使用指纹的密钥认证

Key authentication using fingerprint

我正在阅读 this 文档;

... Such keys can only be generated or imported if at least one fingerprint is enrolled (see FingerprintManager.hasEnrolledFingerprints). These keys become permanently invalidated once a new fingerprint is enrolled or all fingerprints are unenrolled.

我知道当所有登记的指纹都被取消登记时它们会永久失效,但是当有新的指纹登记时是这样吗?

我在想 Android Keystore 从注册的指纹中抽象出密钥用法(当 "authentication-required" 设置在密钥上时)这意味着我可以访问需要由定义的身份验证的密钥我的应用程序,无论使用哪个注册指纹。

那么,这是否意味着一旦我注册了另一个指纹,我的密钥就不能再使用了?或者我对该声明(粗体)的解释非常错误?

显然是这样。

Because that's what Google chose to do to enhance security. If I get your password or pin (and that's easy with binoculars), I can add my fingerprint to make it easier for me (after I've stolen your phone). And I'd be able to do all sorts of stuff from that point on.