Here are the requirements for fingerprint sensors in Marshmallow

Google_Nexus 6P_presentation_slides_Android6.0_092615_2

The new Nexus phones are out and everyone seems to be really liking the fingerprint readers in them. However, fingerprint sensors will soon be coming to many other Android phones, but will people find them just as nice to use?

Luckily for other manufactures, Google has laid out all new fingerprint sensor rules for them to make sure everything works correctly with Marshmallow. All they have to do is read Google’s Marshmallow Compatibility Definition Document (CDD). Google does not force manufactures to use fingerprint sensors on their new devices, but they do strongly encourage it.

7.3.10. Fingerprint Sensor
Device implementations with a secure lock screen SHOULD include a fingerprint sensor. If a device implementation includes a fingerprint sensor and has a corresponding API for third-party developers, it:

  • MUST declare support for the android.hardware.fingerprint feature.

  • MUST fully implement the corresponding API as described in the Android SDK documentation [Resources, 95].

  • MUST have a false acceptance rate not higher than 0.002%.

  • Is STRONGLY RECOMMENDED to have a false rejection rate not higher than 10%, and a latency from when the fingerprint sensor is touched until the screen is unlocked below 1 second, for 1 enrolled finger.

  • MUST rate limit attempts for at least 30 seconds after 5 false trials for fingerprint verification.

  • MUST have a hardware-backed keystore implementation, and perform the fingerprint matching in a Trusted Execution Environment (TEE) or on a chip with a secure channel to the TEE.

  • MUST have all identifiable fingerprint data encrypted and cryptographically authenticated such that they cannot be acquired, read or altered outside of the Trusted Execution Environment (TEE) as documented in the implementation guidelines on the Android Open Source Project site [Resources, 96].

  • MUST prevent adding a fingerprint without first establishing a chain of trust by having the user confirm existing or add a new device credential (PIN/pattern/password) using the TEE as implemented in the Android Open Source project.

  • MUST NOT enable 3rd-party applications to distinguish between individual fingerprints.

  • MUST honor the DevicePolicyManager.KEYGUARD_DISABLE_FINGERPRINT flag.

  • MUST, when upgraded from a version earlier than Android 6.0, have the fingerprint data securely migrated to meet the above requirements or removed.

  • SHOULD use the Android Fingerprint icon provided in the Android Open Source Project.

Of course, the most important part is everything stays secure. There are hardware and software that must be used in order to use Google’s fingerprint sensor system. This also includes older versions of Android that move to Android 6.0 Marshmallow updating their fingerprint data or it will be wiped from the device. Possibly meaning current devices with fingerprint sensors might ask you to set it up again after the update.

Source: Android 6.0 Compatibility Definition Document (PDF)
Via: Android Police


About the Author: Brent D'Alessandro

Brent is a graphic designer based in Toronto. Recently, he moved into designing more with Android. You may have seen some of Brent's themes in the popular Android launcher, "Themer." He has also made themes for Samsung's theme store. Aside from using Android devices all day, Brent spends a lot of his free time talking about Android on various forums. Brent was already writing about Android on the internet and figured it was finally time to make the move to a professional writer. When not writing with Talk Android, you can find him on http://www.teamshmo.com/


  • Ken Pendergrass

    is this an issue for exchange accounts where things like face unlock were not approved security passwords for some employees setting up exchange accounts on their phones? Will admins of exchange accounts have to approve fingerprint sensors in marshmallow?

    • Brent

      I have no clue. I would imagine the developers would have to use the same guidelines to build these features into their apps.