Only strong tests will be available, so “developers can be assured of a consistent level of security across all devices their application runs on”, says Google.
A support library will also be provided for devices running earlier versions of Android O. Given the very slow takeup of any new version of Android, this is almost a necessity, allowing apps to get the benefits of the API across more devices.
This is Google’s high-level architecture of BiometricPrompt:
And they give an example of how a developer might use it in their app:
“The API is intended to be easy to use, allowing the platform to select an appropriate biometric to authenticate with instead of forcing app developers to implement this logic themselves,” writes Vishwath Mohan, a Security Engineer at Google.
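To show why letting the platform own the prompt matters for security, here is an added example (not the one from Google's post, and not Google's code) that ties a BiometricPrompt to an Android Keystore key, so a successful authentication is enforced by the Keystore rather than by a flag in the app. The class name `BiometricGate`, the key alias and the dialog strings are assumptions made for illustration.

```java
import android.content.Context;
import android.hardware.biometrics.BiometricPrompt;
import android.os.CancellationSignal;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

// Hypothetical helper (API 28+); class name, KEY_ALIAS and dialog strings are assumptions.
public final class BiometricGate {
    private static final String KEY_ALIAS = "example_biometric_key";

    // Load, or create on first use, a Keystore AES key that requires user authentication per use.
    private static SecretKey getKey() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        if (ks.containsAlias(KEY_ALIAS)) {
            return (SecretKey) ks.getKey(KEY_ALIAS, null);
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setUserAuthenticationRequired(true)
                .build());
        return kg.generateKey();
    }

    // Show the system prompt; the platform picks the biometric. Returns a handle to cancel it.
    public static CancellationSignal authenticate(Context ctx,
            BiometricPrompt.AuthenticationCallback callback)
            throws GeneralSecurityException, IOException {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, getKey());

        CancellationSignal cancel = new CancellationSignal();
        BiometricPrompt prompt = new BiometricPrompt.Builder(ctx)
                .setTitle("Confirm it's you")
                .setDescription("Authenticate to unlock the stored secret")
                .setNegativeButton("Cancel", ctx.getMainExecutor(), (dialog, which) -> cancel.cancel())
                .build();
        // Binding the prompt to the cipher means success is proven by the Keystore,
        // not by a boolean the app could be tricked into setting.
        prompt.authenticate(new BiometricPrompt.CryptoObject(cipher), cancel,
                ctx.getMainExecutor(), callback);
        return cancel;
    }
}
```

The app must declare the `USE_BIOMETRIC` permission in its manifest. In `onAuthenticationSucceeded`, perform the protected operation with `result.getCryptoObject().getCipher()` rather than treating the callback alone as proof of authentication.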
You can read the full post. It’s an interesting overview of biometric security, putting it in the context of other security approaches and showing where new developments fit in with previous models.
For example, he explains that Android 8.1 introduced two new metrics that more explicitly account for an attacker within the security model: Spoof Accept Rate (SAR) and Imposter Accept Rate (IAR). These are in addition to the two metrics traditionally used (borrowed from machine learning): False Accept Rate (FAR), and False Reject Rate (FRR).