Error after Fingerprint touched on Samsung phones: android.security.KeyStoreException: Key user not authenticated

Setting KeyGenParameterSpec.setUserAuthenticationRequired(false) can be a potential security issue. The above error should be handled similar to KeyPermanentlyInvalidatedException. KeyPermanentlyInvalidatedException is thrown on Cipher initialization if new fingerprints are added after your SecretKey is created. But, if the Cipher is initialized before the new fingerprints are added, you'll get the above KeyStoreException for Key User not authenticated, when you're trying to encrypt or decrypt with that Cipher.

It's easy to reproduce this error. While your app's fingerprint verification screen is in the background, try adding a new fingerprint. Now switch back to the app, and enter the fingerprint, the encryption or decryption methods would throw this error. I could resolve this issue by catching the exception and treating it the same way as KeyPermanentlyInvalidatedException.

Do NOT listen to the "setUserAuthenticationRequired(false)"

I have been able to reproduce this on Samsung by listening twice. What I think is happening is, you listen twice, authenticate on the one call, but reference it through another.

add Logs and check that you only start listening for fingerprint once and once only.

As I don't expect that the mentioned manufacturers will fix this issue soon, I've resolved it by setting the KeyGenParameterSpec.setUserAuthenticationRequired(false) for Samsung, OnePlus, Asus and some other devices.