android - How to verify website users using smartphone fingerprint authentication or face recognition?

问题描述

I want to provide an alternative login to a website using fingerprint or facial recognition for mobile users (preferably android). Is this possible? If yes, what are the steps?

Most of the information I found deals with mobile apps- even those have security restrictions. I am a bit confused as to the approach. Initially I thought I could store fingerprint data in a database of some sort and match with the fingerprint data provided by the android device, just like password authentication. With further research I found that this is not allowed due to security reasons.

Does Google provide some form of authentication similar to this? I am new to building android apps, but I will appreciate your help even if it involves building a mobile app of some sort just for that particular website (as a last resort). In particular I would like to know how to verify the user on the server side? Assuming I receive a response of some sort from the phone, for example:

PhoneUser={verified: true, ...}

If only I can transmit/store a key(generated during registration) that will be unique to a user's biometric data. Then I could match that with the response from the phone to verify the user. I have heard a little about cryptoobjects would it be a good solution? How do I verify that the fingerprint match belonged to a user on my web application? Do I track the device to make sure it belongs to the user (IMEI) or is this just too big for a simple website?

标签： androidauthenticationfingerprinttwo-factor-authenticationandroid-fingerprint-api