When using fingerprint authentication on Android, what happens to the master key?
The key is obviously needed for vault encryption/decryption, so how does it work?
It is stored in the Android Keystore on the device.
Any Android device which supports fingerprint recognition has a TEE (Trusted Execution Environment) that runs its own little operating system in memory not accessible by Android:
When you use fingerprint auth for Bitwarden, the master key does have to be stored on the phone. But it’s encrypted using a key that only the TEE has. So even if the master key is stored in the main phone storage, it has to be passed to the TEE to be decrypted - and the unencrypted version is not passed back out again. The encryption/decryption that the master key is used for is done within the TEE and only the results are passed back out to Android.
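As an added illustration of the mechanism described above (example code, not Bitwarden's implementation): a Kotlin sketch of an Android Keystore wrapping key that is non-exportable and biometric-bound, a check that the key is really hardware-backed, and the BiometricPrompt CryptoObject flow that decrypts the locally stored master key. The key alias, prompt strings and the androidx.biometric dependency are assumptions, and the builder calls shown require API 30 or later.

```kotlin
import android.security.keystore.*
import androidx.biometric.*
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import javax.crypto.*
import javax.crypto.spec.GCMParameterSpec

const val WRAP_KEY_ALIAS = "example.vault.wrap" // hypothetical alias, not Bitwarden's

// Non-exportable AES-256-GCM key generated inside AndroidKeyStore. Its material never
// leaves the TEE; validity 0 means every use must be unlocked by a Class 3 biometric,
// and enrolling a new finger invalidates the key (an attacker cannot add their own).
fun createWrapKey(): SecretKey {
    val spec = KeyGenParameterSpec.Builder(
            WRAP_KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setKeySize(256)
        .setUserAuthenticationRequired(true)
        .setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)
        .setInvalidatedByBiometricEnrollment(true)
        .build()
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        .apply { init(spec) }.generateKey()
}

// Defender's check: the wrapping key must sit in secure hardware and be auth-bound, not
// a software fallback. (isInsideSecureHardware is deprecated on API 31+ for getSecurityLevel().)
fun requireTeeBacked(key: SecretKey) {
    val info = SecretKeyFactory.getInstance(key.algorithm, "AndroidKeyStore")
        .getKeySpec(key, KeyInfo::class.java) as KeyInfo
    require(info.isInsideSecureHardware) { "wrapping key is not TEE-backed" }
    require(info.isUserAuthenticationRequired) { "wrapping key is not auth-bound" }
}

// Unwrap the (iv, ciphertext) pair kept in ordinary app storage. The cipher is handed to
// BiometricPrompt as a CryptoObject: the TEE only completes doFinal() after a successful
// scan, and only then is the plaintext master key returned to the app process.
fun unwrapMasterKey(activity: FragmentActivity, iv: ByteArray, wrapped: ByteArray,
                    onKey: (ByteArray) -> Unit) {
    val key = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
        .getKey(WRAP_KEY_ALIAS, null) as SecretKey
    requireTeeBacked(key)
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        .apply { init(Cipher.DECRYPT_MODE, key, GCMParameterSpec(128, iv)) }
    val callback = object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(r: BiometricPrompt.AuthenticationResult) {
            r.cryptoObject?.cipher?.let { onKey(it.doFinal(wrapped)) }
        }
    }
    val info = BiometricPrompt.PromptInfo.Builder().setTitle("Unlock vault")
        .setNegativeButtonText("Cancel")
        .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG).build()
    BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
        .authenticate(info, BiometricPrompt.CryptoObject(cipher))
}
```

The wrapped master key itself is stored alongside its IV in normal app storage; without a live biometric result the Keystore refuses to finish the decryption, which is what makes the locally stored copy useless on its own.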
Thanks. I wanted to confirm one thing.
Does this mean that a biometric lock with an encrypted master password stored locally is no less secure than when the master password is not stored locally? That is, biometric locking is just as safe?
Technically yes, though there were issues with fingerprint readers being spoofed by a silly putty finger; those issues were probably worked out over time. Biometrics are generally considered pretty safe. I haven’t heard of instances where fingerprint data was stolen and used to unlock a phone.
Physically, there are some legal implications though, at least in the US. I think there are places where police can compel you to unlock your phone. Criminals can also hit you over the head and use your finger to unlock your phone. However, even with a master password, you can be compelled to unlock with direct physical threats.
Thanks @paulsiu