Device unlock

Device unlock cardholder verification

When the Issuer Pay library is used with CdCvmType.DEVICE_UNLOCK cardholder verification, the library uses the Android Keystore system to verify that the user has authenticated for a transaction.

This means that before making the MeaTokenPlatform.register() request to the WSP, the Issuer Pay library checks whether a secure lock screen is enabled and set up by the user. If everything is ready, the Issuer Pay library generates a key and imports it into the Android KeyStore.

The Android KeyStore key is authorized for use only if the user has been authenticated using a subset of their secure lock screen credentials (pattern/PIN/password, fingerprint).

Android secure lock screen key invalidation

Android KeyStore keys become permanently invalidated once the secure lock screen is disabled (reconfigured to None, Swipe or other mode which does not authenticate the user) or forcibly reset (e.g. by a Device Administrator).

When the key is permanently invalidated, the Issuer Pay library blocks all transactions until a new valid Android KeyStore key is generated.

A new key is generated when the wallet app invokes the MeaTokenPlatform.authenticateWithDeviceUnlock() method.

Automatic unlocking

In parallel with the secure lock screen, the user can also set the device to unlock automatically. These features depend on the Android version and device manufacturer. The Android Keystore will not authorize the key for use when the device has been unlocked by automatic unlocking. In this case the user needs to authenticate via the wallet app or unlock the device again using secure unlock.

  • Android Smart Lock
    • On-body detection
    • Trusted places
    • Trusted device, connected to a device like a Bluetooth watch or car speaker system
    • Trusted face, face recognition
    • Voice match, “Ok, Google”
  • Samsung – Iris scan …
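The three key states described above (usable, not authorized because there was no recent secure authentication, permanently invalidated) can be observed directly with the standard Android Keystore API. The following is an added illustration, not the Issuer Pay library's own code: it generates the key inside the keystore rather than importing one, and the class name, key alias and 30-second validity window are assumptions. It requires Android 6.0 (API 23) or later.

```java
import android.app.KeyguardManager;
import android.content.Context;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import android.security.keystore.UserNotAuthenticatedException;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public final class DeviceUnlockKeyDemo {
    public enum KeyState { USABLE, NEEDS_USER_AUTH, INVALIDATED, NO_SECURE_LOCK_SCREEN }

    private static final String ALIAS = "demo_device_unlock_key"; // hypothetical alias
    private static final int VALIDITY_SECONDS = 30; // assumed authentication window

    /** Generates a key that is usable only after a recent secure lock screen authentication. */
    public static KeyState createKey(Context ctx) throws Exception {
        KeyguardManager km = (KeyguardManager) ctx.getSystemService(Context.KEYGUARD_SERVICE);
        if (!km.isDeviceSecure()) return KeyState.NO_SECURE_LOCK_SCREEN; // None/Swipe
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setUserAuthenticationRequired(true)
                .setUserAuthenticationValidityDurationSeconds(VALIDITY_SECONDS)
                .build());
        kg.generateKey();
        return checkKey(); // the new key may still need a fresh authentication
    }

    /** Probes the key; Cipher.init() is where the keystore enforces the authorization. */
    public static KeyState checkKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        SecretKey key = (SecretKey) ks.getKey(ALIAS, null);
        if (key == null) return KeyState.INVALIDATED; // assumption: missing key is treated as invalidated
        try {
            Cipher.getInstance("AES/GCM/NoPadding").init(Cipher.ENCRYPT_MODE, key);
            return KeyState.USABLE;
        } catch (KeyPermanentlyInvalidatedException e) {
            return KeyState.INVALIDATED; // lock screen disabled or reset: a new key is required
        } catch (UserNotAuthenticatedException e) {
            return KeyState.NEEDS_USER_AUTH; // no secure authentication within the window
        }
    }
}
```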

Device unlock authentication flow
