
Device Unlock Cardholder Verification

When CdCvmType.DEVICE_UNLOCK cardholder verification is used, MTP SDK relies on the Android Keystore system to verify authentication for a transaction.

This means that before making the MeaTokenPlatform.register() request to WSP, MTP SDK checks whether a secure lock screen is enabled and set up by the user. If everything is ready, MTP SDK generates a secure key and imports it into Android Keystore.

The Android Keystore key is only authorized for use if the user has been authenticated using a subset of their secure lock screen credentials (Pattern, PIN, Password, face ID or Fingerprint).

Android Secure Lock Screen Key Invalidation

Android Keystore keys become permanently invalidated once the secure lock screen is disabled (reconfigured to None, Swipe or another mode which does not authenticate the user) or forcibly reset (e.g. by a Device Administrator).

When the key is permanently invalidated, MTP SDK blocks all transactions until a new valid Android Keystore key is generated.

A new key is generated when the wallet app invokes the MeaTokenPlatform.authenticateWithDeviceUnlock() method.

Device unlock invalidated key error

Automatic Unlocking

Alongside the secure lock screen, the user can also set the device to unlock automatically. These features depend on the Android version and device manufacturer. Android Keystore does not authorize the key for use when the device has been unlocked by automatic unlocking. In this case the user needs to authenticate via the wallet app or unlock the device again using secure unlock.

  • Android Smart Lock
    • On-body detection
    • Trusted places
    • Trusted device, connected to a device like a Bluetooth watch or car speaker system
    • Trusted face, face recognition
    • Voice match, "Ok, Google"
  • Samsung - Iris scan ...
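
The following Kotlin is an added example, not MTP SDK code: it uses the platform Android Keystore API to create a key bound to secure lock screen authentication and to tell apart the states described above (usable, needs authentication, permanently invalidated). The alias, the validity window and the `KeyState` enum are assumptions made for the example.

```kotlin
import android.app.KeyguardManager
import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import android.security.keystore.UserNotAuthenticatedException
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

// Hypothetical names for this example; not MTP SDK identifiers.
private const val KEY_ALIAS = "example_device_unlock_key"
private const val AUTH_VALIDITY_SECONDS = 30

enum class KeyState { NO_SECURE_LOCK_SCREEN, MISSING, USABLE, NEEDS_AUTHENTICATION, PERMANENTLY_INVALIDATED }

// Creates an AES key that Keystore authorizes only after a recent secure lock screen authentication.
fun createDeviceUnlockKey() {
    val spec = KeyGenParameterSpec.Builder(
        KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setUserAuthenticationRequired(true)
        // Time-bound authorization (deprecated since API 30 in favour of setUserAuthenticationParameters).
        .setUserAuthenticationValidityDurationSeconds(AUTH_VALIDITY_SECONDS)
        .build()
    KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        .apply { init(spec) }
        .generateKey()
}

// Probes the key by initializing a cipher, which is where Keystore enforces the authorization.
fun probeDeviceUnlockKey(context: Context): KeyState {
    val keyguard = context.getSystemService(KeyguardManager::class.java)
    if (!keyguard.isDeviceSecure) return KeyState.NO_SECURE_LOCK_SCREEN
    val keyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    val key = keyStore.getKey(KEY_ALIAS, null) as? SecretKey ?: return KeyState.MISSING
    return try {
        Cipher.getInstance("AES/GCM/NoPadding").init(Cipher.ENCRYPT_MODE, key)
        KeyState.USABLE
    } catch (e: KeyPermanentlyInvalidatedException) {
        keyStore.deleteEntry(KEY_ALIAS) // the key can never be used again; a new one must be created
        KeyState.PERMANENTLY_INVALIDATED
    } catch (e: UserNotAuthenticatedException) {
        KeyState.NEEDS_AUTHENTICATION // e.g. automatic unlock, or the validity window has expired
    }
}
```

`NEEDS_AUTHENTICATION` is recoverable by having the user authenticate again, while `PERMANENTLY_INVALIDATED` and `MISSING` both require creating a new key.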

Device Unlock Authentication Flow

Device unlock authentication flow