AUTH_DEPRECATED_API_USED, 427 AUTH_DEPRECATED_APIUSED__DEPRECATED_API__API_BIOMETRIC_MANAGER_CAN_AUTHENTICATE, 428 mContext.getApplicationInfo().uid, 429 mContext.getApplicationInfo().targetSdkVersion); 430 431 return result; 432 } 433 434 /** 435 * Determine if any of the provided authenticators can be used. In other words, determine if 436 * {@link BiometricPrompt} can be expected to be shown (hardware available, templates enrolled, 437 * user-enabled). 438 * 439 * For biometric authenticators, determine if the device can currently authenticate with at 440 * least the requested strength. For example, invoking this API with 441 * {@link Authenticators#BIOMETRIC_WEAK} on a device that currently only has 442 * {@link Authenticators#BIOMETRIC_STRONG} enrolled will return {@link #BIOMETRIC_SUCCESS}. 443 * 444 * Invoking this API with {@link Authenticators#DEVICE_CREDENTIAL} can be used to determine 445 * if the user has a PIN/Pattern/Password set up. 446 * 447 * @param authenticators bit field consisting of constants defined in {@link Authenticators}. 448 * If multiple authenticators are queried, a logical OR will be applied. 449 * For example, if {@link Authenticators#DEVICE_CREDENTIAL} | 450 * {@link Authenticators#BIOMETRIC_STRONG} is queried and only 451 * {@link Authenticators#DEVICE_CREDENTIAL} is set up, this API will 452 * return {@link #BIOMETRIC_SUCCESS} 453 * 454 * @return {@link #BIOMETRIC_ERROR_NONE_ENROLLED} if the user does not have any of the 455 * requested authenticators enrolled, or {@link #BIOMETRIC_ERROR_HW_UNAVAILABLE} if none are 456 * currently supported/enabled. Returns {@link #BIOMETRIC_SUCCESS} if one of the requested 457 * authenticators can currently be used (enrolled and available). 458 */ 459 @RequiresPermission(USE_BIOMETRIC) 460 @BiometricError canAuthenticate(@uthenticators.Types int authenticators)461 public int canAuthenticate(@Authenticators.Types int authenticators) { 462 @BiometricError final int result = canAuthenticate(mContext.getUserId(), authenticators); 463 464 FrameworkStatsLog.write(FrameworkStatsLog.AUTH_MANAGER_CAN_AUTHENTICATE_INVOKED, 465 true /* isAllowedAuthenticatorsSet */, authenticators, result); 466 467 return result; 468 } 469 470 /** 471 * @hide 472 */ 473 @RequiresPermission(USE_BIOMETRIC_INTERNAL) 474 @BiometricError canAuthenticate(int userId, @Authenticators.Types int authenticators)475 public int canAuthenticate(int userId, @Authenticators.Types int authenticators) { 476 if (mService != null) { 477 try { 478 final String opPackageName = mContext.getOpPackageName(); 479 return mService.canAuthenticate(opPackageName, userId, authenticators); 480 } catch (RemoteException e) { 481 throw e.rethrowFromSystemServer(); 482 } 483 } else { 484 Slog.w(TAG, "canAuthenticate(): Service not connected"); 485 return BIOMETRIC_ERROR_HW_UNAVAILABLE; 486 } 487 } 488 489 /** 490 * Produces an instance of the {@link Strings} class, which provides localized strings for an 491 * application, given a set of allowed authenticator types. 492 * 493 * @param authenticators A bit field representing the types of {@link Authenticators} that may 494 * be used for authentication. 495 * @return A {@link Strings} collection for the given allowed authenticator types. 496 */ 497 @RequiresPermission(USE_BIOMETRIC) 498 @NonNull getStrings(@uthenticators.Types int authenticators)499 public Strings getStrings(@Authenticators.Types int authenticators) { 500 return new Strings(mContext, mService, authenticators); 501 } 502 503 /** 504 * @hide 505 * @param userId 506 * @return 507 */ 508 @RequiresPermission(USE_BIOMETRIC_INTERNAL) hasEnrolledBiometrics(int userId)509 public boolean hasEnrolledBiometrics(int userId) { 510 if (mService != null) { 511 try { 512 return mService.hasEnrolledBiometrics(userId, mContext.getOpPackageName()); 513 } catch (RemoteException e) { 514 Slog.w(TAG, "Remote exception in hasEnrolledBiometrics(): " + e); 515 return false; 516 } 517 } else { 518 return false; 519 } 520 } 521 522 /** 523 * Listens for changes to biometric eligibility on keyguard from user settings. 524 * @param callback 525 * @hide 526 */ 527 @RequiresPermission(USE_BIOMETRIC_INTERNAL) registerEnabledOnKeyguardCallback(IBiometricEnabledOnKeyguardCallback callback)528 public void registerEnabledOnKeyguardCallback(IBiometricEnabledOnKeyguardCallback callback) { 529 if (mService != null) { 530 try { 531 mService.registerEnabledOnKeyguardCallback(callback); 532 } catch (RemoteException e) { 533 throw e.rethrowFromSystemServer(); 534 } 535 } else { 536 Slog.w(TAG, "registerEnabledOnKeyguardCallback(): Service not connected"); 537 } 538 } 539 540 /** 541 * Requests all {@link Authenticators.Types#BIOMETRIC_STRONG} sensors to have their 542 * authenticatorId invalidated for the specified user. This happens when enrollments have been 543 * added on devices with multiple biometric sensors. 544 * 545 * @param userId userId that the authenticatorId should be invalidated for 546 * @param fromSensorId sensor that triggered the invalidation request 547 * @hide 548 */ 549 @RequiresPermission(USE_BIOMETRIC_INTERNAL) invalidateAuthenticatorIds(int userId, int fromSensorId, @NonNull IInvalidationCallback callback)550 public void invalidateAuthenticatorIds(int userId, int fromSensorId, 551 @NonNull IInvalidationCallback callback) { 552 if (mService != null) { 553 try { 554 mService.invalidateAuthenticatorIds(userId, fromSensorId, callback); 555 } catch (RemoteException e) { 556 throw e.rethrowFromSystemServer(); 557 } 558 } 559 } 560 561 /** 562 * Get a list of AuthenticatorIDs for biometric authenticators which have 1) enrolled templates, 563 * and 2) meet the requirements for integrating with Keystore. The AuthenticatorIDs are known 564 * in Keystore land as SIDs, and are used during key generation. 565 * @hide 566 */ getAuthenticatorIds()567 public long[] getAuthenticatorIds() { 568 return getAuthenticatorIds(UserHandle.myUserId()); 569 } 570 571 /** 572 * Get a list of AuthenticatorIDs for biometric authenticators which have 1) enrolled templates, 573 * and 2) meet the requirements for integrating with Keystore. The AuthenticatorIDs are known 574 * in Keystore land as SIDs, and are used during key generation. 575 * 576 * @param userId Android user ID for user to look up. 577 * 578 * @hide 579 */ getAuthenticatorIds(int userId)580 public long[] getAuthenticatorIds(int userId) { 581 if (mService != null) { 582 try { 583 return mService.getAuthenticatorIds(userId); 584 } catch (RemoteException e) { 585 throw e.rethrowFromSystemServer(); 586 } 587 } else { 588 Slog.w(TAG, "getAuthenticatorIds(): Service not connected"); 589 return new long[0]; 590 } 591 } 592 593 /** 594 * Requests all other biometric sensors to resetLockout. Note that this is a "time bound" 595 * See the {@link android.hardware.biometrics.fingerprint.ISession#resetLockout(int, 596 * HardwareAuthToken)} and {@link android.hardware.biometrics.face.ISession#resetLockout(int, 597 * HardwareAuthToken)} documentation for complete details. 598 * 599 * @param token A binder from the caller, for the service to linkToDeath 600 * @param opPackageName Caller's package name 601 * @param fromSensorId The originating sensor that just authenticated. Note that this MUST 602 * be a sensor that meets {@link Authenticators#BIOMETRIC_STRONG} strength. 603 * The strength will also be enforced on the BiometricService side. 604 * @param userId The user that authentication succeeded for, and also the user that resetLockout 605 * should be applied to. 606 * @param hardwareAuthToken A valid HAT generated upon successful biometric authentication. Note 607 * that it is not necessary for the HAT to contain a challenge. 608 * @hide 609 */ 610 @RequiresPermission(USE_BIOMETRIC_INTERNAL) resetLockoutTimeBound(IBinder token, String opPackageName, int fromSensorId, int userId, byte[] hardwareAuthToken)611 public void resetLockoutTimeBound(IBinder token, String opPackageName, int fromSensorId, 612 int userId, byte[] hardwareAuthToken) { 613 if (mService != null) { 614 try { 615 mService.resetLockoutTimeBound(token, opPackageName, fromSensorId, userId, 616 hardwareAuthToken); 617 } catch (RemoteException e) { 618 throw e.rethrowFromSystemServer(); 619 } 620 } 621 } 622 } 623 624